Sender Policy Framework (SPF)

Posted by Mike Haller on Sunday, August 17. 2008 at 15:51 in Hosting

A few weeks ago I wanted to make all my hosted domains SPF-enabled. Sender Policy Framework is a great way to prevent forged mails. With SPF, mail servers check whether a mail is allowed to be sent by a specific server.

I'm going to be restrictive here and only allow our mail server to send mails from our hosted domains. This will, for example, stop spam from sdfjnsd@mydomain.com to mike@mydomain.com. Of course, that's not the only thing that will be made a lot harder for spammers. The domain itself is protected much better, and spammers seem to avoid misusing domains with SPF information.

Before activating it on all live domains, I took a private domain to test the configuration with. I changed the name server zone file for mhaller.de to contain the following TXT resource record:

@ IN MX 10 mail.smartwerkz.com.
@ IN TXT "v=spf1 mx -all"


This entry tells mail servers that only mail.smartwerkz.com (the host named in the MX record) is allowed to send emails originating from mhaller.de (the @ record).

If anyone else tries to send an email for mhaller.de, it should be rejected (the -all mechanism).

After waiting a few minutes for the name server update to finish, I sent a test mail from info@mhaller.de to check-auth@verifier.port25.com. To send the mail, I used our primary mail server mail.smartwerkz.com.

The feedback response unexpectedly reported a failure. The reason was that the mail server, running courier-mta, identified itself as mail.smartwerkz.com, which is correct according to the me configuration setting. But the TCP connection originated from the server's main IP address instead of the dedicated mail server interface I was expecting.

(Connection from elma.smartwerkz.com to verifier.port25.com)
C: HELO mail.smartwerkz.com
S: Welcome elma.smartwerkz.com


Since my courier-mta installation has its own IP address, it should have been connecting using its dedicated interface (mail.smartwerkz.com) instead of the server's default primary interface, which is elma.smartwerkz.com.

The configuration setting SOURCE_ADDRESS in the courierd configuration file let me change the IP address from which outgoing mails are sent. Note that this configuration setting is not in the documentation and you won't find much about it using Google. I changed it to the dedicated IP and the next test mail passed the SPF authentication checks.
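Why the first test failed and the second passed, as an added example (not code from the original post or from courier-mta): a minimal evaluator for the mx, a, ip4 and all mechanisms, run against a constructed DNS table. The host names are the ones in the post, the IP addresses are assumed placeholders from the documentation range, and the check compares only the connecting IP address against the policy; the HELO name the server announces plays no part in it.

```python
import ipaddress

# Constructed DNS data. Host names are the ones in the post; the IP addresses
# are placeholders from the RFC 5737 documentation range, not the real ones.
DNS = {
    ("mhaller.de", "TXT"): ["v=spf1 mx -all"],
    ("mhaller.de", "MX"): ["mail.smartwerkz.com"],
    ("mail.smartwerkz.com", "A"): ["192.0.2.25"],  # dedicated mail interface
    ("elma.smartwerkz.com", "A"): ["192.0.2.10"],  # server's primary interface
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get((name.rstrip(".").lower(), rtype), [])

def matches(mech, domain, ip):
    """True if one mechanism (a, mx, ip4 or all, no CIDR suffix) matches ip."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        hosts = [arg or domain]
    elif name == "mx":
        hosts = lookup(arg or domain, "MX")  # mx means "the MX hosts' addresses"
    else:
        raise ValueError(f"not handled in this sketch: {mech}")
    return any(ip == ipaddress.ip_address(a) for h in hosts for a in lookup(h, "A"))

def check_spf(client_ip, sender_domain):
    """SPF result for a connection from client_ip with MAIL FROM @sender_domain."""
    records = [r for r in lookup(sender_domain, "TXT") if r.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is an error
    ip = ipaddress.ip_address(client_ip)
    try:
        for term in records[0].split()[1:]:  # first match wins, left to right
            qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
            if matches(mech, sender_domain, ip):
                return QUALIFIERS[qualifier]
    except ValueError:
        return "permerror"
    return "neutral"  # no mechanism matched

if __name__ == "__main__":
    print(check_spf("192.0.2.10", "mhaller.de"))  # sent via primary interface
    print(check_spf("192.0.2.25", "mhaller.de"))  # sent via dedicated interface
```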

Now I'm going to update the zone files of all the domains to contain the SPF entries.

Then our domains will be among the 10% of domains worldwide that provide SPF information.



