The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery. More precisely, the current version of SPF — called SPFv1 or SPF Classic — protects the envelope sender address, which is used for the delivery of messages.
- Basic information about SPF here
First of all you have to set up your SPF record. You can create it using this great wizard. It will typically end up looking something like:
yourdomain.tld. IN TXT "v=spf1 mx a ip4:<your-ip>/32 ip4:<your-localnet>/24 include:alloweddomain.tld -all"
If your MX domain also appears in the name server's DMZ (DeMilitarized Zone), you should add such a TXT record there as well; otherwise you will be exposed to spoofing, as spammers can always send you mail messages with your domain in the envelope.
It is important to have an SPF record also for the control/me domain: system messages like bounces are sent with the null sender, so the remote MTA falls back to the HELO identity, which is that domain, for the SPF check.
The SPF behavior of your mail server is controlled by the file /var/qmail/control/spfbehavior. You can specify a value between 0 and 6:
- 0 disabled (default). Never do SPF lookups, don't create Received-SPF headers.
- 1 selects 'annotate-only' mode, where qmail-smtpd will annotate incoming email with Received-SPF fields, but will not reject any messages.
- 2 will produce temporary failures on DNS lookup problems, so you can make sure you always have meaningful Received-SPF headers.
- 3 selects 'reject' mode, where incoming mail will be rejected if the SPF record says 'fail'.
- 4 selects a stricter rejection mode, which is like 'reject' mode, except that incoming mail will also be rejected when the SPF record says 'softfail'.
- 5 will also reject when the SPF record says 'neutral'.
- 6 will also reject if no SPF records are available at all (or a syntax error was encountered).
You can override the value in /var/qmail/control/spfbehavior by setting the SPFBEHAVIOR environment variable (typically in /etc/tcprules.d/tcp.smtp or, if you’ve used these notes as your guide, in ~/vpopmail/etc/tcp.smtp).
Values higher than 3 are strongly discouraged. You probably will want to go with 2 or 3.
Testing
First of all, check the header of your incoming messages. For email senders who don’t have SPF enabled, you should find a Received-SPF header that looks something like this:
Received-SPF: none (0: domain at xxxxxxxxxx does not designate permitted sender hosts)
For email senders who have SPF enabled, you’ll see a header that looks something like this:
Received-SPF: pass(0: SPF record at xxxxxxxxxx designates x.x.x.x as permitted sender)
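As an added example that is not part of these notes, the following Python maps each SPF result to the action qmail-smtpd takes at each spfbehavior level, as described in the list above, and runs it over constructed Received-SPF lines in the shape of the two headers shown above. Running it over headers already in your mail store lets you estimate how much a stricter level would have rejected before you change the setting. It assumes the levels are cumulative (each keeps the rejections of the lower ones) and that DNS lookup problems appear as a 'temperror' result.

```python
import re
from collections import Counter

# Constructed sample headers in the format qmail-smtpd writes (not from a real mail store).
SAMPLE_HEADERS = [
    "Received-SPF: none (0: domain at example.net does not designate permitted sender hosts)",
    "Received-SPF: pass(0: SPF record at example.org designates 192.0.2.10 as permitted sender)",
    "Received-SPF: softfail (0: transitioning domain of example.com does not designate 192.0.2.20 as permitted sender)",
    "Received-SPF: fail (0: SPF record at example.com does not designate 192.0.2.30 as permitted sender)",
    "Received-SPF: neutral (0: example.edu is neither permitted nor denied by domain policy)",
    "Received-SPF: temperror (0: DNS lookup for example.info failed)",
]

# Lowest spfbehavior value at which each SPF result is rejected (levels 3 to 6 of the list).
# Assumption: levels are cumulative, so a level also rejects everything the lower levels reject.
REJECT_AT = {"fail": 3, "softfail": 4, "neutral": 5, "none": 6, "permerror": 6}

# The result word may be followed directly by "(" as in the "pass(0: ..." header above.
_HEADER_RE = re.compile(r"^Received-SPF:\s*([a-z]+)\s*\((.*)\)\s*$")


def parse_received_spf(line):
    """Return (result, explanation) from a Received-SPF header, or None if the line does not match."""
    m = _HEADER_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def decide(result, level):
    """SMTP-time action for an SPF result at a given spfbehavior level: accept, tempfail or reject."""
    if not 0 <= level <= 6:
        raise ValueError("spfbehavior must be between 0 and 6")
    if level <= 1:                   # 0 does no lookups, 1 only annotates: never reject
        return "accept"
    if result == "temperror":        # 2 and above: DNS problems become a temporary failure
        return "tempfail"
    if level >= REJECT_AT.get(result, 7):   # results not in the table (e.g. pass) are never rejected
        return "reject"
    return "accept"


def simulate(headers, level):
    """Count how many of the given headers would be accepted, tempfailed or rejected at a level."""
    counts = Counter()
    for line in headers:
        parsed = parse_received_spf(line)
        if parsed is not None:
            counts[decide(parsed[0], level)] += 1
    return dict(counts)


if __name__ == "__main__":
    for lvl in range(7):
        print(f"spfbehavior={lvl}: {simulate(SAMPLE_HEADERS, lvl)}")
```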
To run a rejection test, use the highest value (6) and restart qmail. Then, from a remote IP address, try telnetting into your mail server and sending a message using a fake email address:
> telnet qmail.yourserver.net 25
Trying [remote-IP]...
Connected to [remote-IP].
Escape character is '^]'.
220 qmail.yourserver.net ESMTP
mail from: test@nospfdomain.net
250 ok
rcpt to: user@yourdomain.net
550 See http://spf.pobox.com/why.html?sender=test%40nospfdomain.net&ip=[sender-IP]&receiver=0 (#5.7.1)
quit
221 qmail.yourserver.net
Connection closed by foreign host.
Remember to restore your /var/qmail/control/spfbehavior file to 2 or 3.
Comments
http://spf.pobox.com doesn't exist
Pablo Murillo December 6, 2023 23:44 CET
Finally, I'm back with SPF.
I'm doing some tests and I found that the URL in the error message doesn't work!
Any idea?
host -t a spf.pobox.com
Host spf.pobox.com not found: 3(NXDOMAIN)
http://spf.pobox.com doesn't exist
Roberto Puzzanghera Pablo Murillo December 7, 2023 05:55 CET
I think I've fixed this in June 30 patch. Are you using the latest patch?
http://spf.pobox.com doesn't exist
Pablo Murillo Roberto Puzzanghera December 7, 2023 16:16 CET
Sorrryyyyy!!!
I missed the last 2 patches!!!
Too much work!
Sorry!
SPF not rejecting messages
Pablo Murillo August 24, 2023 06:06 CET
Hi
After a lot of work, finally I have SPF "working".
The incoming emails are marked by SPF, but with spfbehavior set to 3, 4, 5 or 6 the messages are not rejected.
The emails have the SPF header, but no rejection.
What am I missing?
spfbehavior has 644 qmaild qmail permissions.
Can I debug SPF?
Thanks
Pablo Murillo
SPF not rejecting messages
Roberto Puzzanghera Pablo Murillo August 24, 2023 10:15 CET
Hi, don't you have messages like this in your log?
Try to test by sending yourself a mail with that domain as sender. It has a bad SPF record which fails also with spfbehaviour=3.
SPF not rejecting messages
Pablo Murillo Roberto Puzzanghera October 30, 2023 18:18 CET
Hi
I was working on other stuff and I completely forgot about SPF.
Now I'm back, and now I don't see the headers any more!
Ajajaja
I recompiled, but nothing.
I'm completely lost.
I will check everything again!
SPF not rejecting messages
Roberto Puzzanghera Pablo Murillo October 30, 2023 19:17 CET
I have spfbehaviour with 644 root.root privileges.
I suggest using strace against qmail-smtpd to see what's going on.
SPF not rejecting messages
Pablo Murillo Roberto Puzzanghera October 31, 2023 05:32 CET
openat(AT_FDCWD,"control/spfbehavior",O_RDONLY|O_NONBLOCK,00) = 4 (0x4)
read(4,"3\n",64) = 2 (0x2)
close(4) = 0 (0x0)
openat(AT_FDCWD,"control/spfrules",O_RDONLY|O_NONBLOCK,00) = 4 (0x4)
read(4,"include:spf.trusted-forwarder.or"...,64) = 34 (0x22)
close(4) = 0 (0x0)
openat(AT_FDCWD,"control/spfguess",O_RDONLY|O_NONBLOCK,00) ERR#2 'No such file or directory'
openat(AT_FDCWD,"control/spfexp",O_RDONLY|O_NONBLOCK,00) ERR#2 'No such file or directory'
SPF not rejecting messages
Roberto Puzzanghera Pablo Murillo October 31, 2023 05:34 CET
It seems ok.