March 15, 2020 Roberto Puzzanghera0 comments
The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery. More precisely, the current version of SPF — called SPFv1 or SPF Classic — protects the envelope sender address, which is used for the delivery of messages. See the box on the right for a quick explanation of the different types of sender addresses in e-mails.
First of all you have to setup your SPF record. You can create it using this great wizard. Basically it will turn to be something like:
yourdomain.tld. IN TXT "v=spf1 mx a ip4:<your-ip>/32 ip4:<your-localnet>/24 include:alloweddomain.tld -all"
If your mx domain also appears in the name server's DMZ (DeMilitarized Zone) you should add such a TXT record in there as well, otherwise you will be exposed to spoofing, as spammers can always send you mail messages with your domain in the envelope.
SPF behavior of your mail server is controlled by the file
/var/qmail/control/spfbehavior. You can specify a value between 0 and 6:
You can override the value in
/var/qmail/control/spfbehavior by setting the SPFBEHAVIOR environment variable (typically in
/etc/tcprules.d/tcp.smtp or, if you’ve used these notes as your guide, in
Values higher than 3 are strongly discouraged. You probably will want to go with 2 or 3.
First of all, check the header of your incoming messages. For email senders who don’t have SPF enabled, you should find a Received-SPF header that looks something like this:
Received-SPF: none (0: domain at does not designate permitted sender hosts)
For email senders who have SPF enabled, you’ll see a header that looks something like this:
Received-SPF: pass(0: SPF record at designates x.x.x.x as permitted sender)
To run a rejection test, use the highest value (6 ) and restart qmail. Then, from a remote IP address, try telnetting into your mail server and sending a message using a fake email address:
> telnet qmail.yourserver.net 25 Trying [remote-IP]... Connected to [remote-IP]. Escape character is '^]'. 220 qmail.yourserver.net ESMTP mail from: email@example.com 250 ok rcpt to: firstname.lastname@example.org 550 See http://spf.pobox.com/why.html?sender=test%40nospfdomain.net&ip=[sender-IP]&receiver=0 (#5.7.1) quit 221 qmail.yourserver.net Connection closed by foreign host.
Remember to restore to 2 or 3 your
apache clamav dkim dovecot ezmlm fail2ban hacks lamp letsencrypt linux linux-vserver lxc mariadb mediawiki mozilla mysql openboard owncloud patches php proftpd qmail qmailadmin rbl roundcube rsync sieve simscan slackware spamassassin spf ssh ssl surbl tcprules tex ucspi-tcp vpopmail vqadmin