SPF

March 15, 2020, Roberto Puzzanghera

  • Basic information about SPF here

First of all you have to set up your SPF record. You can create it using this great wizard. It will end up looking something like:

yourdomain.tld. IN TXT "v=spf1 mx a ip4:<your-ip>/32 ip4:<your-localnet>/24 include:alloweddomain.tld -all"

If your mx domain also appears in the name server's DMZ (DeMilitarized Zone) you should add such a TXT record in there as well, otherwise you will be exposed to spoofing, since spammers can always send you mail messages with your domain in the envelope sender.

SPF behavior of your mail server is controlled by the file /var/qmail/control/spfbehavior. You can specify a value between 0 and 6:

  • 0 disabled (default). Never do SPF lookups, don't create Received-SPF headers.
  • 1 selects 'annotate-only' mode, where qmail-smtpd will annotate incoming email with Received-SPF fields, but will not reject any messages.
  • 2 will also produce temporary failures on DNS lookup problems, so you can make sure you always have meaningful Received-SPF headers.
  • 3 selects 'reject' mode, where incoming mail will be rejected if the SPF record says 'fail'.
  • 4 selects a stricter rejection mode, which is like 'reject' mode, except that incoming mail will also be rejected when the SPF record says 'softfail'.
  • 5 will also reject when the SPF record says 'neutral'.
  • 6 will also reject if no SPF records are available at all (or a syntax error was encountered).

You can override the value in /var/qmail/control/spfbehavior by setting the SPFBEHAVIOR environment variable (typically in /etc/tcprules.d/tcp.smtp or, if you’ve used these notes as your guide, in ~/vpopmail/etc/tcp.smtp).

Values higher than 3 are strongly discouraged. You will probably want to go with 2 or 3.
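To make the two pieces above concrete (what the record's mechanisms mean for a given connecting IP, and what each spfbehavior value does with the resulting verdict), here is a small offline SPF evaluator. It is an added example, not code from this post or from qmail/vpopmail: DNS answers come from a constructed in-memory table with hypothetical domains and documentation-range addresses, so nothing is looked up on the network, and it covers only the mechanisms used in the record shown above (mx, a, ip4, include, all). The mapping in qmail_action follows the spfbehavior description given in the post.

```python
"""Offline SPF evaluator plus qmail spfbehavior mapping (added example)."""
import ipaddress

# Constructed DNS data for this example only; domains and IPs are hypothetical.
DNS = {
    "yourdomain.tld": {
        "TXT": "v=spf1 mx a ip4:203.0.113.10/32 ip4:192.0.2.0/24 include:alloweddomain.tld -all",
        "A": ["203.0.113.10"],
        "MX": ["mail.yourdomain.tld"],
    },
    "mail.yourdomain.tld": {"A": ["203.0.113.11"]},
    "alloweddomain.tld": {"TXT": "v=spf1 ip4:198.51.100.0/24 ~all"},
    "nospfdomain.net": {"A": ["192.0.2.50"]},   # no TXT record at all -> result "none"
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the v=spf1 TXT record of a domain, or None if it has none."""
    txt = DNS.get(domain, {}).get("TXT")
    return txt if txt and txt.startswith("v=spf1") else None


def ip_matches(ip, mechanism, domain, depth):
    """True if the connecting IP matches one mechanism (qualifier already stripped)."""
    if mechanism == "all":
        return True
    if mechanism.startswith("ip4:"):
        return ip in ipaddress.ip_network(mechanism[4:], strict=False)
    if mechanism in ("a", "mx") or mechanism.startswith(("a:", "mx:")):
        name, _, target = mechanism.partition(":")
        target = target or domain            # bare "a"/"mx" refer to the current domain
        hosts = [target] if name == "a" else DNS.get(target, {}).get("MX", [])
        return any(ip == ipaddress.ip_address(addr)
                   for host in hosts for addr in DNS.get(host, {}).get("A", []))
    if mechanism.startswith("include:"):
        inner = check_host(ip, mechanism[8:], depth + 1)
        if inner in ("none", "permerror"):   # included domain must have a valid record
            raise ValueError("include target has no usable SPF record")
        return inner == "pass"               # include matches only on an inner "pass"
    raise ValueError("unsupported term: " + mechanism)   # e.g. modifiers like redirect=


def check_host(ip, domain, depth=0):
    """Evaluate a sender IP against a domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                           # guard against include loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    try:
        for term in record.split()[1:]:      # skip the "v=spf1" version tag
            qualifier = term[0] if term[0] in QUALIFIERS else "+"
            if ip_matches(ip, term.lstrip("+-~?"), domain, depth):
                return QUALIFIERS[qualifier]
    except ValueError:
        return "permerror"
    return "neutral"                         # nothing matched and no explicit "all"


def qmail_action(result, spfbehavior):
    """What qmail-smtpd does with an SPF result for spfbehavior 0..6 (per the post)."""
    if spfbehavior == 0:
        return "accept"                      # no lookups, no Received-SPF header
    if result == "temperror" and spfbehavior >= 2:
        return "tempfail"                    # 2+: DNS problems become temporary failures
    rejects = set()
    if spfbehavior >= 3:
        rejects.add("fail")
    if spfbehavior >= 4:
        rejects.add("softfail")
    if spfbehavior >= 5:
        rejects.add("neutral")
    if spfbehavior >= 6:
        rejects.update({"none", "permerror"})
    return "reject" if result in rejects else "annotate"


if __name__ == "__main__":
    for sender_ip, sender_domain in [("203.0.113.10", "yourdomain.tld"),
                                     ("10.0.0.1", "yourdomain.tld"),
                                     ("192.0.2.50", "nospfdomain.net")]:
        verdict = check_host(sender_ip, sender_domain)
        actions = {b: qmail_action(verdict, b) for b in range(7)}
        print(f"{sender_ip} for {sender_domain}: {verdict} -> {actions}")
```

Running it shows why the post recommends 2 or 3: a sender with no record at all (the nospfdomain.net case) is only annotated at those levels, while spfbehavior 6 rejects it outright, which is exactly what the telnet test in the Testing section relies on.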

Testing

First of all, check the headers of your incoming messages. For email senders who don’t have SPF enabled, you should find a Received-SPF header that looks something like this:

Received-SPF: none (0: domain at  does not designate permitted sender hosts)

For email senders who have SPF enabled, you’ll see a header that looks something like this:

Received-SPF: pass(0: SPF record at  designates x.x.x.x as permitted sender)

To run a rejection test, use the highest value (6) and restart qmail. Then, from a remote IP address, try telnetting into your mail server and sending a message using a fake email address:

> telnet qmail.yourserver.net 25
Trying [remote-IP]...
Connected to [remote-IP].
Escape character is '^]'.
220 qmail.yourserver.net ESMTP
mail from: test@nospfdomain.net
250 ok
rcpt to: user@yourdomain.net
550 See http://spf.pobox.com/why.html?sender=test%40nospfdomain.net&ip=[sender-IP]&receiver=0 (#5.7.1)
quit
221 qmail.yourserver.net
Connection closed by foreign host.

Remember to restore /var/qmail/control/spfbehavior to 2 or 3 afterwards.
