Sender Policy Framework (SPF)
Latest revision as of 21:08, 12 September 2023
SPF (Sender Policy Framework) is an E-Mail domain authentication method, designed to protect E-Mail sender domains (the RFC5321.MailFrom, i.e. the envelope sender) from forgery (spoofing). SPF is defined as a "proposed standard" in RFC 7208. DMARC builds on SPF (together with DKIM: a DMARC pass needs an aligned SPF or an aligned DKIM result), and the now-deprecated Sender ID was derived from it.
Functionality
An SPF record is a DNS TXT record published at the domain name itself that lists which IP addresses are allowed to send mail with that domain as the RFC5321.MailFrom. A domain must publish at most one TXT record starting with v=spf1; two or more give a PERMERROR. An example of a very simple SPF record, as printed by a DNS client:
example.com descriptive text "v=spf1 ip4:1.2.3.4 ip4:4.3.2.0/24 -all"
In this example, the domain "example.com" is strictly and only allowed to send from IP 1.2.3.4 or from the CIDR network 4.3.2.0/24 (4.3.2.0 - 4.3.2.255; a CIDR match includes the first and last address of the block). Anything else gets the result FAIL. This example record consists of 3 parts:
- Version (v=spf1)
- Mechanisms (ip4:1.2.3.4 ip4:4.3.2.0/24)
- Policy qualifier (-all)
Version
Sender ID used its own version tags (spf2.0/mfrom, spf2.0/pra). Since Sender ID is deprecated, there is only one SPF version in use: spf1.
Mechanisms
SPF offers 8 mechanisms. They are evaluated left to right, and the first one that matches the sending IP determines the result (through its qualifier, see below); mechanism names are case-insensitive:
| Switch | Example | Description |
|---|---|---|
| A | `a` or `a:mail.example.com` | Matches if the sending IP is one of the A records (AAAA for IPv6 senders) of the domain being checked, or of the domain given after the colon. |
| ALL | `all` | Matches always. It is almost always present as the last mechanism, with a qualifier, to set the result for every sender the preceding mechanisms did not match. |
| EXISTS | `exists:example.com` | Matches if an A lookup of the given name returns any record at all, whatever the address is. Only useful together with the SPF macro language, which builds the name from the sender's IP or domain; rarely used. |
| IP4 | `ip4:4.3.2.0/24` | Matches the given IPv4 address or CIDR network. Needs no DNS lookup. |
| IP6 | `ip6:2001:db8:a::123/64` | Matches the given IPv6 address or CIDR network. Needs no DNS lookup. |
| INCLUDE | `include:subdomain.example.com` | Evaluates the SPF record of another domain and matches only if that evaluation returns PASS. A FAIL or SOFTFAIL inside the included record does not match; evaluation simply continues with the next mechanism. Typical for third-party senders. |
| MX | `mx` | Matches if the sending IP is an A/AAAA address of one of the domain's MX hosts. |
| PTR | `ptr` | Matches only if a reverse DNS (PTR) name for the client's address is in the domain in question and that name resolves back (A/AAAA) to the client's address. Should be avoided; RFC 7208 says it should not be used. |
Every include, a, mx, ptr and exists term (and a redirect= modifier) costs a DNS lookup, and RFC 7208 limits one complete evaluation to 10 such lookups; exceeding the limit gives PERMERROR, which receivers treat as no usable SPF at all. Long chains of include terms from several mail providers are the usual way to hit this limit.
Policy qualifier
The qualifier is the one-character prefix of a mechanism (+, -, ~ or ?; no prefix means +). It can be put on any mechanism, but in practice the one that matters is the qualifier of the final all mechanism, which sets the result for every sender the preceding mechanisms did not match. The following qualifiers are available:
| Switch | Name | Effect |
|---|---|---|
| +all | PASS | Every sender passes, so the record authorizes the entire Internet. This makes SPF meaningless, and some receivers treat it as a negative signal. |
| ?all | NEUTRAL | No statement is made about unmatched senders; receivers treat NEUTRAL like having no SPF record. |
| ~all | SOFTFAIL | Unmatched senders are probably not authorized; receivers should accept the mail but may mark it or weigh it in filtering. |
| -all | FAIL | Unmatched senders are not authorized; receivers may reject the message at SMTP time. Can break things when using mailing lists and forwarders. |
Forwarding an E-Mail with the RFC5321.MailFrom unchanged, but from a different IP, breaks SPF authentication: the forwarder's IP is not in the original sender's record, so the result is SOFTFAIL or FAIL depending on the all qualifier. For this reason ~all is sometimes preferred over -all. Forwarders can avoid the problem by rewriting the envelope sender to their own domain (SRS, Sender Rewriting Scheme). For DMARC the distinction does not matter: only an aligned PASS counts, so SOFTFAIL and FAIL are both a non-pass.
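The following is an added example, not code from this page or from InboxSys: a minimal SPF evaluator in Python that implements the eight mechanisms and four qualifiers from the two tables above, the include and redirect semantics, the one-record rule and the 10-DNS-lookup limit, so it serves the record example in Functionality, the mechanisms table, the policy qualifier table and the forwarding note in one place. DNS is replaced by the constructed ZONE dictionary (example.com, relay.example, soft.example, exists.example and loop.example are made-up names with made-up records), so it runs offline. Macros, the exp= modifier and dual-CIDR suffixes (a/24//64) are not implemented.

```python
import ipaddress

# Constructed zone data standing in for DNS in this example; none of these hosts are real.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 ip4:1.2.3.4 ip4:4.3.2.0/24 include:_spf.relay.example -all"],
    ("_spf.relay.example", "TXT"): ["v=spf1 mx:relay.example a:out.relay.example ip6:2001:db8::/32 ~all"],
    ("relay.example", "MX"): ["mx1.relay.example"],
    ("mx1.relay.example", "A"): ["198.51.100.10"],
    ("out.relay.example", "A"): ["198.51.100.20"],
    ("soft.example", "TXT"): ["v=spf1 ip4:1.2.3.4 ~all"],  # same sender, softfail as default
    ("exists.example", "TXT"): ["v=spf1 exists:allowed.exists.example -all"],
    ("allowed.exists.example", "A"): ["127.0.0.2"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],  # includes itself forever
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS lookup
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4; ip4, ip6 and all are free

def lookup(name, rtype):
    return ZONE.get((name.lower(), rtype), [])

def addresses(name, ip):
    """A or AAAA records of name, in the client's address family."""
    return [ipaddress.ip_address(a) for a in lookup(name, "A" if ip.version == 4 else "AAAA")]

def in_network(ip, hosts, prefix):
    """True if ip lies in host/prefix for any host; no prefix means an exact match."""
    prefix = prefix or ip.max_prefixlen
    return any(ip in ipaddress.ip_network(f"{h}/{prefix}", strict=False) for h in hosts)

def parse_term(term):
    """'~ip4:4.3.2.0/24' -> ('~', 'ip4', '4.3.2.0', '24'); a missing qualifier means '+'."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    term, _, prefix = term.partition("/")
    mech, _, arg = term.partition(":")
    return qualifier, mech.lower(), arg, prefix or None

def check_host(client_ip, domain, budget=None):
    """RFC 7208 check_host(): SPF result for client_ip sending with a MailFrom in domain."""
    ip = ipaddress.ip_address(client_ip)
    budget = {"lookups": 0} if budget is None else budget  # shared across include/redirect
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:  # more than one SPF record is a permanent error
        return "permerror"
    redirect = None
    for term in records[0].split()[1:]:
        if "=" in term.partition(":")[0]:  # modifier (redirect=, exp=), not a mechanism
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier, mech, arg, prefix = parse_term(term)
        target = arg or domain
        if mech in LOOKUP_MECHS:
            budget["lookups"] += 1
            if budget["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip.version == 4 and in_network(ip, [arg], prefix)
        elif mech == "ip6":
            matched = ip.version == 6 and in_network(ip, [arg], prefix)
        elif mech == "a":
            matched = in_network(ip, addresses(target, ip), prefix)
        elif mech == "mx":
            matched = any(in_network(ip, addresses(mx, ip), prefix) for mx in lookup(target, "MX"))
        elif mech == "ptr":  # forward-confirmed reverse DNS; RFC 7208 says do not use it
            matched = any((n.lower() == target.lower() or n.lower().endswith("." + target.lower()))
                          and ip in addresses(n, ip) for n in lookup(ip.reverse_pointer, "PTR"))
        elif mech == "exists":  # matches on any A record at all, whatever the address
            matched = bool(lookup(target, "A"))
        elif mech == "include":  # only an inner PASS matches; inner FAIL/SOFTFAIL just moves on
            inner = check_host(str(ip), target, budget)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:  # evaluate another domain's record in place of this one
        budget["lookups"] += 1
        if budget["lookups"] > MAX_DNS_LOOKUPS:
            return "permerror"
        result = check_host(str(ip), redirect, budget)
        return "permerror" if result == "none" else result
    return "neutral"  # nothing matched and no all mechanism

if __name__ == "__main__":
    for client, domain in (("1.2.3.4", "example.com"), ("4.3.2.255", "example.com"),
                           ("198.51.100.10", "example.com"), ("2001:db8::1", "example.com"),
                           ("203.0.113.9", "example.com"), ("203.0.113.9", "soft.example"),
                           ("10.0.0.1", "exists.example"), ("1.2.3.4", "loop.example")):
        print(f"{client:>14} from {domain:<15} -> {check_host(client, domain)}")
```

Running it shows 4.3.2.255 passing for example.com (the /24 covers .0 through .255), 198.51.100.10 passing through the included relay record's mx term, 203.0.113.9 failing for example.com but only softfailing for soft.example (the forwarder case from the paragraph above), 10.0.0.1 passing for exists.example although no record names that address, and loop.example ending in PERMERROR once the lookup budget is spent. Note that the included record's ~all never reaches the outer result: an include only matches on PASS, so the outer -all decides.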
Alignment
Main article: Alignment
SPF aligns when the RFC5321.MailFrom domain matches the RFC5322.From domain. In layman's terms: when the envelope-from domain matches the domain shown in the From header. DMARC accepts either an exact match (strict alignment) or, by default, a match of the organizational domain (relaxed alignment), so a MailFrom in bounce.example.com aligns with a From header in example.com under relaxed alignment only.
Controversy around SPF
Main article: Controversy around SPF
SPF in InboxSys app
To check your SPF record, send a message to your seedlist and look in the authentication section of the E-Mail analysis.