Sender Policy Framework (SPF): Difference between revisions

From InboxSys document library
Jump to navigation Jump to search
No edit summary
No edit summary
 
Line 23: Line 23:
==Method==
==Method==


SPF offers 8 mechanisms. The following 6 are the most important:
SPF offers 8 mechanisms:


{| class="wikitable" style="margin:auto"
{| class="wikitable" style="margin:auto"
Line 29: Line 29:
|-
|-
! Switch !! Example !! Description
! Switch !! Example !! Description
|-
! scope="row"| A
|| <code>A</code> || Matches the domain's A-record.
|-
! scope="row"| All
|| <code>ALL</code> || Matches always. This mechanism is rarely used.
|-
! scope="row"| EXISTS
|| <code>exists:example.com</code> || Matches the IP behind the domain. Can be used with [https://www.jamieweb.net/blog/using-spf-macros-to-solve-the-operational-challenges-of-spf/ SPF macro language] and is rarely used.
|-
|-
! scope="row"| IP4  
! scope="row"| IP4  
Line 38: Line 47:
! scope="row"| INCLUDE  
! scope="row"| INCLUDE  
|| <code>include:subdomain.example.com</code> || Include the results of the SPF record of another domain.
|| <code>include:subdomain.example.com</code> || Include the results of the SPF record of another domain.
|-
! scope="row"| A
|| <code>A</code> || Matches the domain's A-record.
|-
|-
! scope="row"| MX  
! scope="row"| MX  
Line 59: Line 65:
|-
|-
! scope="row"| +all  
! scope="row"| +all  
|| PASS
|| PASS || SPF returns PASS, even if it fails. This renders SPF obsolete and is not considered valid by all [[ISP]]s.
|-
|-
! scope="row"| ?all  
! scope="row"| ?all  
|| NEUTRAL
|| NEUTRAL || SPF returns NEUTRAL, even if it fails.
|-
|-
! scope="row"| ~all  
! scope="row"| ~all  
|| SOFTFAIL
|| SOFTFAIL || SPF returns SOFTFAIL when it fails.
|-
|-
! scope="row"| -all  
! scope="row"| -all  
|| FAIL
|| FAIL || SPF returns FAIL when it fails. Can break things when using [[mailing lists]].
|}
|}


Line 90: Line 96:
* [https://international.eco.de/download/209121/ E-Mail authentication for recipients]
* [https://international.eco.de/download/209121/ E-Mail authentication for recipients]
* [https://www.rfc-editor.org/rfc/rfc7208.html RFC 7208]
* [https://www.rfc-editor.org/rfc/rfc7208.html RFC 7208]
* [[wikipedia:Sender_Policy_Framework]]

Latest revision as of 21:08, 12 September 2023

SPF (Sender Policy Framework) is an E-Mail domain authentication method, designed to protect E-Mail sender domains (RFC5321.MailFrom) from forgery (spoofing). SPF is defined as a "proposed standard" in RFC 7208. SPF is required for DMARC and it's the base for SenderID.

Functionality

An SPF record is a DNS TXT record that defines which IPs are allowed to send with the domain in question. An example of a very simple SPF record is:

example.com descriptive text "v=spf1 ip4:1.2.3.4 ip4:4.3.2.0/24 -all"

In this example, the domain "example.com" is strictly and only allowed to send from IP 1.2.3.4 or from the CIDR network 4.3.2.0/24 (4.3.2.1 - 4.3.2.254). This example-record consists of 3 parts:

  1. Version (v=spf1)
  2. Method (ip4:1.2.3.4 ip4:4.3.2.0/24)
  3. Policy qualifier (-all)

Version

Since SenderID is deprecated, there is only one SPF version: spf1.

Method

SPF offers 8 mechanisms:

SPF methods
Switch Example Description
A A Matches the domain's A-record.
All ALL Matches always. This mechanism is rarely used.
EXISTS exists:example.com Matches the IP behind the domain. Can be used with SPF macro language and is rarely used.
IP4 ip4:4.3.2.0/24 Includes IPv4 addresses.
IP6 ip6:2001:db8:a::123/64 Includes IPv6 addresses.
INCLUDE include:subdomain.example.com Include the results of the SPF record of another domain.
MX MX Matches all IPs in the domain's MX-record.
PTR PTR Matches only if the reverse DNS (PTR) for the client's address is in the domain in question and the PTR record resolves back to the domain's A or AAAA record. Should be avoided!

Policy qualifier

The policy qualifier defines what to do when all previous methods fail. The following qualifiers are available:

SPF policy qualifiers
Switch Name
+all PASS SPF returns PASS, even if it fails. This renders SPF obsolete and is not considered valid by all ISPs.
?all NEUTRAL SPF returns NEUTRAL, even if it fails.
~all SOFTFAIL SPF returns SOFTFAIL when it fails.
-all FAIL SPF returns FAIL when it fails. Can break things when using mailing lists.

Forwarding an E-Mail with the RFC5321.MailFrom unchanged, but from a different IP, breaks SPF authentication. For this reason ~all is sometimes preferred over -all.

Alignment

Main article: Alignment

SPF aligns when the RFC5321.MailFrom domain matches the RFC5322.From domain. In laymen terms: When the envelope-from domain matches the sender domain.

Controversy around SPF

Main article: Controversy around SPF

SPF in InboxSys app

To check your SPF record, send a message to your seedlist and look in the authentication section of the E-Mail analysis.

Useful links