Tuesday, July 10, 2007

Sender Policy Framework (SPF)

The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery. It is an attempt to control forged e-mail. SPF is not directly about stopping spam – junk email. It is about giving domain owners a way to say which mail sources are legitimate for their domain and which ones aren't.

The current version of SPF — called SPFv1 or SPF Classic — protects the envelope sender address, which is used for the delivery of messages.

Sender authentication protocols are designed to protect against forgery of e-mail sender identities, either in the envelope or in the header. In the envelope, first there is the "HELO" identity, which names the mail server (MTA) that is sending the message. The "MAIL FROM" identity is the e-mail address that is responsible for sending the message and where delivery errors (bounces) will eventually be reported. And the "RCPT TO" identity is the message's recipient address. The header contains another set of identities (besides other meta information about the message, such as the subject and the sending date).

SPF authenticates the envelope HELO and MAIL FROM identities by comparing the sending mail server's IP address to the list of authorized sending IP addresses published by the sender domain's owner in a "v=spf1" DNS record.

SPFv1 allows the owner of a domain to specify their mail sending policy, e.g. which mail servers they use to send mail from their domain. The technology requires two sides to play together:
(1) the domain owner publishes this information in an SPF record in the domain's DNS zone, and when someone else's mail server receives a message claiming to come from that domain, then
(2) the receiving server can check whether the message complies with the domain's stated policy. If, e.g., the message comes from an unknown server, it can be considered a fake.

Example of SPF Record

mydomain.com. TXT "v=spf1 mx a:machine1.mydomain.com include:gmail.com -all"

The parts of this SPF record mean the following:

v=spf1: SPF version 1
mx: the incoming mail servers (MX's) of the domain are authorized to also send mail for mydomain.com
a:machine1.mydomain.com: the machine machine1.mydomain.com is authorized, too
include:gmail.com: everything considered legitimate by gmail.com is legitimate for mydomain.com
-all: all other machines are not authorized

For detailed information on SPF records and their syntax, please refer www.openspf.org
The SPF Setup Wizard: http://old.openspf.org/wizard.html


brianegge said...

That's great that Exchange makes it easy to setup SPF. I would have thought Microsoft would have done more to promote their own SenderID technology. SPF seems to be catching on, but I'm curious to know how effective it is. Does Exchange offer any way to sign your mail with DomainKeys?

Vinay Pal Singh said...

hey brian,
SPF is very much effective but works only if the receving end has configured SPF check... and it is catching up very fast as you said.
Right now Exchange do not offer any way to sign your mail with domainkeys and i doubt MS will work on this as they have their own competing technology in SenderID.

Raj said...

excellent blog there!
got to know about you from Amit...
keep up the good work!


Anonymous said...

Can anyone recommend the well-priced Network Monitoring system for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central network software monitoring
? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!

Kamagra said...

What an interesting stuff! I hope to visit this blog later and find more info about this serious theme.