May 25

Have you ever received spam mails that seem to originate from your own mail address? Or has anybody else complained about you sending such emails? Then you should take a look at SPF. In a nutshell, it plugs the holes in the SMTP protocol, which offers no way to verify whether a sender (or anybody who pretends to be that sender) really may use a particular mail server to transmit their mails. Unfortunately, SPF is not yet very widespread. Almost everybody (including me) has come across this abbreviation and/or heard that it might protect against misuse of mail addresses. But most people (including me) cannot be bothered to implement it.

But when I took a closer look at it recently, it turned out to be a pretty simple task. Only people with loads of domain names and/or restricted nameserver control might run into problems.

In a nutshell, you only need to do this in order to get SPF running on your own server and to tell other mail servers how to deal with your domain name:

  • add a policy daemon to your MTA (e.g. postfix-policyd-spf) — pretty easy, really!
  • add SPF/TXT records to your zonefiles as described here

That’s it, honestly. Assuming you have successfully finished the two tasks, your mail server will block all mails that originate from domains which have SPF records set and that were delivered through hosts other than the allowed ones. And your domains will be protected from being misused on all other mail servers which use SPF as well.

Example:

example.com.       IN MX 10  mail
; SPF is looked up on the sender's domain (example.com), so the policy lives there
example.com.       IN TXT "v=spf1 mx -all"
mail.example.com.  IN A 1.2.3.4

Now, mails from johndoe@example.com must be delivered through the mail server mail.example.com. All mail servers which implement SPF will refuse to accept such mails from any other server. Especially the big players like Googlemail make use of SPF. Although some don’t block mails, they at least add a telling header which makes spam filtering easier:

Received-SPF: fail (google.com: domain of mail@***.co.uk does not designate
85.***.***.*** as permitted sender) client-ip=85.***.***.***
Authentication-Results: mx.google.com; spf=hardfail (google.com: domain of
mail@***.co.uk does not designate 85.***.***.*** as permitted sender)
smtp.mail=mail@***.co.uk
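
How a receiving server reaches a pass or fail verdict for a policy like `v=spf1 mx -all` published for example.com, as an added example that is not part of the original post. It covers only a subset of SPF; the names `check_spf`, `lookup` and the `DNS` table are hypothetical, and the DNS data (including the sender 203.0.113.7) is constructed so the code runs offline.

```python
import ipaddress

# Constructed DNS data mirroring the zone example (assumption: the policy is
# published on example.com; no real DNS queries are made).
DNS = {
    ("example.com", "TXT"): ["v=spf1 mx -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["1.2.3.4"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the constructed records for a name, or an empty list."""
    return DNS.get((name.rstrip(".").lower(), rtype), [])


def check_spf(client_ip, mail_from):
    """Evaluate a subset of SPF (all, ip4, a, mx) for the MAIL FROM domain."""
    ip = ipaddress.ip_address(client_ip)
    domain = mail_from.rsplit("@", 1)[-1].lower()
    records = [t for t in lookup(domain, "TXT")
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"        # domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"   # more than one SPF record is an error
    for term in records[0].split()[1:]:
        qualifier = "+"      # a mechanism without qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech, target = mech.lower(), arg or domain
        if mech == "all":
            matched = True
        elif mech == "ip4" and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = client_ip in lookup(target, "A")
        elif mech == "mx":
            matched = any(client_ip in lookup(mx, "A")
                          for mx in lookup(target, "MX"))
        else:
            return "permerror"  # simplification: anything outside the subset
        if matched:             # first matching mechanism decides the result
            return QUALIFIERS[qualifier]
    return "neutral"
```

With this data, `check_spf("1.2.3.4", "johndoe@example.com")` gives `pass`, while the same sender address presented from 203.0.113.7 falls through to `-all` and gives `fail`, the verdict shown in the header above.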

So what are you waiting for? The more people make SPF mandatory on their servers, the better its protection against spam.
