Netmail Archive 5.x
Sender Policy Framework (SPF) is an initiative aimed at preventing email address spoofing, a strategy often used by spammers or virus writers. When SPF is enabled and a message is received, the SPF agent looks up the SPF records in the DNS configuration of the sender's domain so it can establish whether the IP address of the sending host is an authorized sender for that domain. If there is an IP address match, the mail message is accepted for delivery; if the sending host is not authorized, the mail message is rejected. Unlike rDNS, the SPF approach does not assume the message is being spoofed if it does not find an SPF record in the DNS record for that domain. This means that SPF is not a restrictive checking method and does not generate a high number of false positives.
An SPF record is a TXT record that is part of a domain's DNS zone file. Adding SPF records to your mail server's DNS zone file helps other mail servers (with SPF checking enabled) to validate your sending domain, thus preventing other individuals from spoofing your email addresses. It is, therefore, in your best interest to ensure that your SPF records are maintained in the DNS zone, and to encourage any clients, suppliers, and other organizations that you communicate with to do the same. This is because SPF support only works for those domains that put SPF definitions in their DNS zone file. For more information on this initiative, visit http://www.openspf.org.
The objective of this article is to explain the basic workings and functionality of the Sender Policy Framework (SPF), and how to configure a proper SPF record for a domain (or domains). This article will also explain how to verify that the Netmail Secure SPF agent is active so it can block the majority of incoming spoofed messages, and how to configure the SPF agent to allow mail from trusted external IP addresses.
Most email administrators are familiar with spoofing spam, in which message headers of incoming spam messages are modified to display a spoofed 'Mail From' value so the mail appears to originate from the organization's mail server, when it actually did not. The diagram below illustrates how Netmail Secure utilizes the SPF framework to check SPF records associated with incoming email and subsequently either drop or allow a message:
As shown in the diagram, Netmail Secure will check the SPF records (in the form of TXT DNS records) of the mail server used by the incoming (and in this case, spoofed) email message. In the example above, 'mydomain.com' is Netmail Secure's domain, but the incoming (spoofed) email is also supposedly from mydomain.com, even though it actually originated elsewhere. The TXT record for the example shown above would look like this:
SPF parses the record from left to right: v=spf1 means that a specific SPF version (version 1) is in use. ip4:220.127.116.11 lists the IP address (or addresses) that are allowed to send messages on behalf of this domain. The -all mechanism matches every remaining sender (any IP address not already matched by an earlier mechanism) and its '-' qualifier means a 'hard fail' is configured for those addresses, a.k.a. 'Drop the Connection.'
Once the SPF record is parsed, the receiving mail server determines if there is a match between the sending mail server's IP address (in this case, 18.104.22.168) and the addresses authorized in the SPF record to send mail on behalf of the domain (22.214.171.124, in this case). Since the spammer's IP address (126.96.36.199) is not authorized, the message will be dropped.
Enabling SPF Checking
In addition to maintaining the SPF record, make sure SPF checking is enabled in Netmail Secure. To use the SPF Module for SPF checking, the Agent Enabled option must be selected.
To do this, log in to the Netmail Web Administration console and enable the SPF agent in the SMTP modules container (refer to the screenshot below) by selecting the SPF Agent Enabled checkbox under the Details tab:
Configuring Ignored Addresses
This option configures the SPF agent to ignore an IP address or a range of IP addresses that would otherwise be flagged as spam by the SPF Module, for example a trusted external relay that sends mail on your behalf but is not listed in your SPF record. To add an ignored address, enter the IP address (or range of IP addresses) in the Module Options section > Ignored Addresses field of the Netmail Web Administration console, and click the Add button. To edit an existing ignored address, highlight the address in the list box, and click Advanced Edit. To delete an ignored address from the list, highlight the address in the list box, and click Remove.
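The following Python script is an added illustration, not Netmail code, of the two behaviours described above: the left-to-right evaluation of a TXT SPF record (v=spf1 ... -all) against the connecting host's IP address, and an "ignored addresses" bypass that lets trusted external senders through before any SPF check runs. The record, the IP addresses and the IGNORED_ADDRESSES list are constructed example values (documentation ranges), and the function names are hypothetical. Only ip4/ip6 and all mechanisms are handled, because the others require live DNS lookups.

```python
import ipaddress

# Constructed example record: two authorized ip4 entries, then hard fail for everyone else.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.10 ip4:192.0.2.0/28 -all"

# Hypothetical equivalent of the SPF agent's "Ignored Addresses" option:
# connections from these ranges are accepted without consulting SPF.
IGNORED_ADDRESSES = ["198.51.100.0/24"]

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT SPF record into an ordered list of (qualifier, mechanism, value)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"                      # an unprefixed mechanism means 'pass'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        mechanisms.append((qualifier, name.lower(), value))
    return mechanisms


def evaluate_spf(record, sender_ip):
    """Walk the mechanisms left to right; the first one that matches decides the result.

    A missing record yields 'none', which mirrors the article's point that SPF does
    not treat an absent record as evidence of spoofing.
    """
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":
            matched = True                   # 'all' matches every remaining sender
        elif name in ("ip4", "ip6"):
            # A bare address is treated as a /32 (or /128) network.
            # Comparing an IPv4 address against an IPv6 network simply does not match.
            matched = ip in ipaddress.ip_network(value, strict=False)
        else:
            raise NotImplementedError(f"mechanism {name!r} needs DNS resolution")
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                         # nothing matched and no 'all' term present


def is_ignored(sender_ip, ignored=IGNORED_ADDRESSES):
    """True when the connecting host falls inside one of the ignored ranges."""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ignored)


def spf_decision(record, sender_ip, ignored=IGNORED_ADDRESSES):
    """Return 'accept' or 'reject'; the ignore list is consulted before SPF itself."""
    if is_ignored(sender_ip, ignored):
        return "accept"
    return "reject" if evaluate_spf(record, sender_ip) == "fail" else "accept"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.5", "203.0.113.7", "198.51.100.20"):
        print(ip, evaluate_spf(EXAMPLE_RECORD, ip), spf_decision(EXAMPLE_RECORD, ip))
```

Only a 'fail' result (a '-' qualifier) leads to rejection here; softfail and neutral are accepted, which matches the non-restrictive behaviour the article attributes to SPF. Changing -all to ~all in the record shows the difference directly.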
Viewing SPF Records
To view your SPF record (or the SPF record of any domain) use the "nslookup" command on Windows workstations. To do this, use the following commands:
1. Open a command prompt (Start > Run > cmd).
2. Type nslookup and press Enter; the prompt changes to nslookup's interactive prompt.
3. Type set type=txt
4. Enter the domain whose record you want to look up (e.g., mademo.info in the screenshot below).
5. Results similar to the following will be returned:
A helpful web-based wizard and more information on the OpenSPF framework can be found at http://www.openspf.org