Sender Policy Framework
Sender Policy Framework (SPF) tackles e-mail address forgery. Without SPF it is very easy to send e-mails using someone
else's e-mail address. Often you get spam from yourself; this is because the spammer puts your e-mail address
in the sender field.
For SPF to work you need to publish a list of the IP addresses that are used to send e-mail from your domain to other
users on the Internet. When you send an e-mail to someone else on the Internet, your SMTP server connects
to the recipient's SMTP server, which therefore knows the IP address of your SMTP server. The recipient's server can
compare this IP address with the records published in the DNS for your domain. This is how the recipient's server
can find out whether the e-mail was sent by your server or by someone posing as a user on your domain.
Does SPF stop spam?
SPF can stop spam to a certain extent. Spammers can still send you unwanted e-mails, but they will be forced
to use their own domain. SPF can effectively stop viruses or worms on an
infected machine that send out thousands of messages to everyone found in your address book.
How do I publish my IP Addresses?
Follow the steps below to publish SPF records.
- Gather the list of IP addresses that you know can send e-mail to the Internet from your organization
- Use this wizard to create an SPF entry for your DNS
- Update your DNS with the string created by the wizard
Once your DNS contains the necessary SPF constructs, any server can query it to find out which IP addresses your e-mail
should come from.
Example
For the purpose of this example let us assume the following is true.

| Assumption | Value |
|---|---|
| Your domain name is | mydomain.com |
| Your e-mail is handled by (there are 2 MX records defined in the DNS) | 199.199.199.1, 199.199.199.2 |
| Your web address is (this refers to your A records) | 199.199.199.3, 199.199.199.4 |
| Other SMTP servers on your network | 199.199.199.5, 199.199.199.6 |
| No other servers are used to send out e-mails for "mydomain.com" | |
You can enter the following SPF record, which is a TXT record in the DNS:
"v=spf1 a mx ip4:199.199.199.5 ip4:199.199.199.6 -all"
This entry tells the recipient's SMTP server that an e-mail whose sender address contains "mydomain.com"
can only come from certain IP addresses. If any other IP address is used to send the message, the recipient can
reject it.
Each element in the SPF string is separated by white space. The table below explains what each entry means.

| Element | Meaning |
|---|---|
| v=spf1 | This is the version of SPF |
| a | Signifies that e-mail can come from any IP address listed as an A record in the DNS for the domain |
| mx | Signifies that e-mail can come from any IP address of a host listed as an MX record in the DNS for the domain |
| ip4:199.199.199.5 | E-mail can also come from this IP address (one ip4: entry per address) |
| -all | This means that e-mail can only come from these IP addresses. If any other IP address is used, the recipient should reject it. Other values are possible for this field, such as ~all (soft fail). |
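As an added example (not code from the original page, nor from ITA Secure Messaging), the following Python evaluates the record above the way a receiving server would: it walks the mechanisms left to right and lets the first match decide the result. The DNS data is constructed in memory to mirror the page's example for mydomain.com; the MX host names, the extra domains (softdomain.example, neutral.example, nospf.example) and every address outside 199.199.199.x are assumptions, added only to show the softfail, neutral and no-record outcomes.

```python
"""Minimal SPF evaluator for the page's example record (added example; not part of the
original page or of ITA Secure Messaging).

Mechanisms handled: all, a, mx and ip4 (with an optional CIDR prefix).
include, ip6, exists and ptr are not modelled and yield "permerror".
"""
import ipaddress

# Constructed DNS zone data (assumption: these are not real domains).
FAKE_DNS = {
    "mydomain.com": {
        "TXT": ["v=spf1 a mx ip4:199.199.199.5 ip4:199.199.199.6 -all"],
        "A": ["199.199.199.3", "199.199.199.4"],          # the page's two A records
        "MX": ["mx1.mydomain.com", "mx2.mydomain.com"],   # the page's two MX hosts (names assumed)
    },
    "mx1.mydomain.com": {"A": ["199.199.199.1"]},
    "mx2.mydomain.com": {"A": ["199.199.199.2"]},
    "softdomain.example": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},  # soft fail policy
    "neutral.example": {"TXT": ["v=spf1 ?all"]},                        # neutral policy
    "nospf.example": {"A": ["198.51.100.10"]},                          # no SPF record at all
}

# Qualifier prefix of a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns=FAKE_DNS):
    """Return the records of type rtype for name from the in-memory zone ([] if none)."""
    return dns.get(name.lower(), {}).get(rtype, [])


def spf_record(domain, dns=FAKE_DNS):
    """Return the domain's single v=spf1 TXT record, or None if it has none."""
    recs = [t for t in lookup(domain, "TXT", dns) if t.lower().split(" ")[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def check_spf(client_ip, sender_domain, dns=FAKE_DNS):
    """Evaluate sender_domain's SPF record against the IP that connected to us.

    Returns "pass", "fail", "softfail", "neutral", "none" (no record) or
    "permerror" (a mechanism this evaluator does not understand).
    """
    record = spf_record(sender_domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:                 # whitespace-separated terms; skip "v=spf1"
        qualifier = "+"                             # a mechanism without a prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":                           # any A record of the domain (or of arg)
            matched = any(ip == ipaddress.ip_address(a)
                          for a in lookup(arg or sender_domain, "A", dns))
        elif mech == "mx":                          # any A record of any MX host of the domain
            mx_hosts = lookup(arg or sender_domain, "MX", dns)
            matched = any(ip == ipaddress.ip_address(a)
                          for mx in mx_hosts for a in lookup(mx, "A", dns))
        elif mech == "ip4":                         # literal address or CIDR block
            matched = ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                                # nothing matched and no "all" term


if __name__ == "__main__":
    for ip, domain in [("199.199.199.1", "mydomain.com"), ("199.199.199.7", "mydomain.com"),
                       ("198.51.100.1", "softdomain.example")]:
        print(f"{ip} sending as @{domain}: {check_spf(ip, domain)}")
```

Running it shows 199.199.199.1 passing through the mx mechanism, 199.199.199.7 failing on -all, and an outside address getting softfail from softdomain.example's ~all. A real receiver resolves the records over DNS instead of the in-memory table, but the evaluation order is the same.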
Using SPF with ITA Secure Messaging
By default SPF filtering is enabled in ITA Secure Messaging. When the sending IP address matches or does not match the records published for the sender's domain,
a score is assigned to that e-mail. You can change the values of these scores. The table below lists the
SPF-related categories in ITA Secure Messaging.
| Category | Meaning |
|---|---|
| PASS | When the IP address of the sender matches the published IP addresses in the DNS for this domain, that e-mail is assigned the PASS category. |
| Trusted Domains | This is a special category in ITA Secure Messaging that extends PASS. SPF is designed to prevent e-mail forgery, not spam. However, it can be used to reduce spam. Spammers are smart; they have already configured their DNS servers to contain SPF records. Giving too much credit to e-mails that are sent from legitimate IP addresses may let spam messages pass through. If you trust a domain name and know that no one will send you spam from that address, put it in ITA Secure Messaging's trusted domains. ITA Secure Messaging will give credit to messages where the SPF lookup passes and the sender's domain is among the trusted domains. |
| SOFTFAIL | This category is assigned when the message does not meet a domain's strict definition of legitimacy, but the domain cannot confidently state that the message is a forgery. |
| FAIL | When ITA Secure Messaging can confidently determine that an address is forged, it puts the message into this category. |
| NEUTRAL | When the SPF lookup cannot validate the sender's IP address, ITA Secure Messaging assigns this category. |