Creating SPF records
Our organization decided to add SPF (Sender Policy Framework) records
to our DNS servers. SPF records are DNS TXT resource records that
provide a list of servers that may legitimately send mail on behalf of
a domain.
In our organization, our mail exchangers both send and receive mail for
our domain. We cannot say with certainty that only our mail exchangers are
allowed to legitimately send mail for our domain, so we will use a ?all "neutral" directive at the end
of our SPF record.
Our SPF record is as follows:
example.com.        86400 IN TXT "v=spf1 mx ?all"
In addition, each of our mail exchangers should have an SPF record to
allow remote systems to verify the authenticity of Delivery Status
Notifications (DSNs). Because DSNs are sent with a null envelope sender
address to prevent "double bounces," SPF implementations instead check the
SPF record of the domain supplied with the SMTP EHLO or HELO command.
From http://www.ietf.org/internet-drafts/draft-ietf-marid-mailfrom-00:
    [RFC2821] allows the reverse-path to be null (see Section 4.5.5.) In
    this case, there is no explicit sender mailbox, and such a message
    can be assumed to be a notification message from the mail system
    itself. When the reverse-path is null, this document defines the
    "Mail From" identity to be the mailbox composed of the localpart
    "postmaster" and the domain supplied with the SMTP EHLO or HELO
    command. Note that requirements for the domain presented in the EHLO
    and HELO commands are not strict, and software must be prepared for a
    "Mail From" identity so constructed to be ill formed.
Here are the appropriate SPF records for our mail exchangers, assuming
our example.com domain has two mail exchangers named host1.example.com
and host2.example.com:
host1.example.com.  86400 IN TXT "v=spf1 a -all"
host2.example.com.  86400 IN TXT "v=spf1 a -all"
Since we can say with certainty that only host1.example.com itself should
send DSNs with a HELO name of host1.example.com, it is appropriate to end
that record with the -all "fail" directive rather than ?all.
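To show how a receiving server evaluates the two kinds of record above (the domain record ending in ?all and the per-host records ending in -all), here is a minimal SPF v1 evaluator. It is an added example, not code from the original page or from any SPF implementation it links to. It resolves names against a constructed in-memory DNS table that mirrors the example.com layout (the 192.0.2.x addresses are documentation-range placeholders), supports only the a, mx, all and ip4 mechanisms, and applies the null-sender rule quoted above, under which the "Mail From" identity becomes postmaster@<HELO domain>.

```python
# Added example (not part of the original page): a minimal SPF v1 evaluator
# over a constructed, in-memory DNS table. It covers only the mechanisms the
# page uses ("a", "mx", "all") plus "ip4", and the null-sender rule under
# which the "Mail From" identity becomes postmaster@<HELO domain>.
import ipaddress

# Constructed records mirroring the page's example.com layout; the addresses
# are documentation-range (192.0.2.0/24) placeholders, not real hosts.
DNS = {
    ("example.com", "TXT"): ["v=spf1 mx ?all"],
    ("example.com", "MX"): ["host1.example.com", "host2.example.com"],
    ("host1.example.com", "TXT"): ["v=spf1 a -all"],
    ("host1.example.com", "A"): ["192.0.2.10"],
    ("host2.example.com", "TXT"): ["v=spf1 a -all"],
    ("host2.example.com", "A"): ["192.0.2.20"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Resolve a name/type pair against the constructed table (no network I/O)."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def mail_from_identity(mail_from, helo):
    """Identity to check: the envelope sender, or postmaster@<HELO> when the
    reverse-path is null (the DSN case described on the page)."""
    return mail_from if mail_from else "postmaster@" + helo


def check_host(ip, identity):
    """Evaluate the SPF record of the identity's domain against the sending IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    domain = identity.rsplit("@", 1)[-1]
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"          # no SPF record published for this domain
    if len(records) > 1:
        return "permerror"     # more than one v=spf1 record is a permanent error
    for term in records[0].split()[1:]:
        qualifier = "+"        # a mechanism with no qualifier means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        target = argument or domain
        if mechanism == "all":
            matched = True
        elif mechanism == "a":
            matched = ip in lookup(target, "A")
        elif mechanism == "mx":
            matched = any(ip in lookup(mx, "A") for mx in lookup(target, "MX"))
        elif mechanism == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(argument, strict=False)
        else:
            return "permerror"  # mechanism not supported by this minimal evaluator
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"           # nothing matched and no "all" term: default result


if __name__ == "__main__":
    # Ordinary mail from a listed MX: the domain record's "mx" matches.
    print(check_host("192.0.2.10", "alice@example.com"))                          # pass
    # Mail from an unknown host: "?all" yields neutral, not fail.
    print(check_host("198.51.100.5", "alice@example.com"))                        # neutral
    # A DSN (null sender) from host1 with HELO host1.example.com: "a" matches.
    print(check_host("192.0.2.10", mail_from_identity("", "host1.example.com")))  # pass
    # The same DSN claimed by a host that is not host1: "-all" yields fail.
    print(check_host("192.0.2.20", mail_from_identity("", "host1.example.com")))  # fail
```

The last two calls are the point of the per-host records: a bounce that really comes from host1 passes, while the same HELO name presented from any other address hits -all and fails, whereas the domain record's ?all leaves unknown senders of ordinary mail at neutral.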
More information:
http://spf.pobox.com/
http://spf.pobox.com/newheader.html
http://spfwiki.infinitepenguins.net/wiki/SenderPermittedFrom/HomePage
Last modified: 11/30/2004