Creating SPF records

Our organization decided to add SPF (Sender Policy Framework) records to our DNS servers. SPF records are DNS TXT resource records that list the hosts authorized to send mail using a domain in the SMTP envelope sender (MAIL FROM) or HELO identity; a receiving mail server looks up the record for that domain and compares the connecting IP address against it.

In our organization, our mail exchangers both send and receive mail for our domain. We cannot say with certainty that only our mail exchangers legitimately send mail for our domain, so we end our SPF record with ?all, which yields a "neutral" result for any other host. Note that receivers must treat neutral exactly as if no SPF record were published, so this record documents our mail exchangers but does not let anyone reject forged mail; ~all ("softfail") or -all ("fail") should be used once the full list of legitimate senders is known.

Our SPF record is as follows:

example.com.          86400   IN      TXT     "v=spf1 mx ?all"

In addition, each of our mail exchangers should have its own SPF record so that remote systems can verify the authenticity of Delivery Status Notifications (DSNs). DSNs are sent with a null envelope sender (MAIL FROM:<>) so that a bounce can never itself bounce ("double bounces"); since there is no sender domain to look up, SPF implementations instead check the domain supplied with the SMTP EHLO or HELO command.

From http://www.ietf.org/internet-drafts/draft-ietf-marid-mailfrom-00:

   [RFC2821] allows the reverse-path to be null (see Section 4.5.5.) In
   this case, there is no explicit sender mailbox, and such a message
   can be assumed to be a notification message from the mail system
   itself.  When the reverse-path is null, this document defines the
   "Mail From" identity to be the mailbox composed of the localpart
   "postmaster" and the domain supplied with the SMTP EHLO or HELO
   command.  Note that requirements for the domain presented in the EHLO
   and HELO commands are not strict, and software must be prepared for a
   "Mail From" identity so constructed to be ill formed.

Here are the appropriate SPF records for our mail exchangers, assuming our example.com domain has two mail exchangers named host1.example.com and host2.example.com:

host1.example.com.          86400   IN      TXT     "v=spf1 a -all"
host2.example.com.          86400   IN      TXT     "v=spf1 a -all"

Since we can say with certainty that only host1.example.com itself sends DSNs announcing host1.example.com in HELO, it is appropriate to end the record with -all ("fail"). The "a" mechanism matches when the connecting IP address is one of the A records of the domain being checked, so this only works if each exchanger's HELO name resolves to the address it actually sends from.
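To make the two lookups concrete, here is a small SPF evaluator covering the mechanisms used on this page ("a", "mx", "all", plus "ip4"). It is an added example, not code from this page or from any SPF implementation; DNS answers come from a constructed in-memory table with hypothetical addresses (192.0.2.10 and 192.0.2.11 for the two exchangers), so it runs offline. It shows a normal message being checked against the example.com record and a null-sender DSN being checked against the postmaster@<HELO> identity as the draft describes, including the ill-formed HELO case.

```python
import ipaddress

# Constructed DNS table for the page's example.com zone. Addresses are
# hypothetical; in a real evaluator these would be live DNS queries.
DNS = {
    "example.com.": {
        "TXT": ["v=spf1 mx ?all"],
        "MX": ["host1.example.com.", "host2.example.com."],
    },
    "host1.example.com.": {"A": ["192.0.2.10"], "TXT": ["v=spf1 a -all"]},
    "host2.example.com.": {"A": ["192.0.2.11"], "TXT": ["v=spf1 a -all"]},
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed table."""
    return DNS.get(name.lower().rstrip(".") + ".", {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None if there is none."""
    recs = [t for t in lookup(domain, "TXT") if t.split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def evaluate(ip, domain):
    """Evaluate domain's SPF record against the connecting IP address.

    Mechanisms are tried left to right; the first match decides the result
    via its qualifier. With no match and no "all" term the result is neutral.
    """
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = str(ipaddress.ip_address(ip))  # normalize the textual form
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            matched = True
        elif name == "a":
            # "a" matches an A record of the checked domain (or of arg if given)
            matched = addr in lookup(arg or domain, "A")
        elif name == "mx":
            # "mx" matches an A record of any MX host of the checked domain
            matched = any(addr in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif name == "ip4":
            matched = ipaddress.ip_address(addr) in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # mechanism this small evaluator does not implement
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def check_mail_from(ip, mail_from, helo):
    """Check the MAIL FROM identity of a message from ip.

    For a null sender (a DSN), the identity is postmaster@<HELO domain>, so the
    HELO domain's own SPF record is what gets evaluated.
    """
    if mail_from in ("", "<>"):
        # HELO names are not required to be well formed; do not guess a domain from junk.
        if "." not in helo or helo.startswith(".") or helo.endswith("."):
            return "none"
        mail_from = "postmaster@" + helo
    domain = mail_from.rsplit("@", 1)[-1]
    return evaluate(ip, domain)


if __name__ == "__main__":
    print(check_mail_from("192.0.2.10", "user@example.com", "host1.example.com"))  # pass (mx)
    print(check_mail_from("198.51.100.5", "user@example.com", "host1.example.com"))  # neutral (?all)
    print(check_mail_from("192.0.2.10", "", "host1.example.com"))  # pass (a)
    print(check_mail_from("198.51.100.5", "", "host1.example.com"))  # fail (-all)
    print(check_mail_from("198.51.100.5", "", "mailer"))  # none (ill-formed HELO)
```

The last three calls show why the per-host records matter: a forged bounce from an unrelated address announcing host1.example.com in HELO gets "fail" from the host record, whereas the domain record alone would only ever return "neutral" for the same forgery.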

More information:

http://spf.pobox.com/
http://spf.pobox.com/newheader.html
http://spfwiki.infinitepenguins.net/wiki/SenderPermittedFrom/HomePage


Last modified: 11/30/2004