The Sender Policy Framework (SPF) is a community-based effort, which requires senders to publish their mail server in an SPF record. Whenever an email is received, a check is made to see if the server which sent it is allowed to send emails on behalf of the sender s domain. The purpose of this filter is to detect forged senders.
For example: you receive a message from 'firstname.lastname@example.org' from machine with IP '18.104.22.168'. SPF works by asking 'somedomain.com' if '22.214.171.124' is allowed to send email on its behalf.
For SPF to work, the sender's domain ('somedomain.com' in this example) must publish, via DNS TXT records, the hosts which are allowed to send email on its behalf. Thus SPF requires both sender and recipient collaboration. If this information is not published then SPF will return 'unknown', or 'none'.
SPF checks the last external IP. If GFI MailEssentials is installed on a machine in the perimeter than the last external IP is easily obtainable by checking the IP of the mail server that connected to Internet Information Services (IIS).
If GFI MailEssentials is not installed on the perimeter server, you need to configure the perimeter SMTP servers that are receiving emails from the internet. GFI MailEssentials will parse the message headers for the 'Received lines' which will contain the IP addresses of the servers from where the message has passed. To get the IP address of the sender s mail server, GFI MailEssentials checks all the IP's in the header until an IP is:
- Found in the perimeter SMTP servers list.
- Followed by an IP address which is not in the perimeter SMTP servers list. The latter IP is the external IP.
The following example assumes that 126.96.36.199 is in the perimeter list. GFI MailEssentials is installed on 'hostb' and is being forwarded email from 'hosta' (188.8.131.52).
Received: from hosta ([184.108.40.206]) by hostb with Microsoft SMTPSVC;
Tue, 11 Jan 2005 18:53:30 +0100
Received: from external.com ([220.127.116.11]) by hosta with Microsoft SMTPSVC;
Tue, 11 Jan 2005 18:53:19 +0100
Following the logic above, GFI MailEssentials will find the perimeter IP which is followed by a non-perimeter IP, in this case 18.104.22.168. If somedomain.com confirms that 22.214.171.124 is allowed to send email on its behalf the email is passed through the rest of the anti-spam plugins, otherwise the email is marked as spam.
The following procedure explains how to create an SPF record for your domain. The procedure can be divided in the following stages:
- Determine domain name which is used to send emails to the internet
- Determine the public IP address(es) that are used to send emails
- Create your SPF
- Publish the SPF record in your DNS Server
Determine domain name which is used to send emails to the internet:
An SPF record is created for a domain, therefore you need to first identify what domain is used when emails are sent to the internet from your domain. The domain is the last part of your email address.
Determine the public IP address(es) that are use to send emails:
In order for SPF to determine that an email has been received from a legitimate sender, it will check the sender mail server IP address and compare it to the content contained in the SPF record. In order to properly configure an SPF record, you will need to obtain all the public IP addresses which are used to send emails to the internet from your domain.
Create your SPF record:
The wizard found at http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/ offers a step by step wizard which explains how to create your SPF record.
In order for the SPF record to be queried, it would need to be published on the authoritative DNS server for your domain. The DNS Server could be hosted locally within the organization or managed by your ISP.
If your DNS records are managed by your ISP, you would need to provide the text from the SPF Setup Wizard to your ISP and ask them to add it to the TXT record of your domain.
If the domain is hosted on a local DNS server, you will need to manually add the TXT SPF record to your DNS Server. The following procedure explains how to add a TXT SPF record on the DNS server included with Windows 2003 Server:
- Login to the DNS server using administrative privileges
- Open the 'DNS' Console in 'Administrative Tools'
- Expand 'DNS' > 'Forward Lookup Zones'
- Select and open the domain in which you wish to add the SPF record. Right-click in the record list and select 'Other New Records..' from the menu
- Select the 'Text (TXT)' record and click on the 'Create Record...' button
- Type the SPF record data in the 'Text' textbox. Click the 'OK' button.
- Click on the 'Done' button to close the window and the SPF record is added
- It is important to note that all public perimeter IPs should be included in the GFI MailEssentials configuration as GFI MailEssentials will search for them when parsing message headers
- Confirm which DNS-server GFI MailEssentials uses. In most cases this will be an internal DNS server. If you have an external zone in your internal DNS server, then you need to setup the SPF-record for your domain in the DNS-record of your internal DNS server as well as the external one
- More information regarding the Sender Policy Framework (SPF) can be found at: http://openspf.org/