Sender Policy Framework


As I recently went through the trouble of re-building my own email server, I came across a relatively new thing called the Sender Policy Framework. Essentially, it is a way for a domain owner to publish the IP addresses of the mail servers that are expected to send mail for a particular domain.

It's not a perfect solution by any means, but it is pretty easy to set up for those of us who can fit within a relatively short list of defined good mail servers.

Here's how it works.

Basically, you set up a DNS entry that presents a valid list of sending IPs, domains, or includes. When a mail server receives mail claiming to come from your domain, it checks this DNS entry to see whether the mail is coming from a valid location. If not, the e-mail is a forgery and can be rejected.
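To make the check concrete, here is a small SPF evaluator written for this post (not code from the original article or from any mail server). It uses a constructed, in-memory DNS table instead of real lookups; the domain names and RFC 5737 documentation IP ranges are hypothetical, and it handles only the common `ip4`, `ip6`, `a`, `mx`, `include` and `all` mechanisms.

```python
import ipaddress

# Constructed stand-in for DNS (hypothetical names and documentation-range IPs).
DNS = {
    "example.com": {
        "TXT": "v=spf1 ip4:192.0.2.0/24 mx include:mail-provider.example -all",
        "MX": ["mx.example.com"],
    },
    "mx.example.com": {"A": ["198.51.100.25"]},
    "mail-provider.example": {"TXT": "v=spf1 ip4:203.0.113.0/24 ~all"},
}

# Qualifier prefix on a mechanism decides the result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record against the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    """
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = DNS.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"                   # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # 'in' is False when address and network families differ
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx"):
            target = arg or domain
            hosts = [target] if mech == "a" else DNS.get(target, {}).get("MX", [])
            addrs = [a for h in hosts for a in DNS.get(h, {}).get("A", [])]
            matched = str(ip) in addrs
        elif mech == "include":
            # an include matches only if the referenced policy yields 'pass'
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"          # unsupported mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no 'all' term
```

With this table, mail for example.com from 192.0.2.7 (listed netblock), 198.51.100.25 (its MX host) or 203.0.113.9 (the included provider) passes, while 10.0.0.1 hits `-all` and fails.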

Not all mail servers out on the web utilize SPF, but the number of ones that do is growing pretty rapidly. Most mail applications have support in some manner for SPF - whether it is built in, available via a patch, or a user community contribution of some sort.

The problem of mail forgery has definitely affected me. I've received bounce messages from various domains under my control for quite some time now - and until I found this framework I did not know there was a solution that would help me to keep this problem under control. I even had one person call me to let me know that his phone had been spammed with e-mail supposedly coming from my domain. I got hold of the message, ran a whois query on the domain linked in the message (I think they were hawking "male enhancement pills" or something similar), and contacted the owner to yell at them. Of course, the owner was a 75 year old lady who didn't know what the internet was, so that didn't turn out to be very fruitful in the end.

My point after all that babbling is that forged emails are a big problem. SPF helps to resolve it. Setting up SPF records is easy, whether you are running tinydns, BIND, or even (heaven forbid) Windows DNS.

Also of note is the DomainKeys standard, which I believe was developed by Yahoo. Basically it involves using cryptographic keys to sign e-mails. The public key is stored in DNS, and the mail server adds a signature header to each outbound message. The implementation is a bit more complicated than SPF, but it is something that everyone running a mail server should do.

If you are running a mail server, also make sure that your server has reverse DNS set up. I deny any messages coming from servers with no reverse DNS set up, and a lot of other people do too.


