So after a few people read my last phlog entry, I've been asked to explain
spf.  I won't try to explain it all about spf, that is for the people at
openspf.org to do.  I'll try to explain it from my point of view, which is that
of a guy running his own outbound smtp server and wanting his emails to get
accepted by all the other smtp servers out there.

I always believe it's good to start by asking "what's it for?"  If it's just a
thing we are made to do, then nobody wants to do it.  But if we can understand a
benefit to doing it, well then we may want to do it to chase that benefit!

SPF stands for "Sender Policy Framework."  This means it is a way for
domain-owners to publish their policy on who is a valid sender of email for
the domain they own. In the old days of email you would just set your from
address and that was that, it was a no questions asked thing.  But then the
spammers came along and began setting that from address as part of their
campaign of fooling people into reading their messages.  So you get an email
from a friend or a boss or a known coworker or even yourself, and you open it
only to read a message you didn't want about purchasing some herbal viagra or
something.  So a way had to be found to say "only these senders can send email
claiming to be from here."

Of course, you can see, this breaks some applications of email forwarding.
Being a butcher by trade, I used to have a forwarder at Jason Scott's domain,
cow.net.  Specifically, I was "mad at cow dot net."  I even put this in my from
header, and sent email like that.  My ride ended months later when some spammer
decided that my cool email address would be the perfect from header for his
spams, and I began to get all kinds of weird bounces and complaints about his
spam.  Now with spf, Jason could declare, "only my email server at such-and-such
mail exchanger is a valid sender of cow.net email and all others should be
rejected."  Even then, it would have been up to Jason as to whether or not to
include my smtp server on that authorized list.  I very well could have been
left out in the cold anyway.  So when it comes to spf, start out by thinking in
terms of domains you own and what servers can send mail into the internet with a
from header that refers to a domain you own.

So, let's look at everybody's first spf record, "v=spf1 +a +mx ~all".  How to
interpret this?  Well, spf is read from left to right, so we start with
"v=spf1," which is just a declaration of what this record is, which is an spf
record written to the standard of version 1.  What follows is a space-separated
list of actions and mechanisms.  So in "+a" the plus means "accept email" and
the a is "the a record of this domain."  So if the domain is "email.domain" and
its spf record is "v=spf1 +a -all" this (which is the same as "v=spf1 a -all,"
since the plus can be assumed) means "if you get an email that claims to be from
email.domain, accept it if the dns lookup for the a record for email.domain is
where it came from; if that doesn't match, reject all other emails."  This can
also be said as "v=spf1 +a:email.domain -all".  Changing the end to ~all means
"softfail," which means it just gets marked and moved to the spam folder.

How about that "+mx?" You guessed it, the mx record of that domain!

The other thing you need to know is that you are allowed 10 mechanisms that
need a dns lookup; plain ip address mechanisms are not counted.  It is evaluated
in order left to right, and if you run over 10 items, the thing fails and is
invalid.

So let's look at a real example...
dig gnu.org txt
..snip for brevity...
gnu.org.                300     IN      TXT     "v=spf1 ip4:140.186.70.0/24
ip4:208.118.235.0/24 ip4:209.51.188.0/24 ip4:46.43.37.64/27 ip4:74.94.156.208/28
ip6:2001:4830:134::/48 ip6:2001:470:142::/48 ip6:2001:41c8:20:2d3::/64 ~all"

Here we see that gnu.org chose to list ip address ranges as valid email senders.
Indeed, doing a
dig gnu.org mx
.. snip for brevity...
gnu.org.                300     IN      MX      10 eggs.gnu.org.
shows their mail exchanger is eggs.gnu.org.  That traces to
64 bytes from eggs.gnu.org (208.118.235.92): icmp_seq=1 ttl=55 time=10.3 ms

and 208.118.235.92 is presumably in ip4:208.118.235.0/24.

Now in my case, I decided to go back to using a shared hosting provider's
servers, so I had to contact them to get their spf record.

v=spf1 +mx +a +include:websitewelcome.com
+include:unifiedlayer.com ~all

So what's with the mechanism "include?"  Well, that means to use their list as
well as your own.  It turns out after a few dig commands, that their list is a
nested list of other groups of ip addresses.  So remember when I said you have
10 mechanisms?  Well, if I put the name of my email sending domain at the end of
their record before the -all, then I do run out of lookups and it never gets
there.  So to add to that spf record I make my spf record thus "v=spf1 +mx
+a:machinename.mydomain.tld +include:websitewelcome.com ~all"  This way, the
contents of my designation are checked first, then what my email provider
includes next.
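To make the left-to-right walk, the qualifiers, and the 10-lookup limit concrete, here is a small evaluator I am adding to this entry; it is not code from openspf.org or from any SPF library, and it uses a made-up in-memory dns table (example.test, provider.test and friends are constructed names) in place of dig so it runs offline. It covers the syntax walk-through above and the include nesting problem in this section.

```python
import ipaddress

# Constructed stand-in for DNS: (name, type) -> list of answers.  Not real data.
FAKE_DNS = {
    ("example.test", "TXT"): ["v=spf1 +mx +a:mail.example.test include:provider.test ~all"],
    ("example.test", "MX"): ["mx.example.test"],
    ("mx.example.test", "A"): ["192.0.2.10"],
    ("mail.example.test", "A"): ["192.0.2.25"],
    ("provider.test", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"],
}
MAX_LOOKUPS = 10                       # the limit the entry talks about
LOOKUP_MECHS = {"a", "mx", "include"}  # mechanisms that cost a dns lookup
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, dns=FAKE_DNS, lookups=None):
    """Evaluate domain's spf record against the sending ip, left to right.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if lookups is None:
        lookups = [0]                  # shared counter across nested includes
    ip = ipaddress.ip_address(ip)
    records = [t for t in dns.get((domain, "TXT"), []) if t.startswith("v=spf1 ")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:          # skip the "v=spf1" declaration
        qualifier = "+"                          # the plus can be assumed
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in LOOKUP_MECHS:
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:         # ran over 10: record is invalid
                return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):             # free: no dns lookup needed
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in dns.get((arg or domain, "A"), [])
        elif name == "mx":
            hosts = dns.get((arg or domain, "MX"), [])
            matched = any(str(ip) in dns.get((h, "A"), []) for h in hosts)
        elif name == "include":                  # use their list as well as yours
            sub = check_spf(arg, str(ip), dns, lookups)
            if sub in ("permerror", "none"):
                return "permerror"
            matched = sub == "pass"
        else:                                    # mechanism this entry does not cover
            return "permerror"
        if matched:
            return RESULT[qualifier]
    return "neutral"
```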

The last thing I want to mention is a way to check spf email, with an email
verifier.  The company port25.com, which makes a commercial mta, keeps a
verifier on the internet.  If you send an email to
[email protected] they will email you back a report as to how your
record checks out.

I hope you found this textfile informative!