The Sender Policy Framework ensures, that email sent from a domain is allowed to be sent from the server, it is origination from.
In the past, it was quite easy to spoof a email sender domain (for example from bill.gates@microsoft.com). Since this was quite a huge problem for companies and even the whole internet communication, SPF was introduced. SPF ensures, that the servers sending mails for a certain domain, are fully qualified and allowed to send emails for that domain. An attacker might not be able to spoof your company’s email address to send “faked” information to other people.
Implementing SPF is quite easy and does not cost any single bit of a coin. We are talking about a DNS Lookup (which is done by your system to verify other systems sending servers approval) and a DNS Record on your domain, to tell other people the server(s) you are trusting to send email for you.
Sounds easy ? – it is !
This HOW-TO gives you a step by step instructions on how to enable SPF for your email system and your domains.
Part1: enable checking on your postfix system to not retreive forged domain spam
Part2: secure your domain(s), so an attacker is not able to abuse your domains any more for spoofed emails
Further reading regarding SPF can be found here: www.openspf.org/Introduction
Part #1 – SPF – verify incoming email on your mailserver (postfix)
To ensure, your mailserver would not get hit by emails from forged domains, SPF checking is the thing you want to enable.
This does NOT protect your domains from being sent from a foreign server – this blog entry just enables your server from accepting forged domain spam.
Step 1
Install the SPF Checker for postfix
apt-get install postfix-policyd-spf-python
Step 2
edit your /etc/postfix/master.cf
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
Step 3
edit your /etc/postfix/main.cf
policyd-spf_time_limit = 3600 smtpd_recipient_restrictions = ... reject_unauth_destination, check_policy_service unix:private/policyd-spf, ...
Make sure, you are putting the check_policy_service unix after the reject_unauth_destination line, to not become an open relay to the world.
Step 4
Finally, do not forget to reload / restart your postfix
/etc/init.d/postfix restart
Step 5
If you find the following in received Email Headers, your SPF is working properly
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.85.216.181; helo=mail-qt0-f181.google.com; envelope-from=yourmailaddress@gmail.com; receiver=info@miyw.de
Step 6 (optional)
instead of blocking wrong SPF Senders(default behaviour), you can just let python-spf tag them for spamassasin
edit /etc/postfix-policyd-spf-python/policyd-spf.conf and set
HELO_reject False Mail_From_reject False
this will accept Emails with wrong SPF but SA will mark them as spam afterwards.
(all steps have been tested on debian8 jessie)
Part #2 – Protect your own domain(s) with SPF records
Protecting your domain(s) with SPF
Step 1
Create a TXT Record in for domain – the simpliest way to achieve that would be as follows:
v=spf1 mx -all
This line as TXT record implies that for all servers listed in your domain as MX records are allowed to send mail (mx) and all other servers are declined (-all).
another example could be the following:
v=spf1 mx a:mail.miyw.de -all
This line allows all mx records as well as the additional domain (a:mail.miyw.de) to send email , once again all other servers are declined (-all).
Find the whole “spf Record” syntax explained here: www.openspf.org/SPF_Record_Syntax
One more cool thing is this litte Site – a SPF Record generator.
Step 2
TEST – double and yes – triple test your settings !!!
Send Emails from the Domain you just protected by SPF to a whole bunch of mail servers.
As Test we sent an email from our domain (info@miyw.de) to a gmail account and got the following line in our header:
spf=pass (google.com: domain of info@miyw.de designates 31.7.178.74 as permitted sender) smtp.mailfrom=info@miyw.de
Awesome – Hu ?
This little page could help you, as well: mxtoolbox.com
any questions ? go ahead and write us !
a good read ahead: https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/
Leave A Comment
You must be logged in to post a comment.