Q. How do I configure Sender Policy Framework (SPF) anti spam forgery system under Redhat Linux BIND server? I was advised to configure SPF for our corporate domain to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam.
A. Spammer always tries to spoof e-mail. Normal SMTP allows any computer to send an e-mail claiming to be from anyone. Thus, it’s easy for spammers to send e-mail from forged addresses. This makes it difficult to trace back to where the spam truly comes from, and easy for spammers to hide their true identity in order to avoid responsibility. Many believe that the ability for anyone to forge sender addresses (also known as Return-Paths) is a security flaw in modern SMTP, caused by an undesirable side-effect of the deprecation of source routes.
Steps to configure Sender Policy Framework
First, you need to access to DNS server zone files. Some domain registers / ISPs provides front end (control panel) to define SPF records. You need to set a TXT record by editing zone file. It allows you define real IP address of your mail server and other hosts such as webserver.
Set SPF for a domain called theos.in
Open your dns zone file such as /var/named/data/zone.theos.in and append something as follows:
@ 86400 IN TXT "v=spf1 a mx ~all"
theos.in. IN TXT "v=spf1 a mx ~all"
Save and close the zone file. Restart bind:
# service named restart
- v=spf1 : Define an SPF recored.
- a : theos.in IP address is xx.yy.zz.eee and that server is allowed to send mail from theos.in.
- mx : theos.in has one MX server called smtp.theos.in. It is allowed to send mail from theos.in.
- ~all : SPF queries that do not match any other mechanism will return “softfail”. Messages that are not sent from an approved server should still be accepted but may be subjected to greater scrutiny. If you need tight control replace ~all with -all (hard fail).
For example, following recored the “a” and “mx” specify the systems permitted to send messages for the given domain. The “-all” at the end specifies that, if the previous mechanisms did not match, the message should be rejected.
sxi.io. IN TXT "v=spf1 a mx -all"
Large network setup
Let us say you have a corporate domain called nixcraft.com with static IP network 22.214.171.124/28. All IPs in this range can send an email. Your email server is called smtp.nixcraftmail.com. You need to SPF as follows for nixcraft.com domain:
nixcraft.com. IN TXT "v=spf1 ip4:126.96.36.199/28 a mx ~all"
Also you need to set SPF for nixcraftmail.com as follows:
smtp.nixcraftmail.com. IN TXT "v=spf1 a -all"
tinydns (djbdns) DNS Setup
If you run tinydns / djbdns, enter following:
'nixcraft.com:v=spf1 ip472188.8.131.52/28 a mx ~all:3600 'smtp.nixcraftmail.com:v=spf1 a -all:3600
Test SPF / spf recored lookup
First make sure SPF TXT recored updated using dns client tool such as host or dig:
$ host -t txt domain.com
$ host -t txt nixcraft.com
$ host -t txt nixcraft.com ns1.isp.com
If your SPF configured correctly webmail service such as Gmail or Yahoo mail can display spf result by viewing email headers:
(Fig. 01: SPF in action – Gmail confirms email is send by my own server [ mailed-by sxi.io])
To view email headers click on Reply down arrow > Show original:
Received-SPF: pass (google.com: domain of [email protected] designates 184.108.40.206 as permitted sender) client-ip=220.127.116.11; Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 18.104.22.168 as permitted sender) [email protected]
Microsoft 2000 / 2003 / 2008 DNS SPF Configurations
If you run Microsoft DNS server, see these instuctions.
Sample BIND zone file for sxi.io domain
$ORIGIN sxi.io $TTL 86400 @ IN SOA ns1.sxi.io. vivek.sxi.io. ( 2008020302 ; Serial 3600 ; Refresh 300 ; Retry 604800 ; Expire 3600) ; Minimum @ 86400 IN NS ns1.sxi.io. @ 86400 IN NS ns2.sxi.io. @ 3600 IN MX 10 smtp.sxi.io. @ 86400 IN TXT "v=spf1 ip4:22.214.171.124/28 a mx ~all" feeds 86400 IN CNAME feeds.feedburner.com. * 3600 IN A 126.96.36.199 @ 86400 IN A 188.8.131.52 rd 86400 IN A 184.108.40.206 www 3600 IN A 220.127.116.11 vpn 86400 IN A 10.10.2.5
- Wizard based system to set SPF
- Test SPF online
- Wikipedia SPF article
- BIND DNS Server
- djbdns DNS Server
- Microsoft DNS server specific SPF instructions