SPF

From DreamHost


Background Information

SPF, or Sender Policy Framework, helps stop spammers from masquerading as you!

SPF info is a DNS record that says “I only send e-mail from these machines – if it’s not from one of these, it’s fake!”

To be all geeky, it fights return-path address forgery and makes it easier to identify spoofed e-mails. This is because domain owners identify all mail servers that send e-mail on their behalf within their DNS entries. Mail servers that receive SMTP e-mail verify the envelope sender address against the information in DNS, and thus can distinguish between authentic messages and forgeries before any message data is transmitted.

DreamHost doesn’t publish SPF records for its own domains, but you can add them manually, which is easy!

Adding SPF Information Manually

SPF uses text, or TXT, DNS records to provide information. It’s possible to add these records manually from the DreamHost Control Panel. Convenient, no?

  1. Visit the Manage Domains page in the Control Panel, and click the "[DNS]" link for the domain you wish to edit. You'll be taken to the domain management page.
  2. In the "Add a new DNS record..." box, verify that the correct domain appears.
    • Keep in mind that SPF treats subdomains (such as sub.example.com) as separate – see the SPF subdomain FAQ.
    • Thus you may wish to specify SPF records both for example.com (leave the host name empty – it may appear as .example.com) and for any hosts like yourhost.example.com – wildcards for TXT records aren’t supported by DreamHost, and are discouraged anyway in RFC 4408 §3.1.5.
  3. Paste the following SPF record (a single TXT value; it is wrapped here for readability) in the "Value:" text box; add a comment if you wish, such as “SPF (Sender Policy Framework)”.

      v=spf1
      ip4:64.111.100.0/24 ip4:66.33.201.0/24 ip4:66.33.216.0/24
      ip4:208.97.132.0/24 ip4:208.97.187.0/24 ip4:208.113.200.0/24 ip4:208.113.244.0/24
      mx -all

  4. From the "Type:" pulldown, choose "TXT".
  5. Click the "Add Record Now!" button.

Warnings and details

This record says:

  • This is an SPF version 1 record (v=spf1),
  • only accept messages that come from the following IP address ranges (CIDR /24 blocks, i.e. class C sized: ip4:.../24), which include the DreamHost mail server addresses,
  • or the IP associated with the MX record (mx),
  • otherwise FAIL (-all).

Modifications you may wish to make:

Add web server or 3rd party IP addresses
This list only includes DreamHost mail servers; if you send mail directly from other DreamHost machines (such as your web server), you should add that machine's IP address (or better, an address range) to this list. Similarly, if you send email from a third party (like, oh, I dunno, Gmail), you’ll need to add those too – see the discussion at Third Party SPF Records, below.
~all during testing
You may wish to use ~all during testing for SOFTFAIL. However, SOFTFAIL is only intended for debugging: a SOFTFAIL result generally leads servers to accept the message but mark it as a suspected forgery (hence spam). This means that the message is delivered (which is useful for testing), but it may be caught in spam filters without any warning to the sender, so your legitimate mail may be flagged as spam; see SPF FAIL rejection for details.
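To see how a receiving server interprets the record above (ip4 ranges, mx, and the -all versus ~all qualifiers, plus the include: form discussed below), here is a small evaluator written for this page; it is not DreamHost's code or a full SPF library. It stands in for DNS with a constructed table, and all hosts and non-DreamHost addresses in it are made up.

```python
import ipaddress

# Constructed stand-in for DNS lookups (assumption: these hosts, zones and the
# non-DreamHost addresses are made up for the example; only the two ip4 ranges
# under example.com are taken from the record above).
DNS = {
    "TXT": {
        "example.com":      "v=spf1 ip4:64.111.100.0/24 ip4:66.33.201.0/24 mx -all",
        "softtest.example": "v=spf1 ip4:64.111.100.0/24 mx ~all",
        "mailer.example":   "v=spf1 ip4:203.0.113.0/24 -all",
        "example.net":      "v=spf1 include:mailer.example a -all",
    },
    "MX": {"example.com": ["mx1.example.com"], "softtest.example": []},
    "A":  {"mx1.example.com": "198.51.100.25", "example.net": "198.51.100.80"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate the SPF record published for `domain` against the connecting
    address `ip`. Returns an RFC 4408 result: pass, fail, softfail, neutral,
    none (no record) or permerror (bad record / too many includes)."""
    record = DNS["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                       # RFC 4408 caps include: recursion
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # mechanisms are tried left to right
        qualifier = "+"                  # no prefix means "+" (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":                # matches everything; usually last
            matched = True
        elif name == "ip4":              # a bare address means /32
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":                # A record of the domain (or of arg)
            matched = DNS["A"].get(arg or domain) == str(addr)
        elif name == "mx":               # any address of the domain's MX hosts
            hosts = DNS["MX"].get(arg or domain, [])
            matched = any(DNS["A"].get(h) == str(addr) for h in hosts)
        elif name == "include":          # matches only if the included record passes
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"           # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # ran off the end without an "all" term
```

Note that a softfail record lets an unlisted sender through as "softfail" rather than "fail", which is exactly why receivers tend to deliver such mail to the spam folder.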

Future

It has been observed (Dreamhost SPF Record request.) that if and when DreamHost publishes its own SPF records, you won’t need to include the above list of IP addresses, because you’ll be able to write:

v=spf1 include:dreamhost.com a mx ptr -all

(plus any 3rd party hosts) and then it will be updated automatically! Only time will tell – stay tuned for the next exciting episode in the DreamHost SPF saga!

Checking configuration

Checking envelope sender

A subtle point, if sending from host.yourdomain.com, is whether your email client sends the envelope sender (SMTP MAIL FROM) as user@host.yourdomain.com or as user@yourdomain.com (does it include or exclude the host?). This matters if you can’t set (or don’t want to set) an SPF record for each host – for example if you use dynamic DNS where your actual host record is a CNAME and the dynamic DNS provider doesn’t offer TXT records.

You can check which MAIL FROM is being sent by sending an email to an address that does SPF validation, such as Gmail, and then looking at the smtp.mailfrom field in the Authentication-Results: header. How to change this depends on the client, and may be tricky.
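As an added example (not from the original page), this parses the SPF clause of an Authentication-Results header and tells you whether the envelope sender your client used carries the host name or just the bare zone; the header line is constructed in the shape Gmail adds, with made-up addresses.

```python
import re

# Constructed header line in the shape Gmail adds (assumption: server and
# addresses are made up for the example).
HEADER = ("Authentication-Results: mx.google.com; "
          "spf=pass (google.com: domain of user@host.example.com designates "
          "64.111.100.7 as permitted sender) smtp.mailfrom=user@host.example.com; "
          "dkim=neutral header.i=@example.com")

def parse_spf_result(header):
    """Return (spf_result, envelope_sender) from an Authentication-Results
    header, or (None, None) when no SPF clause is present."""
    body = header.split(":", 1)[1] if header.lower().startswith("authentication-results:") else header
    result = re.search(r"\bspf=(\w+)", body)                 # pass/fail/softfail/...
    mailfrom = re.search(r"smtp\.mailfrom=([^\s;]+)", body)  # the MAIL FROM identity
    return (result.group(1) if result else None,
            mailfrom.group(1) if mailfrom else None)

def envelope_host_part(sender, zone):
    """Classify the envelope sender's domain relative to `zone`: 'bare' for
    user@zone, 'host' for user@something.zone, 'other' otherwise. A 'host'
    result means the SPF record that was consulted is the host's, not the zone's."""
    domain = sender.rsplit("@", 1)[-1].lower()
    zone = zone.lower()
    if domain == zone:
        return "bare"
    if domain.endswith("." + zone):
        return "host"
    return "other"
```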

Checking your SPF information

OpenSPF.org has a useful page, "I manage my own domain(s) and I want to publish/fix my SPF record". This is part of their SPF FAQ. They link to an SPF Validator which gives useful diagnostics on your SPF record.

Note that, when you change your SPF information, it can take a few hours for the changes to propagate sufficiently for the SPF Validator to see them.

Third Party SPF Records

Many Dreamhosters use third party mail systems including outsourcing their mail to Google Apps or using mass-mailing systems like Mailchimp to send newsletters. In these cases it is important to adjust your SPF record appropriately or you can experience lost emails. Here are a few links to resources to help you create a more robust SPF record.

DKIM

SPF fights envelope sender (SMTP MAIL FROM) spoofing – to fight “From:” header spoofing, you use DKIM instead! In fact, you can use both! (Kinda like wearing a belt and suspenders.) However, since spammers are not very creative people (other than in the number of ways to spell “Herbal Viagra”), they usually use the same address for both MAIL FROM and From:, so either SPF or DKIM works.

However, SPF and DKIM have other benefits, and are complementary, so go ahead, be stylish – use them both!
