Sender Policy Framework - SPF - Yaritz Consulting: The Consultation Company  


SPF (Sender Policy Framework)

UCE (Unsolcitited Commercial Email, formerly known as spam) is a problem in today's world.  Everyone has been unindated with unwanted emails that they did not request or may not even want to see.  UCE is nothing more than unwanted email you have received which you did not start the conversation.  Due to the ULAs of websites (User License Agreement), this does not include webforms which you may have forgot to check the "don't send me stuff" box on their signup form.  Signing up for email by giving your address out is your problem and should be dealt with the website used to signup for the email accordingly.

With that in mind, UCE is a growing problem with many solutions.  (Once an email is accepted, how do you know who to sent it back to?  The simple answer is you don't.  Most of UCE has falsified "sender" addresses.)  The best advice so far is to block UCE at your incoming border email server while it is being sent.  If you do happen to accept a message, you cannot reliable send a bounce back to the sender as you do not know the proper address.  This means you should put the measures to block UCE into the servers that your public DNS MX records directly point to.  Please note that this will mean all the public servers, not just your primary email server, but including the backup servers!  That aside, blocking email can be done in a few different ways.  SPF is useful as it take the RBL style to a whole new level by blocking based on the sender's e-mail address instead of the IP address.  Sender can then send email from any host, effectively requiring authentication to the companies sending servers.

SPF is protects email using two methods.  The first that we will talk about is outgoing email:

  1. Create a DNS TXT record for the domain you want to protect.  (This does not work recursively.  weber.edu means it will only block weber.edu.)
  2. This TXT record will contain similar to the following: "v=spfv1 mx a -all" (This record says it is SPF version 1, allow MX and A records, and block all else.  That is the meaning of the - in front.  This, +all, will force an allow of all.  Leaving the +/- sign off means that you will use the default option of allow this site to send email as you.)

Server installation instructions:

  1. Install an SPF package of your choice.
  2. Now enable this package on your email server.
  3. Test your installation.  (This testing should happen from another email account such as http://mail.yahoo.com that has a SPF record.)

Now SPF can protect your domain and incoming email by allowing a server to spend it time on valid email.  It works by turning away known UCE offenders and savings resources for other valid emails.  This type of UCE elimination works based on the DNS record of the sender.

More information

For Consulting information and other questions, click here