SPF Howto: keep your domain names clean with SPF (Sender Policy Framework); it helps stop spammers from using your domain names to send spam.
You can use DNS SPF (Sender Policy Framework) records to reduce the amount of spam you receive, but this article is not about that approach. We do not use SPF to filter our incoming mail for spam; we use other techniques and do not feel the need for SPF for now. We will write about it if we decide to use SPF to filter our incoming mail in the future.
Nevertheless, we noticed that some spammers were using addresses from the domains we manage in the FROM field of their spam. This could be an attempt to get back at us, since we systematically report all spam we get.
Note: systematically reporting all spam greatly reduces the amount of spam you receive. It can take up to 2 months before you start to see the drop, but spammers DO take your addresses off their lists when you report. For them, your addresses behave just like spam traps, and spammers DO take spam traps off their lists.
So basically, we have added SPF DNS records to the domains we manage. By doing so, we let others know from which machines (IP addresses) mail from our domains comes. By using "-all" we tell systems that use SPF to filter mail to generate an error and notify the sender. See the notes on Wikipedia about "~all" (a tilde instead of a dash in front of "all") being more problematic.
I noticed that most big providers use "~all", which produces a soft fail on systems that use SPF to filter mail, meaning no error is generated and the sender isn't notified on the spot. Worse, the message is accepted, so bandwidth is wasted transferring the body of the message.
The fact that most big providers use the soft fail "~all" in their SPF records might be a sign that SPF doesn't work that well for big providers, whose customers may send email from various network locations. They use soft fail because it is impossible for them to keep track of every IP that might send email for the domains they host.
For smaller organizations, SPF seems to suit just fine. It is easy to keep track of the machines allowed to send mail for the domains we manage. We ourselves send mail only from our mail exchangers (MX), and we have customers who send email from their ISP, which is either videotron.ca, bell.ca or sympatico.ca.
SPF records for the domains we manage (the first is the zone-apex record, written here with the "@" owner name; spf1 and spf2 are the two records it includes):
@ IN TXT "v=spf1 a mx a:relais.videotron.ca a:mx.videotron.ca a:cluster3.eu.messagelabs.com include:spf1.oc9.com include:spf2.oc9.com -all"
spf1 IN TXT "v=spf1 ip4:184.108.40.206/27 ip4:220.127.116.11 ip4:18.104.22.168 ip4:22.214.171.124/24 ip4:126.96.36.199/24 ip4:188.8.131.52/24 ip4:184.108.40.206/24 -all"
spf2 IN TXT "v=spf1 ip4:220.127.116.11/24 ip4:18.104.22.168/26 ip4:22.214.171.124 ip4:126.96.36.199 ip4:188.8.131.52/24 ip4:184.108.40.206/24 ip4:220.127.116.11/27 ip4:18.104.22.168/25 ip4:22.214.171.124 ip4:126.96.36.199 ip4:188.8.131.52 ip4:184.108.40.206 -all"
We found the bell.ca, sympatico.ca and videotron.ca IPs by issuing the following commands in nslookup:
> set type=TXT
ip4:220.127.116.11/24 ip4:18.104.22.168/27 ip4:22.214.171.124/25 ip4:126.96.36.199
ip4:188.8.131.52 ip4:184.108.40.206 ip4:220.127.116.11 include:spf.messagelabs.com +all"
ip4:18.104.22.168/24 ip4:22.214.171.124/24 ip4:126.96.36.199/24 ip4:188.8.131.52/24
ip4:184.108.40.206/24 include:hotmail.com ?all"
> set type=MX
videotron.ca mail exchanger = 10 mx.videotron.ca.
videotron.ca nameserver = vl-mo-dn010-fae1.mo.videotron.ca.
videotron.ca nameserver = vl-mo-dn011-fae1.mo.videotron.ca.
videotron.ca nameserver = vl-mo-dn009-fae1.mo.videotron.ca.
mx.videotron.ca internet address = 220.127.116.11
vl-mo-dn009-fae1.mo.videotron.ca internet address = 18.104.22.168
vl-mo-dn010-fae1.mo.videotron.ca internet address = 22.214.171.124
vl-mo-dn011-fae1.mo.videotron.ca internet address = 126.96.36.199
bell.ca mail exchanger = 10 cluster3.eu.messagelabs.com.
bell.ca nameserver = dcoczd.bell.ca.
bell.ca nameserver = dmog1a.bell.ca.
bell.ca nameserver = dmog2a.bell.ca.
bell.ca nameserver = toroondcnszs01.srvr.bell.ca.
Since our MX hosts that send mail, master.oc9.com and slave2.oc9.com, identify themselves with those hostnames in the HELO command, we also added the following records for them to our DNS (BIND, named) zone file:
master IN TXT "v=spf1 a -all"
slave2 IN TXT "v=spf1 a -all"
1) A spammer at IP 188.8.131.52 tries to send spam to 184.108.40.206 with an address from our domain oc9.com in the FROM field.
2) The 220.127.116.11 mail server uses SPF to filter mail, so it queries our DNS server and gets the list of IPs authorized to send mail for OC9.COM, i.e. our SPF record.
3) 18.104.22.168 is not on the SPF list, so 22.214.171.124 should reject the mail, not allowing the spammer to upload it, because we use the "-all" directive.
Querying the TXT record for slave2.oc9.com with nslookup confirms the HELO record is published:
slave2.oc9.com text = "v=spf1 a -all"
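To make the scenario above concrete, here is an added example (not code from the original article, and not a production SPF library) of how a receiving MX evaluates an SPF record. It is a small offline evaluator for the mechanisms this article uses (a, mx, a:host, ip4, include and the "-all", "~all", "?all" and "+all" qualifiers) and it also counts the DNS-lookup terms, because RFC 4408 limits a record to 10 of them. The DNS data is constructed: the oc9.com apex record and the two HELO records are the ones shown above, but the spf1/spf2 include records are shortened, and the A and MX addresses for the oc9.com and videotron/messagelabs hosts are invented so that the checks run without network access.

```python
"""Minimal offline SPF evaluator (a, mx, a:host, ip4, include, all).

Constructed DNS data stands in for the real zones; the A/MX addresses and the
shortened spf1/spf2 records are assumptions made for this example only.
"""
import ipaddress

DNS = {
    "TXT": {
        # The apex record from the article.
        "oc9.com": "v=spf1 a mx a:relais.videotron.ca a:mx.videotron.ca "
                   "a:cluster3.eu.messagelabs.com include:spf1.oc9.com "
                   "include:spf2.oc9.com -all",
        # Shortened stand-ins for the article's spf1/spf2 records (assumption).
        "spf1.oc9.com": "v=spf1 ip4:184.108.40.206/27 ip4:220.127.116.11 -all",
        "spf2.oc9.com": "v=spf1 ip4:18.104.22.168/26 -all",
        # HELO record from the article.
        "slave2.oc9.com": "v=spf1 a -all",
        # A constructed provider-style record using the soft-fail qualifier.
        "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    },
    "A": {  # all addresses below are invented (RFC 5737 documentation ranges)
        "oc9.com": ["198.51.100.10"],
        "master.oc9.com": ["198.51.100.10"],
        "slave2.oc9.com": ["198.51.100.11"],
        "mx.videotron.ca": ["220.127.116.11"],
        "relais.videotron.ca": ["192.0.2.40"],
        "cluster3.eu.messagelabs.com": ["192.0.2.50"],
    },
    "MX": {"oc9.com": ["master.oc9.com", "slave2.oc9.com"]},
}

MAX_LOOKUPS = 10  # RFC 4408 section 10.1 limit on a/mx/include/... terms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _matches_host(ip, host):
    """True if `ip` is one of the (constructed) A records of `host`."""
    return any(ip == ipaddress.ip_address(a) for a in DNS["A"].get(host, []))


def check_host(ip, domain, lookups=None):
    """Evaluate `domain`'s SPF record for sender `ip`.

    Returns (result, lookups_used); result is one of pass, fail, softfail,
    neutral, none or permerror, as a filtering MX would see it.
    """
    ip = ipaddress.ip_address(ip)
    lookups = [0] if lookups is None else lookups  # shared across includes
    record = DNS["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", lookups[0]

    for term in record.split()[1:]:
        qual = "+"  # a mechanism without a prefix means "+" (pass on match)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")

        if name == "all":  # "all" always matches; its qualifier is the result
            return QUALIFIERS[qual], lookups[0]
        if name == "ip4":
            match = ip in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
            target = arg or domain
            if name == "a":
                match = _matches_host(ip, target)
            elif name == "mx":
                match = any(_matches_host(ip, mx) for mx in DNS["MX"].get(target, []))
            else:  # include: only a "pass" of the included record counts as a match
                match = check_host(ip, target, lookups)[0] == "pass"
        else:  # ptr, exists, redirect, ip6 ... are not needed for this article
            return "permerror", lookups[0]

        if match:
            return QUALIFIERS[qual], lookups[0]
    return "neutral", lookups[0]  # record ended without an "all" term


if __name__ == "__main__":
    # Our own MX, a customer's ISP relay, an address in an include, and the spammer.
    for sender in ("198.51.100.11", "220.127.116.11", "184.108.40.220", "188.8.131.52"):
        print(sender, check_host(sender, "oc9.com"))
    print("HELO slave2.oc9.com", check_host("198.51.100.11", "slave2.oc9.com"))
    print("softfail.example", check_host("198.51.100.99", "softfail.example"))
```

The spammer's IP falls through every mechanism and reaches "-all", so the result is "fail" and a filtering MX rejects at the envelope stage; the same IP against the "~all" record only yields "softfail", which is exactly the accept-and-waste-bandwidth case discussed above. The lookup counter shows that the apex record as written costs 7 of the 10 permitted lookups (a, mx, three a:host terms and two includes), so there is not much room left to add further include: terms before SPF checkers start returning permerror.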
Further scenario testing can be done here. A web-based tool lets you simulate a spammer sending email and tells you what an SPF-filtering system would have done with the message. We tried it with a few valid and invalid IPs and the results were as expected: all mail coming from unknown IPs would have returned the FAIL result code according to this test tool. You may also use this other tool.
A nice web-based wizard scans your current configuration, explains it to you, and can also generate your SPF entry. Click here.
The SPF RFC: RFC 4408.
Last updated (Wednesday, 26 March 2008 23:44)