How to: Prevent spammers from spoofing your domain with SPF
Spam going through your mail system to your end users is only part of the spam problem. There is another part called domain or email spoofing.
Here is the definition of domain spoofing from answers.com:
The unauthorized use of a third-party domain name as the sender’s name in an e-mail message. Most often used by spammers, spoofing the name of a popular retailer or organization entices the recipient to read the full message.
Some negative effects of having your domain spoofed are bad publicity, a flood of bounce notifications for emails you did not send, possible phishing attacks against your e-commerce site, and spam reaching your end users because your own domain is whitelisted in your spam filter.
There are three main methods of preventing spoofing:
- Sender Policy Framework (SPF records)
- Sender ID Framework (SIDF) (Microsoft’s implementation of SPF)
- DomainKeys Identified Mail (DKIM)
In this post I will explain how to use SPF records, since they are the easiest to set up and the most widely adopted of the three mechanisms. The goal of this post is to get you started with SPF records and help you design a record for your domain; it is far from covering all the complexities of mail servers and authentication mechanisms. For more advanced information I encourage you to read through the links posted at the end of this post.
An SPF record is a TXT record for your domain name specifying which servers are allowed to send mail for the domain. This is why it is important to do a thorough evaluation of your network for all the possible sources of email for your domain. This includes, but is not limited to, website confirmation mail, mobile devices (BlackBerrys, Palm, etc.) and Internet load balancers (more on that later).
Once you have identified all the sources of email (IP addresses and DNS names) you can start creating the SPF record. I will be using example.com with the following records.
example.com MX 10 mx1.example.com
example.com MX 20 mx2.example.com
mx1.example.com A 111.111.111.25
mx2.example.com A 111.111.111.26
www.example.com A 111.111.111.80
Considering that mx1.example.com, mx2.example.com and www.example.com send email for example.com, we would create the following SPF record:
"v=spf1 mx ip4:111.111.111.80 -all"
v=spf1
Every SPF record must begin with this version tag.
mx
This is an alias for all the servers listed in the domain's MX records (in this case mx1.example.com and mx2.example.com); the receiving server resolves each MX host to its A record and compares it to the sending IP.
ip4
This specifies another valid outgoing server by IP address. We can also add a mask to it, so if we wanted to allow the whole 111.111.111.0/24 subnet to send mail we would have written ip4:111.111.111.0/24.
-all
The “-” qualifier means that hosts matching the mechanism that follows are denied from sending mail for our domain; “all” matches every host, so “-all” denies everything not matched earlier.
A receiving server looking up the SPF record tries to match the mechanisms from left to right and stops at the first match. This is why we put -all at the end: any host not specifically listed before it is denied.
Now our records would look like this:
example.com MX 10 mx1.example.com
example.com MX 20 mx2.example.com
mx1.example.com A 111.111.111.25
mx2.example.com A 111.111.111.26
www.example.com A 111.111.111.80
example.com TXT "v=spf1 mx ip4:111.111.111.80 -all"
When using an Internet load balancer, outgoing mail may leave your internal network through different IP addresses, and if only one of the WAN IPs is in the SPF record you may see mail bouncing back because of SPF failures (Trust me, I learned it the hard way). In this situation you can either put all your WAN IPs in the SPF record or list only one and force outgoing SMTP traffic to pass through that allowed IP.
If you are using your ISP’s SMTP server as a smarthost for your mail server, make sure to add it to the SPF record too, since the smarthost will be the sending server as seen by the recipient.
You can read the links below for more information on email authentication and the different mechanisms available. On www.openspf.org you will find tools to help you design your record, a full page describing the SPF syntax and tools to test your SPF records. I also included links to SenderID and DKIM sites.
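To make the left-to-right evaluation, the -all catch-all and the load balancer and smarthost situations concrete, here is a small SPF evaluator in Python. It is an added example, not code from the original post or from any SPF library, and it covers only the mechanisms discussed here (mx, a, ip4, all) with the four qualifiers. The DNS data is a constructed in-memory table mirroring the example.com records above; the load balancer WAN addresses (203.0.113.10 and 203.0.113.11), the ISP smarthost name smtp.isp.example and its address 198.51.100.25, and the function names are assumptions made up for the example.

```python
import ipaddress

# Constructed, in-memory DNS zone mirroring the post's example.com records,
# plus a hypothetical ISP smarthost (name and address are made up).
ZONE = {
    ("example.com", "MX"): ["mx1.example.com", "mx2.example.com"],
    ("example.com", "TXT"): ['v=spf1 mx ip4:111.111.111.80 -all'],
    ("mx1.example.com", "A"): ["111.111.111.25"],
    ("mx2.example.com", "A"): ["111.111.111.26"],
    ("www.example.com", "A"): ["111.111.111.80"],
    ("smtp.isp.example", "A"): ["198.51.100.25"],   # hypothetical smarthost
}

# Hypothetical WAN addresses of an Internet load balancer (constructed).
WAN_IPS = ["203.0.113.10", "203.0.113.11"]

# SPF qualifiers and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Resolve a record type for a name from the constructed zone."""
    return ZONE.get((name.lower(), rtype), [])


def host_has_ip(host, ip):
    """True if any A record of host equals the sending IP."""
    return any(ip == ipaddress.ip_address(a) for a in lookup(host, "A"))


def check_spf(domain, sender_ip, record=None):
    """Evaluate the SPF record of domain for sender_ip, left to right.

    Returns pass/fail/softfail/neutral/none/permerror. If record is None
    the domain's v=spf1 TXT record is taken from ZONE. Mechanisms other
    than mx, a, ip4 and all (include, exists, ptr, ...) are not handled.
    """
    ip = ipaddress.ip_address(sender_ip)
    if record is None:
        spf = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
        if not spf:
            return "none"              # domain publishes no SPF record
        record = spf[0]

    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"

    for term in terms[1:]:
        qualifier = "+"                # no prefix means "+" (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            # a single address or a CIDR range such as 111.111.111.0/24
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_has_ip(arg or domain, ip)
        elif mech == "mx":
            matched = any(host_has_ip(mx, ip) for mx in lookup(arg or domain, "MX"))
        else:
            return "permerror"         # unsupported mechanism
        if matched:
            return QUALIFIERS[qualifier]   # first matching mechanism wins
    return "neutral"                   # record ended without an "all" term


def load_balancer_results(record=None):
    """SPF result for mail leaving through each WAN IP of the load balancer."""
    return {wan: check_spf("example.com", wan, record) for wan in WAN_IPS}


if __name__ == "__main__":
    print(check_spf("example.com", "111.111.111.25"))   # matched by mx
    print(check_spf("example.com", "111.111.111.80"))   # matched by ip4
    print(load_balancer_results())                       # both WAN IPs fail
    fixed = "v=spf1 mx ip4:111.111.111.80 ip4:203.0.113.10 ip4:203.0.113.11 -all"
    print(load_balancer_results(fixed))                  # both WAN IPs pass
    smart = "v=spf1 mx ip4:111.111.111.80 a:smtp.isp.example -all"
    print(check_spf("example.com", "198.51.100.25", smart))  # smarthost passes
```

With the record from the post, mail leaving through either WAN address of the load balancer is rejected by -all, which is exactly the bouncing described above; adding both addresses (or the smarthost, via an a: mechanism) turns those into a pass while every unlisted host still fails.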
Links
http://en.wikipedia.org/wiki/E-mail_authentication
SPF
http://www.openspf.org/
http://en.wikipedia.org/wiki/Sender_Policy_Framework
DKIM
SenderID
http://en.wikipedia.org/wiki/Sender_ID
Implementation Tips for the Sender ID Framework—Creating Your SPF Record