User Tools

Site Tools


how_to:sender_policy_framework

Sender Policy Framework / SPF

SPF is a system used to tell mail servers which IP addresses can send mail from which domains. It is designed to reduce 'spoofing' of email addresses. For instance, if you receive an email message from your bank, your mail software can check that it came from an IP address authorised to send mail from your bank, and treat the message with suspicion if it didn't come from an authorised IP address.

SPF is described in detail at http://www.openspf.org so that is a good place to look.

There are two sides to the SPF system:

  1. configuring SPF to indicate the approved IP addresses for sending mail. This is useful to help reduce the impact of messages sent pretending to come from your domain name.
  2. checking SPF on incoming mail. This is useful for reducing the reception of spoofed email.

Configuring SPF for sending mail

If you want to set up SPF so that other mail software will know which IP addresses can send mail from your domain, this is configured in your DNS settings for your domain, not in your email server. When someone receives an email from your domain, they will look up a TXT or SPF DNS record for your domain name (the bit after the @ sign in your email address) and check the rules defined there against the IP address the message came from.

It can be quite complicated to define the SPF record for your domain, depending on how outgoing email is sent (via relay servers, etc). Your ISP may be able to help, or you can read this introduction to the SPF record syntax.

We can help you set up the SPF record for your domain. This costs £30 + VAT for us to research the required settings for you. Note that we cannot actually set up the SPF record unless you can give us access to your domain DNS hosting account, but we can usually tell you what you need to do so that you can do it yourself (or you can give us access to your domain hosting account if you wish)

Configuring VPOP3 to check SPF on incoming mail

Note that SPF only works with direct incoming SMTP. If your mail goes through another mail server (eg a POP3 server, or mail filtering service, or even just a backup MX server) before reaching VPOP3, then that server has to perform the SPF checks. VPOP3 can't do the checks in this case, because the IP address that it sees the message coming from is this other mail server, not the original sender.

To enable SPF checks, go to Services → SMTP Server → Spam Reduction, and check the boxes Enable SPF Support and Skip SPF checks for local/authorised senders.

This will make VPOP3 add Received-SPF and Authentication-Results headers to incoming messages, with the SPF test results.

To affect how the VPOP3 spam filter treat SPF results (requires VPOP3 v6.11 or later), you need to go to Settings → Spam Filter → General, and then the Rule Weights tab. Check the 'SPFxxxx' rules. The rule weights are multiplied by 100 and applied to the spam score.

how_to/sender_policy_framework.txt · Last modified: 2018/11/14 10:45 (external edit)