The Sender Policy Framework (SPF) filter identifies and blocks spam with forged senders. This article describes how the filter can be used to effectively identify and block emails originating from forged senders.
The Sender Policy Framework filter uses SPF records to stop email from forged senders by checking whether the sending IP address is authorized for the sender's domain. SPF is a community-based effort, which requires that senders publish the IP addresses of their mail servers in an SPF record.
This filter is part of the Anti-Spam Engine (ASE) chain as shown in the illustration below. The order in which the various modules scan an email is configurable and can be altered from the MailEssentials Configuration > Anti-Spam > Filter Priority.
The Sender Policy Framework (SPF) is a community-based effort, which requires senders to publish their mail servers in an SPF record. Whenever an email is received, a check is made to see if the server which sent it is allowed to send emails on behalf of the sender's domain. The purpose of this filter is to detect forged senders. More information regarding the Sender Policy Framework (SPF) can be found at this external website dedicated to the SPF Project: http://open-spf.org/
Example: If an email is sent from xyz@CompanyABC.com then CompanyABC.com must publish an SPF record in order for SPF to be able to determine if the email was really sent from the CompanyABC.com network or whether it was forged. If an SPF record is not published by CompanyABC.com, the SPF result will be 'unknown' or 'none'.
For SPF to work, the sender's domain ('CompanyABC.com' in this example) must publish, via DNS TXT records, the hosts which are allowed to send email on its behalf.
The procedure to publish an SPF record for your domain is outside the scope of MailEssentials. You can refer to documentation from your DNS host on how to create the SPF record but at a high level the process usually involves the following steps:
- Determine the domain name which is used to send emails to the internet
- Determine the public IP address(es) that are used to send emails
- Create your SPF record
- Publish the SPF record in your DNS server
This linked article provides additional details on How to Create a Sender Policy Framework (SPF) Record. However, MailEssentials does not make it a requirement to publish an SPF record.
SPF checks the last external IP. If MailEssentials is installed on a machine in the perimeter then the last external IP is easily obtainable by checking the IP of the mail server that connected to Internet Information Services (IIS).
If MailEssentials is not installed on the perimeter server, you need to configure the perimeter SMTP servers that are receiving emails from the internet. GFI MailEssentials will parse the message headers for the 'Received lines' which will contain the IP addresses of the servers from where the message has passed.
The SPF module makes use of SPF DNS records to check if the SMTP server connecting to IIS is allowed to send emails for the sender’s domain.
When the SPF module checks the validity of an email, it will need the IP address of the connecting mail server and the sender’s domain extracted from the SMTP sender email envelope. After performing a DNS query, the results may be one of the following:
Results when interpreting valid records:
- published data is explicitly inconclusive (Neutral)
- the <ip> is in the permitted set (Pass)
- the <ip> is in the not permitted set (Fail)
- the <ip> may be in the not permitted set (SoftFail)
Results from error conditions:
- no published data (None)
- transient error during DNS lookup or other processing (TempError)
- unrecoverable error during processing, such as an error in the record format (PermError)
If the result is "Fail", then an additional reason is returned, such as "Not Permitted" or "Domain Does Not Exist". If the reason is "Not Permitted", then an explanation string is also returned; the explanation string may be empty.
Blocking of the message by MailEssentials depends on the setting that is chosen in the MailEssentials configuration. The SPF results that are blocked by each setting are listed in the MailEssentials SPF configuration window when the setting is chosen. The options are:
- Block SOFT FAIL result
- Block SOFT FAIL, Neutral, Unknown and NONE results
Further details about the different results in Sender Policy Framework are provided in this linked article: What are the different results in Sender Policy Framework?
- Emails originating from the local host (127.0.0.1, or localhost) are not checked by the SPF module. Localhost is always allowed to send emails by the SPF filter. The other Anti-Spam checks are still done.
- The SPF module is passed the IP address of the sending mail server, the email address that is specified in the envelope from (MAIL FROM), and the text that is specified after the 'HELO' command by the sending mail server. Only if the envelope from information is missing is the information specified after the 'HELO' command used instead.
- When checking the SPF record, note the qualifier sign in front of the "all" keyword, which should be found at the end of the SPF record:
  - If it is "-all", emails sent from any IP address not listed in the SPF record will result in Fail.
  - If it is "~all", emails sent from any IP address not listed in the SPF record will result in SoftFail.
  - If it is "?all", emails sent from any IP address not listed in the SPF record will result in Neutral.
- Only SPF version 1 records are supported by the current implementation of the feature in MailEssentials. You will notice the version number in the DNS record for the domain: if the TXT record starts with "v=spf1", then it is version 1. If it starts with "v=spf2(.0)" (the Sender ID format), then it is version 2, and it is not checked by MailEssentials.
- An SPF record may reference other types of DNS records. For example, the SPF record of gfi.com is "v=spf1 a:mailers.gfi.com ~all". The IP addresses that are allowed to send emails for gfi.com are found in the A record of mailers.gfi.com.
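The notes above describe the inputs the filter receives (connecting IP, MAIL FROM, HELO), the localhost exemption, the meaning of the qualifier in front of "all", the "v=spf1" version check, and mechanisms such as "a:" that reference other DNS records. The following added example pulls those rules together in a small SPF evaluator. It is illustration code written for this article, not MailEssentials code or the official SPF library; the DNS table is constructed from documentation address ranges, the domain names in it are invented, and only the ip4, ip6, a, mx, include and all mechanisms are implemented (modifiers such as redirect= and exp= are skipped).

```python
"""Toy SPF (v=spf1) evaluator over a constructed in-memory DNS table.

Added illustration, not MailEssentials code.  Covers the ip4, ip6, a, mx,
include and all mechanisms, the + - ~ ? qualifiers, and the result names
used in the text (Pass, Fail, SoftFail, Neutral, None, PermError).
"""
import ipaddress

# Constructed DNS answers (documentation ranges and invented names, not real records).
DNS = {
    "companyabc.com": {"TXT": ["v=spf1 ip4:203.0.113.0/24 a:mailers.companyabc.com "
                               "include:relay.example -all"]},
    "mailers.companyabc.com": {"A": ["198.51.100.10", "198.51.100.11"]},
    "relay.example": {"TXT": ["v=spf1 ip4:192.0.2.5 ip6:2001:db8::/32 ~all"]},
    "softfail.example": {"TXT": ["v=spf1 mx ~all"], "MX": ["mx.softfail.example"]},
    "mx.softfail.example": {"A": ["192.0.2.77"]},
    "neutral.example": {"TXT": ["v=spf1 ?all"]},
    "senderid.example": {"TXT": ["spf2.0/pra ip4:192.0.2.1 -all"]},  # not v=spf1: ignored
    "broken.example": {"TXT": ["v=spf1 ip4:not-an-address -all"]},
    "nospf.example": {"TXT": ["just some unrelated text"]},
}

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


class PermError(Exception):
    """Unrecoverable error, e.g. a malformed record."""


def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def check_host(ip, domain):
    """Evaluate <ip> against <domain>'s SPF record; returns an SPF result string."""
    try:
        return _check_host(ipaddress.ip_address(ip), domain.lower(), depth=0)
    except PermError:
        return "PermError"


def _check_host(ip, domain, depth):
    if depth > 10:  # simplification of RFC 7208's limit on DNS-querying terms
        raise PermError("include nesting too deep")
    records = [t for t in lookup(domain, "TXT")
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return "None"  # no published v=spf1 data (spf2.0 / Sender ID records do not count)
    if len(records) > 1:
        raise PermError("multiple v=spf1 records")

    for term in records[0].split()[1:]:
        if "=" in term:  # modifiers such as exp= or redirect= are not handled here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                raise PermError(f"bad {name} argument: {arg}")
            matched = ip.version == net.version and ip in net
        elif name in ("a", "mx"):
            # "a:mailers.companyabc.com" means: the A/AAAA records of that host are allowed
            target, _, cidr = arg.partition("/")
            target = target or domain
            hosts = lookup(target, "MX") if name == "mx" else [target]
            prefix = int(cidr) if cidr else ip.max_prefixlen
            matched = False
            for host in hosts:
                for addr in lookup(host, "A") + lookup(host, "AAAA"):
                    addr = ipaddress.ip_address(addr)
                    if addr.version == ip.version and ip in ipaddress.ip_network(
                            f"{addr}/{prefix}", strict=False):
                        matched = True
        elif name == "include":
            sub = _check_host(ip, arg, depth + 1)
            if sub == "None":
                raise PermError(f"include:{arg} has no SPF record")
            matched = sub == "Pass"  # only a Pass from the included record matches
        else:
            raise PermError(f"unknown mechanism: {name}")

        if matched:
            return QUALIFIERS[qualifier]  # the sign in front of "all" decides the final result
    return "Neutral"  # record ended without a match and without a redirect


def spf_filter_inputs(client_ip, mail_from, helo):
    """Mirror the inputs the text describes: connecting IP, envelope MAIL FROM,
    and HELO, which is used only when MAIL FROM carries no domain.
    Localhost is never checked."""
    if ipaddress.ip_address(client_ip).is_loopback:
        return "NotChecked"
    sender = mail_from.strip("<> ")
    domain = sender.rpartition("@")[2] if "@" in sender else helo
    return check_host(client_ip, domain)
```

Running `spf_filter_inputs("203.0.113.7", "xyz@CompanyABC.com", "mail.example")` against the constructed table gives Pass via the ip4 mechanism, `check_host("192.0.2.9", "companyabc.com")` gives Fail because the record ends in "-all", and the same IP against relay.example gives SoftFail because that record ends in "~all". The spf2.0 record is treated as if no record were published, and the malformed ip4 argument produces PermError, matching the version and error-condition notes above.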
Determining which IP to use for SPF lookup
An email will contain several Received lines, one for each SMTP hop performed in order to arrive at its destination. It is important that the correct IP is used to perform the SPF check. This IP must be the external IP that connects to the internal SMTP server for the first time.
Keep in mind that the EmailPrefetch module takes care of all the functionality required to extract and list the IPs from the Received headers of the email being processed. The EmailPrefetch debug log will list all the IP addresses which will be iterated for the SPF check. If perimeter SMTP servers are set in the configuration, the following applies:
- All public perimeter IPs should be included in the GFI MailEssentials configuration, as MailEssentials will search for them when parsing message headers.
- Confirm which DNS server MailEssentials uses. In most cases, this will be an internal DNS server. If you have an external zone in your internal DNS server, then you need to set up the SPF record for your domain in the DNS records of your internal DNS server as well as the external one.
- The SPF filter is NOT enabled by default and it is recommended to enable this option and to have this filter running prior to the Email Whitelist so as to block forged senders before these are whitelisted.
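The section above says the SPF check must run against the external IP that first connected to the perimeter, which is why the perimeter servers must be listed in the configuration. The following added example (illustration code, not the EmailPrefetch module's own code) shows one way to select that IP: walk the Received trace from the newest hop downwards, skip hops that come from one of the configured perimeter servers, and stop at the first hop that does not. The message and its hostnames and addresses are constructed for the example; note that the bottom Received line was written by the sending side and is never reached, which is the point of stopping at the first non-perimeter hop.

```python
"""Select the SPF client IP from Received headers given the perimeter servers.

Added illustration, not the EmailPrefetch module's code.  Walks the Received
trace from the newest hop down, skips hops whose sending host is one of the
configured perimeter IPs, and returns the first hop that is not ours: the
external host that first connected to the perimeter.  Hops below that were
written by other parties and cannot be trusted.
"""
import email
import ipaddress
import re
from email import policy

# Constructed sample message (documentation addresses, invented names).
# The top Received line is the newest hop: perimeter -> MailEssentials host.
RAW_MESSAGE = """\
Received: from perimeter.companyabc.com (perimeter.companyabc.com [203.0.113.10])
 by mailessentials.companyabc.internal (10.0.0.5) with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.25])
 by perimeter.companyabc.com with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
Received: from [192.168.7.7] (unknown [192.168.7.7])
 by mail.sender.example with ESMTPSA; Mon, 1 Jan 2024 10:00:00 +0000
From: xyz@companyabc.com
To: someone@companyabc.com
Subject: constructed sample

body
"""

IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def received_hops(raw_message):
    """Return a list of (from_ip, by_host) for each Received header, newest first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", str(value))  # unfold continuation lines
        m = re.match(r"from (.+?) by (\S+)", value, re.IGNORECASE)
        if not m:
            continue  # e.g. a "Received: by ..." line with no "from" clause
        ip_match = IP_IN_BRACKETS.search(m.group(1))
        if not ip_match:
            continue
        try:
            ip = ipaddress.ip_address(ip_match.group(1))
        except ValueError:
            continue  # garbage inside the brackets; not a usable hop
        hops.append((str(ip), m.group(2)))
    return hops


def spf_client_ip(raw_message, perimeter_ips):
    """Return the IP to hand to the SPF check: the newest hop whose sending host
    is not one of our configured perimeter servers, or None if there is none."""
    ours = {str(ipaddress.ip_address(p)) for p in perimeter_ips}
    for from_ip, _by_host in received_hops(raw_message):
        if from_ip in ours:
            continue  # a hop between our own servers; keep walking down the trace
        return from_ip
    return None


if __name__ == "__main__":
    print("perimeter configured:", spf_client_ip(RAW_MESSAGE, {"203.0.113.10"}))
    print("perimeter missing:   ", spf_client_ip(RAW_MESSAGE, set()))
```

With the perimeter address 203.0.113.10 configured, the function returns 198.51.100.25, the sender's mail server that connected to the perimeter. With an empty perimeter list it returns 203.0.113.10 instead, i.e. the SPF check would be run against your own perimeter server and every external sender would be evaluated against the wrong IP; this is the failure the note about including all public perimeter IPs in the configuration is warning about.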
- Enabling the Sender Policy Framework
- How to check and read a Sender Policy Framework record for a domain
- How to determine why the Sender Policy Framework spam filter blocked or allowed a message
- How to create a Sender Policy Framework (SPF) record
- What are the different results in Sender Policy Framework?