Publish an SPF policy to the DNS zone (Fripost wiki, tracker)

We need to create a new subdomain, outgoing.fripost.org, whose A and AAAA records point to the machines currently serving as outgoing SMTP servers. Then we would add the following records to the DNS zone (RFC 4408 section 3.1.1 recommends publishing both SPF and TXT records with identical content; note that RFC 7208, which has since obsoleted RFC 4408, deprecates the SPF record type and requires the policy to be published as TXT, so the TXT record is the one receivers actually rely on):

outgoing.fripost.org IN SPF "v=spf1 a ~all"
outgoing.fripost.org IN TXT "v=spf1 a ~all"
fripost.org          IN SPF "v=spf1 redirect=outgoing.fripost.org"
fripost.org          IN TXT "v=spf1 redirect=outgoing.fripost.org"

That essentially means that whenever someone receives a message whose envelope sender (the SMTP MAIL FROM address, which is what SPF checks, not the From: header) is a @fripost.org address, they can conclude that the address has not been spoofed (or, at worst, has been spoofed by another Fripost member, since SPF authenticates the sending host rather than the user) if the message came from outgoing.fripost.org, i.e. was sent from the webmail or the Mail Submission Agent, or was relayed by us because it was the target of an alias or sent through a subscribed list. Otherwise the result is softfail: the policy says the host is probably not authorized, but the receiver is advised not to reject on that basis alone, so things are much as if there were no SPF policy at all. With that information at hand, the recipient may for instance decide to classify the message as SPAM or HAM.

If we were to disallow messages from @fripost.org addresses being sent from anything other than the hosts outgoing.fripost.org points to (we probably won't), we could replace the trailing ~all (softfail) by -all (fail). Note that -all also makes mail fail when a third party forwards it while keeping the original @fripost.org envelope sender, which is the usual reason to stay with softfail.

Having an SPF policy for Fripost is also useful for domains that use fripost.org's servers as their MX. For instance, to allow @example.org messages to be sent from either fripost.org's outgoing machines (without having to know a priori which those are, hence our policy is pulled in by reference with include: rather than copied) or from the hosts in example.org's own A/AAAA records, but from nowhere else:

example.org IN SPF "v=spf1 ?include:fripost.org a -all"
example.org IN TXT "v=spf1 ?include:fripost.org a -all"

Hopefully one day we'll have DNSSEC, defeating DNS spoofing. Then the qualifier could be changed to something tighter, so that a message matching our policy yields pass instead of neutral:

example.org IN SPF "v=spf1 include:fripost.org a -all"
example.org IN TXT "v=spf1 include:fripost.org a -all"

Here too the default action -all (fail) could be replaced by ~all (softfail) to allow mail from @example.org addresses to be sent from other locations, without asserting that it isn't spoofed in that case.

If example.org has no A/AAAA records, or if the machines they point to are not supposed to relay mail to the outside, one may prefer to simply defer to our policy with redirect=:

example.org IN SPF "v=spf1 redirect=outgoing.fripost.org"
example.org IN TXT "v=spf1 redirect=outgoing.fripost.org"
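To make the evaluation of these records concrete, here is a small SPF checker, added here as an example rather than Fripost's own code, covering both the fripost.org/outgoing.fripost.org policy above and the three customer variants (?include:, include: and redirect=). It implements only the subset of RFC 4408 those records use: the "a", "all" and "include:" mechanisms, the "redirect=" modifier and the four qualifiers. DNS lookups go to a constructed in-memory table so it runs offline; every IP address in it is invented, only the TXT records mirror the page, and example.com/example.net are hypothetical domains standing in for the tighter and the redirect-only variants.

```python
"""Minimal SPF evaluator for the records discussed on this page.

Added example, not Fripost's code. It implements just the subset of
RFC 4408 those records use: the "a", "all" and "include:" mechanisms,
the "redirect=" modifier and the "+", "-", "~", "?" qualifiers.
Lookups go to a constructed in-memory DNS table instead of the network,
so the script runs offline; every address below is invented.
"""
import ipaddress

# Constructed zone data (hypothetical addresses; only the TXT records
# mirror the page). example.org/.com/.net hold the three customer variants.
DNS = {
    "outgoing.fripost.org": {"A": ["192.0.2.10", "192.0.2.11"],
                             "AAAA": ["2001:db8::10"],
                             "TXT": ["v=spf1 a ~all"]},
    "fripost.org":          {"A": ["192.0.2.1"],
                             "TXT": ["v=spf1 redirect=outgoing.fripost.org"]},
    "example.org":          {"A": ["198.51.100.5"],
                             "TXT": ["v=spf1 ?include:fripost.org a -all"]},
    "example.com":          {"A": ["198.51.100.5"],
                             "TXT": ["v=spf1 include:fripost.org a -all"]},
    "example.net":          {"TXT": ["v=spf1 redirect=outgoing.fripost.org"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10  # RFC 4408 section 10.1: cap on a/mx/include/redirect lookups


def lookup(name, rrtype):
    return DNS.get(name.lower(), {}).get(rrtype, [])


def spf_record(domain):
    """The domain's single v=spf1 TXT record, or None (RFC 4408 section 4.5)."""
    found = [r for r in lookup(domain, "TXT")
             if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return found[0] if len(found) == 1 else None


def ip_in_a_records(ip, domain):
    """The "a" mechanism: does ip equal one of domain's A (or AAAA) records?"""
    rrtype = "AAAA" if ip.version == 6 else "A"
    return any(ip == ipaddress.ip_address(addr) for addr in lookup(domain, rrtype))


def check_host(ip, domain, budget=None):
    """RFC 4408 section 4 check_host(): returns pass, fail, softfail,
    neutral, none or permerror for a connection from ip claiming domain."""
    if budget is None:
        budget = [MAX_DNS_MECHANISMS]  # shared across include/redirect recursion
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]  # modifier: only used if nothing matches
            continue
        qualifier, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("a", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"            # too many DNS-querying mechanisms
            if name == "a":
                matched = ip_in_a_records(ip, arg or domain)
            else:
                inner = check_host(ip, arg, budget)
                if inner in ("none", "permerror"):
                    return "permerror"        # included domain must have a valid record
                matched = inner == "pass"     # only an inner pass counts as a match
        else:
            return "permerror"                # mechanism outside this toy's subset
        if matched:
            return QUALIFIERS[qualifier]      # the qualifier decides the result
    if redirect is not None:
        budget[0] -= 1
        if budget[0] < 0:
            return "permerror"
        result = check_host(ip, redirect, budget)
        return "permerror" if result == "none" else result
    return "neutral"  # nothing matched and no redirect (RFC 4408 section 4.7)


def spf_result(ip_text, domain):
    """Convenience wrapper taking the connecting address as text."""
    return check_host(ipaddress.ip_address(ip_text), domain)


if __name__ == "__main__":
    for ip, domain in [("192.0.2.10", "fripost.org"), ("203.0.113.7", "fripost.org"),
                       ("192.0.2.10", "example.org"), ("192.0.2.10", "example.com"),
                       ("198.51.100.5", "example.org"), ("203.0.113.7", "example.org"),
                       ("2001:db8::10", "example.net")]:
        print(f"{ip:>14} claiming {domain:<12} -> {spf_result(ip, domain)}")
```

Running it shows the point made about the ? qualifier: the same message from one of our (constructed) outgoing addresses gets pass for fripost.org and for the include: variant, but only neutral for the ?include: variant, while a message from an unknown host gets softfail under our own policy and fail under example.org's -all. Against the live zone the published records can be inspected with `dig +short TXT fripost.org` and `dig +short TXT outgoing.fripost.org`.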

References: RFC 4408 and RFC 6652 (RFC 7208 has since obsoleted RFC 4408); see also the Wikipedia page on SPF.

closed

