We need to create a new subdomain outgoing.fripost.org whose A and AAAA records point to the machines currently serving as outgoing SMTP servers. Then we would add the following records to the DNS zone (RFC 4408 section 3.1.1 recommends publishing both SPF and TXT records, with identical content):
outgoing.fripost.org IN SPF "v=spf1 a ~all"
outgoing.fripost.org IN TXT "v=spf1 a ~all"
fripost.org IN SPF "v=spf1 redirect=outgoing.fripost.org"
fripost.org IN TXT "v=spf1 redirect=outgoing.fripost.org"
That essentially means that whenever someone receives a message from a @fripost.org address, we can say the address hasn't been spoofed (or has been spoofed by another Fripost member) if the message originated from outgoing.fripost.org (i.e., was sent from the webmail or the Mail Submission Agent, or was the target of an alias or of a list subscription). Otherwise, things are as if there were no SPF policy at all. With that information at hand, the recipient may decide to classify the message as spam or ham, for instance.
If we were to disallow (we probably won't) messages from @fripost.org addresses being sent from anything other than what outgoing.fripost.org points to, we could replace the trailing ~all (softfail) by -all (fail).
Having an SPF policy for Fripost is also useful for domains using fripost.org as their MX. For instance, to allow @example.org messages to be sent either from fripost.org's outgoing machines (without knowing a priori what they are, hence fripost.org's SPF policy is included by reference) or from the hosts in example.org's A/AAAA records, but from nothing else:
example.org IN SPF "v=spf1 ?include:fripost.org a -all"
example.org IN TXT "v=spf1 ?include:fripost.org a -all"
Hopefully one day we'll have DNSSEC, defeating DNS spoofing. Then the qualifier could be changed to something tighter:
example.org IN SPF "v=spf1 include:fripost.org a -all"
example.org IN TXT "v=spf1 include:fripost.org a -all"
Here too the default action -all (fail) could be replaced by ~all (softfail) to allow mail from @example.org addresses to be sent from other locations, but without asserting that it isn't spoofed in that case.
If example.org has no A/AAAA records, or if the machines they point to are not supposed to relay mail to the outside, one may prefer to merely copy our policy:
example.org IN SPF "v=spf1 redirect=outgoing.fripost.org"
example.org IN TXT "v=spf1 redirect=outgoing.fripost.org"
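As an added example (not part of this wiki page or of Fripost's tooling), here is a minimal evaluator for the subset of RFC 4408 used above, run against an in-memory copy of the records; the host IP addresses are constructed sample values. It shows why ?include:fripost.org yields neutral rather than pass for mail relayed through our outgoing machines, while the tighter include:fripost.org yields pass.

```python
# Added example, not part of the Fripost wiki: evaluator for the subset of
# RFC 4408 used above ("a", "include" with qualifiers, "redirect", "all"),
# run against an in-memory zone. IP addresses are constructed sample values.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone: name -> record type -> record data
ZONE = {
    "outgoing.fripost.org": {"TXT": ["v=spf1 a ~all"],
                             "A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "fripost.org": {"TXT": ["v=spf1 redirect=outgoing.fripost.org"]},
    "example.org": {"TXT": ["v=spf1 ?include:fripost.org a -all"],
                    "A": ["198.51.100.5"]},
}

def lookup(zone, name, rrtype):
    return zone.get(name, {}).get(rrtype, [])

def check_host(ip, domain, zone=ZONE, depth=0):
    """SPF result for a message from `ip` with a MAIL FROM address @domain."""
    if depth > 10:                       # RFC 4408 section 10.1 lookup limit
        return "permerror"
    records = [r for r in lookup(zone, domain, "TXT") if r.startswith("v=spf1")]
    if not records:
        return "none"                    # no policy: same as having no SPF at all
    redirect = None
    for term in records[0].split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech == "a":                  # sender is one of the domain's A/AAAA
            matched = ip in lookup(zone, domain, "A") + lookup(zone, domain, "AAAA")
        elif mech.startswith("include:"):
            # include matches only if the target policy would "pass"; the result
            # is the include's own qualifier, so "?include" turns that pass into neutral
            target = mech.split(":", 1)[1]
            matched = check_host(ip, target, zone, depth + 1) == "pass"
        else:
            return "permerror"           # mechanisms not used on this page
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:                         # consulted only when nothing matched
        result = check_host(ip, redirect, zone, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"                     # RFC 4408 default when nothing matched
```

Pass a modified copy of ZONE as the third argument to try the include: or ~all variants discussed above.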
References: RFCs 4408 and 6652; see also the Wikipedia page.