
I'm trying to set up SPF for our domain to prevent or reduce spoofing. The difficulty I'm having is with how to look at any particular email and determine if it would pass SPF.

We of course know which internal mail servers we have that are sending mail for our domain. The problem is finding the external ones, like constant-contact, etc, that have been used by the marketing folks to send mail as users in our domain that should be included in our SPF record.

I understand it analyzes the "MAIL FROM" data and references it with the IP address of the connecting server. Oftentimes I see "MAIL FROM" something like "user@ac.example.com" but the mail is actually "From: user@example.com", yet it passes SPF.

When checking to see if a particular email would pass an SPF test, how is the "From:" field considered, when "MAIL FROM" is the real return-path sender?

Alex Regan
    SPF checking only uses the `MAIL FROM` portion, not the `From:` header. See http://serverfault.com/questions/369460/what-are-spf-records-and-how-do-i-configure-them – masegaloeh Sep 25 '15 at 05:37
  • As masegaloeh says, SPF has nothing to say about the `From:` header; that is entirely down to DMARC. It acts only on the `MAIL FROM`, aka envelope-from, field. – MadHatter Sep 25 '15 at 06:20
  • So it's still possible for someone to send an email pretending to be "From: user@domain.com" even though they have an SPF record? It hasn't been my experience where mail is rejected just for failing an SPF check. – Alex Regan Sep 25 '15 at 14:05
  • -all reject hasn't gotten the respect it deserves from many large mailbox providers; you may want to use a DMARC policy of reject once you are established – Jacob Evans Sep 26 '15 at 13:44

2 Answers


Easy: set up a DMARC policy. I recommend dmarcian as an XML parser for those reports. DMARC was designed specifically for this, Authentication and REPORTING!! Set your policy to none so you don't reject any emails yet. Example:

_dmarc.example.org. IN TXT "v=DMARC1; p=none; rua=mailto:zskpakdq@ag.dmarcian.com;"

If you want to start checking if your SPF matches without causing errors in flow, use

?all

Also, if you are going to use DMARC on an ongoing basis, you'll want to start signing your mail with DomainKeys (DKIM), which will help you manage forwarders.

Jacob Evans

SPF just checks that an email originated from a listed server IP (`ip4:a.b.c.d`) or, via the `mx` or `a` mechanisms, from a domain's MX or A records.

It does not verify the @example.com part.

So if the @example.com mail server is 1.1.1.1 and the mail was sent from server 1.1.1.1, your mail server would accept it. However, if the mail was actually sent from 1.1.1.2, it would be flagged as spam.

Since spammers don't have access to the domain's DNS records, using SPF records helps verify the originating servers.

exxboast7
    Thanks so much for your help. How about the case where I'm receiving mail from my own domain from an external server? I don't understand the role "MAIL FROM" plays in this. You don't mention anything about that aspect of how it works. – Alex Regan Sep 25 '15 at 01:38
  • Your server must do a sender validation or SPF check. This is done by your spam filter in most cases. – Jacob Evans Sep 26 '15 at 13:33
  • @AlexRegan `MAIL FROM example.com` means that the TXT record from example.com is used for SPF. – Jacob Evans Sep 27 '15 at 19:04
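The following is an added worked example, not code from the question or from either answer, that ties the two answers together: it evaluates an SPF record the way the second answer describes (`ip4`, `a`, `mx`, `include`, `-all`/`~all`/`?all` qualifiers) against the `MAIL FROM` domain only, then applies the DMARC alignment check from the first answer to decide whether that SPF pass actually says anything about the `From:` header. DNS is replaced by a constructed in-memory zone so it runs offline; every domain, address and record in it is hypothetical (documentation IP ranges), the organizational-domain logic is a last-two-labels simplification of the Public Suffix List rule, and DKIM is deliberately left out, so the DMARC verdict rests on SPF alone. It reproduces the questioner's observation: envelope `ac.example.com` passes SPF, and under relaxed alignment (`aspf=r`) that pass also counts for a `From:` at `example.com`, while a third party whose own domain passes SPF does not align and fails DMARC.

```python
import ipaddress

# Constructed in-memory "DNS" zone for this example (hypothetical hosts; 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges). No real lookups happen.
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 mx ip4:192.0.2.10 include:_spf.mailvendor.example -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["192.0.2.25"]},
    "ac.example.com": {"TXT": ["v=spf1 include:_spf.mailvendor.example ~all"]},
    "_spf.mailvendor.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "evil.example": {"TXT": ["v=spf1 ip4:203.0.113.5 -all"]},
    "_dmarc.example.com": {"TXT": ["v=DMARC1; p=none; aspf=r; rua=mailto:dmarc@example.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, zone=ZONE):
    return zone.get(name.lower(), {}).get(rtype, [])


def ip_in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_spf(domain, ip, zone=ZONE, depth=0):
    """SPF result for `domain` and the connecting IP. Handles all/ip4/ip6/a/mx/include
    and redirect=; macros and exists: are not modelled (they return permerror)."""
    if depth > 10:                                  # stand-in for the RFC 7208 lookup limit
        return "permerror"
    records = [t for t in lookup(domain, "TXT", zone) if t.lower().startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        if "=" in term:                             # modifier, not a mechanism
            if term.lower().startswith("redirect="):
                return check_spf(term.split("=", 1)[1], ip, zone, depth + 1)
            continue                                # unknown modifiers are ignored
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif name == "a":
            matched = any(ip_in(ip, a) for a in lookup(arg or domain, "A", zone))
        elif name == "mx":
            matched = any(ip_in(ip, a) for mx in lookup(arg or domain, "MX", zone)
                          for a in lookup(mx, "A", zone))
        elif name == "include":
            matched = check_spf(arg, ip, zone, depth + 1) == "pass"
        else:
            return "permerror"                      # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                                # nothing matched and no 'all' term


def org_domain(domain):
    # Simplification: real DMARC uses the Public Suffix List; here the last two labels.
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_policy(from_domain, zone=ZONE):
    for txt in lookup("_dmarc." + org_domain(from_domain), "TXT", zone):
        if txt.lower().startswith("v=dmarc1"):
            pairs = (kv.split("=", 1) for kv in txt.split(";") if "=" in kv)
            return {k.strip().lower(): v.strip() for k, v in pairs}
    return None


def aligned(auth_domain, from_domain, mode="r"):
    """DMARC alignment: strict ('s') is an exact match, relaxed ('r') is same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(mail_from, header_from, ip, zone=ZONE):
    """SPF runs on the envelope (MAIL FROM) domain only; DMARC then asks whether that
    domain aligns with the From: header domain. DKIM is not modelled here."""
    env_domain = mail_from.rsplit("@", 1)[1]
    from_domain = header_from.rsplit("@", 1)[1]
    spf = check_spf(env_domain, ip, zone)
    policy = dmarc_policy(from_domain, zone)
    mode = (policy or {}).get("aspf", "r")
    spf_aligned = spf == "pass" and aligned(env_domain, from_domain, mode)
    return {
        "spf": spf,
        "spf_aligned": spf_aligned,
        "dmarc": "none" if policy is None else ("pass" if spf_aligned else "fail"),
        "policy": (policy or {}).get("p", "none"),
    }


if __name__ == "__main__":
    # The questioner's case: vendor envelope ac.example.com, header From: example.com
    print(evaluate("bounce@ac.example.com", "user@example.com", "198.51.100.7"))
    # Spoof: the attacker's own domain passes SPF, but it is not aligned with From:
    print(evaluate("x@evil.example", "ceo@example.com", "203.0.113.5"))
```

Two things the run makes visible. First, an SPF `pass` on its own never vouches for the `From:` header; the second call passes SPF and still fails DMARC because `evil.example` does not align with `example.com`. Second, with `p=none` the verdict is reported but nothing is rejected, which is exactly the monitoring phase the first answer recommends for discovering vendors such as the marketing platform before moving to `p=quarantine` or `p=reject`; switching the record to `aspf=s` makes the `ac.example.com` case fail alignment too, which is why subdomain envelopes used by third-party senders are usually kept on relaxed alignment.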