SPF - that is just limiting what IPs are allowed to relay?

0

Am I missing something, or is SPF simply a way to say "only clients on the following networks are allowed to send email through this server"?

Which - for a Comcast or someone who owns the IPs for all of its customers, can say "you must be within my network in order to send any emails through me"?

Or am I totally misunderstanding this?

My scenario is I am configuring a Synology NAS to run an email server and I definitely want to allow my laptop to send emails through my SMTP server no matter where I happen to be connecting from.

So if SPF is just limiting me such that I must be within some IP zone before I can send through it - then how is that useful?

Or is it saying that the sender's domain must be within the listed records? Such as: sender@foo.bar can only relay through this SMTP server if foo.bar is a valid SPF record?

I must be misunderstanding something?

Mordachai

Posted 2018-10-16T14:02:49.507

Reputation: 123

2

Have you already read the Wikipedia Page about SPF? https://en.wikipedia.org/wiki/Sender_Policy_Framework

– konqui – 2018-10-16T14:05:51.660

I'm reading that and a couple of other articles and trying to make heads or tails of it all :) I'm normally a C++ guy, not an SMTP expert, and my mind is melting! ;) – Mordachai – 2018-10-16T14:17:04.623

Answers

3

Wikipedia Sender Policy Framework :

Sender Policy Framework (SPF) is an email validation protocol designed to detect and block email spoofing by providing a mechanism to allow receiving mail exchangers to verify that incoming mail from a domain comes from an IP Address authorized by that domain's administrators. The list of authorized sending hosts and IP addresses for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses and domains, so publishing and checking SPF records can be considered one of the most reliable and simple to use anti-spam techniques.

This just means that if you are sending email from a domain, your IP address must be declared as a valid e-mailer by the domain owner. Not passing the SPF check does not normally block your email, but you might find that your messages are classified as spam.

harrymc

Posted 2018-10-16T14:02:49.507

Reputation: 306 093

Which IP? The IP of the stated sender (name@domain.net), or the actual IP of the client attempting the send (where a given computer is on the inet)? or the IP of the sending server itself (which maybe is Outlook in some cases or any other email client, or maybe is a email server which is relaying a message?) – Mordachai – 2018-10-16T14:20:16.410

The actual IP of the sender. All header fields in the message can be (and often are) hacked, so cannot be trusted. – harrymc – 2018-10-16T14:21:55.297

@Mordachai: The check happens during transfer to the recipient domain. Therefore the 'sender' is the final server that still belongs to the originating domain, the one which talks directly to the receiving domain's SMTP servers. – user1686 – 2018-10-16T14:40:13.280

@grawity: This isn't very precise, because the final sender in the domain is often shared by all the computers of the domain. This makes everybody become an authorized emailer... – harrymc – 2018-10-16T14:48:49.723

@harrymc actually, it is the server that emails that is the sender. If you use an Exchange server, the Exchange server can be the sender, or an SMTP server can be used. Either you set the SPF record to the IP address of the Exchange server, or the SMTP server. If you have IMAP, then the SMTP server for that IMAP should be used, and that IP address can be listed. That is usually the server the mail hosts on. It can also be the SMTP server from the ISP the person is on, but that is never a good thing to do if you also work with SPF records. – LPChip – 2018-10-16T14:50:04.463

@harrymc: If the server in question has no authorization requirements whatsoever, then yes, sure. But practically no mail servers are fully open for relay anymore: at minimum they either require being in the same IP range, or authenticating via username/password, or something similar. (For example, you cannot submit messages to Gmail's SMTP servers for relaying to another domain unless you authenticate with your Gmail account.) – user1686 – 2018-10-16T14:58:54.177

1

You are not understanding SPF records.

SPF records are a way to verify which IP addresses are supposed to be able to send emails.

When you set up an SPF record, anyone that checks the record will think: okay, they actually tell me here what IP addresses are allowed to send mail, so I can double check against the person that is mailing here.

So basically, when you send out an email to another server, that server can have a spam filter where the spam filter checks the SPF record, and if the record does not confirm that you are sending the email, the spam filter can decide to reject your email.

That also means that if the server you are sending email to does not have a spam filter, the email will come through even if the SPF record does not state your IP address.

The SPF record, therefore, is a guide for spam filters, not a method to actually block emails.

Now, you may wonder when you would need an SPF record, because wouldn't email always be sent from your server anyway? No, it wouldn't. Anyone can spoof the headers of an email and make it seem like it came from your server while it actually doesn't. The spam filter then does a domain name lookup, finds the SPF record, matches it with the IP address of this scammer, sees it doesn't match, and flags the mail as spam.

LPChip

Posted 2018-10-16T14:02:49.507

Reputation: 42 190

Okay - so then if I want to tell other servers "hey, all emails claiming to be from my-domain.com must come from my email server mail.my-domain.com's IP" then I can say "v=spf1 mx -all" --- which translates as "only my MX IP is authorized to send email for this domain"? – Mordachai – 2018-10-16T16:48:56.533
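As an added illustration (not part of the original thread, and not code from any of the posters), the following Python script does what both answers above describe: the receiving server takes the IP address of the SMTP peer that connected to it, looks up the SPF TXT record for the domain in MAIL FROM, and walks the mechanisms left to right until one matches. Every domain, address and DNS entry here is constructed for the example (documentation ranges, a stand-in dictionary instead of real DNS queries) so that it runs offline; it also includes the `v=spf1 mx -all` record proposed in the comment above under a hypothetical domain, to show that the laptop's own IP never enters the check as long as the laptop submits through the NAS, because the NAS is then the connecting IP at the recipient. Only the mechanisms all, ip4, ip6, a, mx and include are implemented; modifiers are skipped and anything else yields permerror.

```python
import ipaddress

# Constructed stand-in for DNS. All names and addresses are hypothetical
# (RFC 5737/3849 documentation ranges); a real checker issues TXT/MX/A/AAAA queries.
FAKE_DNS = {
    "txt": {
        "example.org": "v=spf1 mx ip4:203.0.113.0/24 a:relay.example.org -all",
        "mordachai.example": "v=spf1 mx -all",              # record proposed in the comment
        "softfail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
        "include.example": "v=spf1 include:example.org -all",
    },
    "mx": {
        "example.org": ["mail.example.org"],
        "mordachai.example": ["mail.mordachai.example"],
    },
    "a": {
        "mail.example.org": ["198.51.100.10"],
        "relay.example.org": ["198.51.100.20"],
        "mail.mordachai.example": ["192.0.2.25"],           # the NAS's public IP (hypothetical)
    },
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def host_addresses(host, dns):
    """A/AAAA lookup against the constructed DNS table."""
    return [ipaddress.ip_address(a) for a in dns["a"].get(host, [])]


def check_spf(client_ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate the SPF record of `domain` against the IP that connected to us.

    `client_ip` is the address of the peer SMTP connection, never anything taken
    from the message headers (those are attacker-controlled). Returns one of the
    RFC 7208 result strings: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                          # RFC 7208 limits include recursion
        return "permerror"
    record = dns["txt"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                       # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:         # skip the "v=spf1" version tag
        if "=" in term:                     # modifier (redirect=, exp=): not handled here
            continue
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")

        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # membership is False when the address family differs, so an IPv6
            # client never matches an ip4: mechanism
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = ip in host_addresses(arg or domain, dns)
        elif mech == "mx":
            mx_hosts = dns["mx"].get(arg or domain, [])
            matched = any(ip in host_addresses(h, dns) for h in mx_hosts)
        elif mech == "include":
            matched = check_spf(client_ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"              # ptr, exists or an unknown mechanism

        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                        # nothing matched and no "all" term


if __name__ == "__main__":
    # The NAS itself talks to the recipient: its IP is what gets checked.
    print(check_spf("192.0.2.25", "mordachai.example"))     # pass
    # A forger (or the laptop mailing directly from a hotel) fails the -all.
    print(check_spf("203.0.113.9", "mordachai.example"))    # fail
    print(check_spf("192.0.2.5", "softfail.example"))       # softfail
    print(check_spf("192.0.2.5", "nospf.example"))          # none
```

Two things the code makes concrete that the prose only states: the decision is made by the receiving side, and the only input is the connection's source address plus the MAIL FROM domain, so authentication between the laptop and the NAS (submission on port 587 with a username and password) is an entirely separate control from SPF. The result is advisory; whether "fail" means reject, quarantine or just a score bump is up to the receiving spam filter's policy.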