The Sender Policy Framework (SPF) ensures that email sent from a domain is allowed to be sent from the server it originates from.

In the past, it was quite easy to spoof an email sender domain (for example, bill.gates@microsoft.com). Since this was a huge problem for companies and for internet communication as a whole, SPF was introduced. SPF ensures that the servers sending mail for a certain domain are fully qualified and allowed to send emails for that domain. With SPF in place, an attacker might not be able to spoof your company's email address to send "faked" information to other people.

 

Implementing SPF is quite easy and does not cost a single cent. We are talking about a DNS lookup (done by your system to verify that other systems' sending servers are approved) and a DNS record on your domain, which tells other people which server(s) you trust to send email for you.

Sounds easy? It is!

This HOW-TO gives you step-by-step instructions on how to enable SPF for your email system and your domains.

Part 1: enable checking on your postfix system so you do not receive forged-domain spam

Part 2: secure your domain(s), so an attacker is no longer able to abuse your domains for spoofed emails

 

Further reading regarding SPF can be found here: www.openspf.org/Introduction

 

Part #1  – SPF – verify incoming email on your mailserver (postfix)

To ensure your mailserver does not get hit by emails from forged domains, SPF checking is the thing you want to enable.

This does NOT protect your own domains from being used by a foreign server. This part only stops your server from accepting forged-domain spam.

Step 1

Install the SPF Checker for postfix

apt-get install postfix-policyd-spf-python

Step 2

Edit your /etc/postfix/master.cf

policyd-spf  unix  -       n       n       -       0       spawn
    user=policyd-spf argv=/usr/bin/policyd-spf

 

Step 3

Edit your /etc/postfix/main.cf

policyd-spf_time_limit = 3600
smtpd_recipient_restrictions =
    ...
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf,
    ...

Make sure you put the check_policy_service unix:private/policyd-spf line after the reject_unauth_destination line, so that you do not become an open relay to the world.

 

Step 4

Finally, do not forget to reload / restart your postfix

/etc/init.d/postfix restart

 

Step 5

If you find the following in the headers of a received email, your SPF check is working properly:

Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=209.85.216.181; helo=mail-qt0-f181.google.com; envelope-from=yourmailaddress@gmail.com; receiver=info@miyw.de

 

Step 6 (optional)

Instead of blocking wrong SPF senders (the default behaviour), you can just let python-spf tag them for SpamAssassin.

Edit /etc/postfix-policyd-spf-python/policyd-spf.conf and set

HELO_reject = False
Mail_From_reject = False

This will accept emails with wrong SPF, but SA will mark them as spam afterwards.

(All steps have been tested on Debian 8 jessie.)

 

Part #2 – Protect your own domain(s) with SPF records

Protecting your domain(s) with SPF

Step 1

Create a TXT record for your domain. The simplest way to achieve that would be as follows:

v=spf1 mx -all

As a TXT record, this line states that all servers listed as MX records for your domain are allowed to send mail (mx) and all other servers are declined (-all).

Another example could be the following:

v=spf1 mx a:mail.miyw.de -all

This line allows all MX records as well as the additional domain (a:mail.miyw.de) to send email; once again, all other servers are declined (-all).

Find the whole “spf Record” syntax explained here: www.openspf.org/SPF_Record_Syntax
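
How a receiving server evaluates records like these, as an added Python example (not part of the original post and not the code of postfix-policyd-spf-python). It covers only the mx, a and all terms used above and runs against constructed DNS data for the placeholder domain example.org; check_spf, host_ips and ZONE are names made up for the example.

```python
import ipaddress

# Constructed DNS data (documentation-range addresses) standing in for live lookups.
ZONE = {
    ("example.org", "MX"): ["mx1.example.org"],
    ("mx1.example.org", "A"): ["192.0.2.10"],
    ("mail.example.org", "A"): ["192.0.2.25"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def host_ips(name, zone):
    """A records of one host name, as ip_address objects."""
    return {ipaddress.ip_address(a) for a in zone.get((name.lower(), "A"), [])}

def check_spf(record, domain, client_ip, zone=ZONE):
    """Evaluate the mx / a / all subset of an SPF record, left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # a bare mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, target = term.partition(":")
        target = target or domain          # "mx" alone means the sender's domain
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in host_ips(target, zone)
        elif mech == "mx":
            mx_hosts = zone.get((target.lower(), "MX"), [])
            matched = any(ip in host_ips(h, zone) for h in mx_hosts)
        else:
            raise ValueError(f"term not covered by this example: {term}")
        if matched:
            return QUALIFIERS[qualifier]   # first match decides the result
    return "neutral"                       # nothing matched and no "all" term

if __name__ == "__main__":
    record = "v=spf1 mx a:mail.example.org -all"
    for ip in ("192.0.2.10", "192.0.2.25", "203.0.113.7"):
        print(ip, check_spf(record, "example.org", ip))
```

The first matching term decides the result, which is why -all belongs at the end of the record: every server not matched earlier ends up as "fail".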

 

One more cool thing is this little site: an SPF record generator.

 

Step 2

TEST: double and, yes, triple test your settings!

Send emails from the domain you just protected with SPF to a whole bunch of mail servers.

As a test, we sent an email from our domain (info@miyw.de) to a Gmail account and got the following line in our header:

spf=pass (google.com: domain of info@miyw.de designates 31.7.178.74 as permitted sender) smtp.mailfrom=info@miyw.de

Awesome, huh?

This little page could help you as well: mxtoolbox.com

 

Any questions? Go ahead and write us!

 

A good further read: https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/