If you don't have an SPF record, you should.

What problem are we trying to solve?

It's quite common for hackers and otherwise bad people to spoof email addresses.  They scour the web, harvest domain names (and/or email addresses) and then send mail pretending to be those identities.  Are you getting rogue NDRs?  Are you getting spam that, at first glance, appears to be coming from one of your employees?  Are you getting an enormous amount of spam?  SPF and Sender ID are both designed to mitigate those occurrences.

What are Sender Policy Framework (SPF) and SenderID Framework?

These two technologies are quite similar, however there is one important distinction.  Both validate email sender addresses by performing a DNS query.  Both also require a syntactically similar TXT record that sets out the rules by which to validate the sender.  The core difference between the two lies in which component of the email message gets validated.

How does SPF work?

SPF is an open standard that specifically targets the MAIL FROM (envelope sender) and HELO identities during lookups.

How does Sender ID work?

Sender ID framework is Microsoft's patented technology derived from SPF.  The Sender ID framework can validate against the traditional SPF mechanism as well as a proprietary algorithm called the "Purported Responsible Address" (PRA).  PRA takes into account the FROM, SENDER, RESENT-FROM and RESENT-SENDER mail header fields.

At first glance, it seems that Sender ID filtering based upon PRA could provide a more intuitive determination of the sender; however, any of those header fields can be spoofed.  In my case, I generally want to stop spammers from using my domain to send viruses and phishing attempts with my company's name on them.  If we only created a record that required evaluation of the mail headers, some of those 'bad guys' would sneak through.

The good news is... the SPF record you create will tell mail servers how to validate mail originating from your domain. Now let's look at how the SPF record is formed.

How to create an SPF record?

SPF records are simply TXT DNS records.  The syntax for SPF is also valid for Sender ID, but Sender ID has a couple of additional items that don't conform to the SPF specification.  I'm only going to talk about what is the same across both frameworks.  SPF version 1 is syntactically identical for both Sender ID and SPF.  I could regurgitate information on every aspect/component/method found within the record.  Instead, I'll just show you a couple of basic records and explain the components.

example.com     TXT     "v=spf1 a:mail.example.com ip4:44.44.44.44 -all"

This is a TXT DNS record for example.com.  The value of the record starts off by declaring itself as SPF version 1.  This record explicitly allows mail to originate from two sources: the first is "mail.example.com", which must resolve via a valid A record under example.com; the second is a single IP address.  The final mechanism, "-all", says that any source not explicitly allowed earlier in the record is invalid (a hard fail).

In some cases, a business may need to allow a broader range of acceptable mail senders.  The ip4 mechanism accepts a subnet mask in CIDR notation (ip4:4.2.2.1/24 would identify any IP beginning with 4.2.2.x as a valid source for example.com).  You may also find it helpful to include all of one type of DNS record.  Companies often use the same servers to receive mail as to send it.  What does every mail server need to receive mail?  An MX record.  You can state that all hosts listed in example.com's MX records are allowed to send mail.

example.com     TXT     "v=spf1 mx -all"

Pretty straightforward, huh?  SPF and Sender ID usage is still relatively small, however there is certainly a growing need for it.  With a properly formed SPF record, the overhead is quite small for SMBs.  Even if your server doesn't support SPF or Sender ID filtering, it's still good practice to publish an SPF record for the servers around the world that do.

If you want to take a poke around and see who is using SPF, simply launch nslookup from a command prompt and view the TXT records for your favorite domains.  Here is Microsoft's...

microsoft.com      TXT     "v=spf1 mx include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com ip4:131.107.115.212 ip4:131.107.115.215 ip4:131.107.115.214 ip4:205.248.106.64 ip4:205.248.106.30 ip4:205.248.106.32 ~all"
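To see how a receiving server actually walks a record like the example.com ones above or Microsoft's, here is a small SPF evaluator added to this post (not part of the original, and not anything's production code). It handles the a, ip4 (with CIDR), mx, include and all mechanisms with the +, -, ~ and ? qualifiers; the DNS answers are a constructed in-memory table standing in for live lookups, and the partner.example and shop.example zones are hypothetical.

```python
import ipaddress

# Constructed stand-in for DNS (TXT, A and MX answers); no live lookups.
DNS = {
    "TXT": {
        "example.com": "v=spf1 a:mail.example.com ip4:44.44.44.44 mx -all",
        "partner.example": "v=spf1 ip4:198.51.100.0/24 ~all",   # hypothetical
        "shop.example": "v=spf1 include:partner.example -all",   # hypothetical
    },
    "A": {"mail.example.com": ["192.0.2.10"], "mx1.example.com": ["192.0.2.25"]},
    "MX": {"example.com": ["mx1.example.com"]},
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, depth=0):
    """Evaluate the SPF record of `domain` for a message sent from `ip`."""
    record = DNS["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1 ") or depth > 10:
        return "none"  # no record, not SPF v1, or include chain too deep
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"  # default is pass
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return RESULT[qualifier]  # nothing earlier matched
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in DNS["A"].get(arg or domain, [])
        elif name == "mx":
            hosts = DNS["MX"].get(arg or domain, [])
            matched = any(str(addr) in DNS["A"].get(h, []) for h in hosts)
        elif name == "include":
            # An include only matches if the referenced record says "pass";
            # its softfail/fail does not propagate, evaluation continues.
            matched = check_spf(arg, str(addr), depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return RESULT[qualifier]
    return "neutral"  # record ended without an "all" mechanism
```

Note that a sender rejected by the included partner.example record still falls through to shop.example's own "-all", which is what turns the softfail into a hard fail.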
