spf

Last updated: 2022-06-29

Introduction


SPF checks the "Return-Path" (also known as the MFrom or envelope sender), not the "From" header.

Return-Path header: present in the .eml but invisible to the user

Return-Path: <[email protected]>
...

Purpose of Return-Path: to notify the sender of delivery problems (bounces)

 * An SPF record is subject to the 255-character limit of a single TXT record string.

Format

version ([prefix] mechanisms) (modifiers)

version:

  • v=spf1

mechanisms:

  • all
  • include      other domains that are authorized (reuse an SPF record already set up on another domain)
  • a            all A records for the domain (a:<domain> | a:<domain>/<prefix-length>)
  • mx           all A records of each host in the domain's MX records
  • ptr          hosts looked up using PTR queries
  • ip4          ip4:IP[/net]
  • exists

Verification results

Qualifiers "+", "-", "~", and "?":

  • "+"    pass
  • "-"    fail
  • "~"    softfail
  • "?"    neutral

The default qualifier is "+".

Softfail

The domain is still testing its SPF policy, so the message should not have been rejected.

The IP address may or may not be authorized to send from the domain.

(Receivers mark the message as suspicious, but still accept it.)

Neutral

The domain owner stated in the SPF record that they do not want to assert that the IP address is authorized to send from the domain.

modifiers:

  • redirect
  • exp

Example

# The simplest setting
"v=spf1 a mx -all" 
# The domain sends no mail at all.
"v=spf1 -all"

# Allow multiple IPs
"v=spf1 a mx ip4:x.x.x.x ip4:192.168.0.0/16 -all"

# Allow a specific A record
"v=spf1 a:mail.example.com -all"

# Allow a specific MX record
"v=spf1 mx:domain.com -all"

# Allow PTR record
"v=spf1 ptr ptr:domain.com -all"
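The following parser is an added example (not code from the original page) for the record syntax described in the Format section and the example records above. It splits a TXT record into its version, qualified mechanisms and modifiers, applies the default "+" qualifier, rejects malformed terms, and splits a long record into TXT strings at the 255-character limit. The mechanism set includes ip6, which RFC 7208 defines alongside ip4 but the page's list leaves out.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Added example, not code from the original page.
# Qualifier prefixes and the result they produce when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanism names defined by RFC 7208 (ip6 added for completeness).
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# qualifier, name, then ":" (argument), "/" (CIDR-only form) or "=" (modifier)
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z][\w.\-]*)(?:([:/=])(.*))?$")


@dataclass
class Term:
    qualifier: str            # "+", "-", "~" or "?"
    name: str                 # mechanism name, e.g. "ip4"
    argument: Optional[str]   # text after ":", or "/24" for the CIDR-only form

    @property
    def result(self) -> str:  # result returned when this mechanism matches
        return QUALIFIERS[self.qualifier]


@dataclass
class SpfRecord:
    mechanisms: list = field(default_factory=list)   # list of Term, in order
    modifiers: dict = field(default_factory=dict)    # e.g. {"redirect": "example.com"}


def parse_spf(record: str) -> SpfRecord:
    """Split an SPF TXT record into qualified mechanisms and modifiers."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: first term must be v=spf1")
    parsed = SpfRecord()
    for raw in terms[1:]:
        m = TERM_RE.match(raw)
        if m is None:
            raise ValueError(f"malformed term: {raw!r}")
        qualifier, name, sep, rest = m.groups()
        name = name.lower()
        if sep == "=":                      # modifier, e.g. redirect=example.com
            if qualifier:
                raise ValueError(f"modifier {name} cannot carry a qualifier")
            if name in parsed.modifiers:    # redirect and exp may appear at most once
                raise ValueError(f"duplicate modifier {name}")
            parsed.modifiers[name] = rest
            continue
        if name not in MECHANISMS:
            raise ValueError(f"unknown mechanism: {name}")
        if name == "all" and sep:
            raise ValueError("all takes no argument")
        argument = None if sep is None else (("/" + rest) if sep == "/" else rest)
        parsed.mechanisms.append(Term(qualifier or "+", name, argument))
    return parsed


def is_valid_spf(record: str) -> bool:
    """True when the record parses cleanly under the rules above."""
    try:
        parse_spf(record)
        return True
    except ValueError:
        return False


def txt_strings(record: str, limit: int = 255) -> list:
    """Split a long record into TXT character-strings of at most `limit` characters.

    Resolvers concatenate the strings with no separator, so each earlier string
    keeps its trailing space; joining the pieces reproduces the original record.
    """
    chunks, current = [], ""
    for term in record.split():
        piece = term + " "
        if current and len(current) + len(piece) > limit:
            chunks.append(current)
            current = ""
        current += piece
    chunks.append(current.rstrip())
    return chunks


if __name__ == "__main__":
    # The page's own example records, parsed term by term.
    for example in ['"v=spf1 a mx -all"', '"v=spf1 -all"',
                    '"v=spf1 a mx ip4:192.168.0.0/16 -all"',
                    '"v=spf1 a:mail.example.com -all"']:
        rec = parse_spf(example)
        print(example, "->", [(t.qualifier, t.name, t.argument) for t in rec.mechanisms])
```

Feeding the parser a record before publishing it catches the mistakes that silently turn into permerror at the receiver: a stray qualifier on a modifier, an argument on "all", or a record that has grown past a single 255-character string.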

The "include" mechanism

dig -t txt datahunter.org

"v=spf1 a mx include:_spf.google.com -all"

dig -t txt _spf.google.com

_spf.google.com. 287 IN TXT "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

Domain datahunter.org ultimately judges mail with its own "-all": an include only matches when the included record evaluates to pass, so the "~all" inside _spf.google.com does not propagate to the outer record.

spf "%{i}" & "exists:"

"%{i}"

This macro is used as a variable that is replaced by the IP address of the connecting host.

e.g.

%{i}.spf.datahunter.org

Source IP "192.168.0.1" would expand to "192.168.0.1.spf.datahunter.org"

The "exists" mechanism

It matches if the hostname has an A record in DNS.

The value of the A record does not matter # it usually returns 127.0.0.2

e.g.

When the sending server's IP is 192.168.0.254 and the SPF record contains

exists:%{i}.spf.datahunter.org

this is equivalent to checking whether "192.168.0.254.spf.datahunter.org" has an A record; if it does, the result is Pass.

dig 192.168.0.1.spf.datahunter.org +short

%{ir}.%{v}.%{d}

"v=spf1 include:%{ir}.%{v}.%{d} -all"
  • %{ir}       # reversed IP address
  • %{v}        # "in-addr" for IPv4 / "ip6" for IPv6
  • %{d}        # expands to the domain name

If the sender IP is 10.1.2.3 and the domain is example.com:

Result: 3.2.1.10.in-addr.example.com
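The evaluator below is an added example (not the page's code) covering both the include section and the macro section above: it expands %{i}, %{ir}, %{v} and %{d} for the connecting address, then walks a record's mechanisms with a minimal check_host that handles ip4/ip6, a, include, exists and all. The DNS data is constructed for the demonstration (RFC 5737 documentation addresses and made-up names such as example.org and _spf.partner.example); mx and ptr are left out to keep the example short, and modifiers are ignored.

```python
import ipaddress
import re

# Added example, not code from the original page. Constructed DNS data:
# the included record ends in "~all", the outer record in "-all".
DNS_TXT = {
    "example.org": "v=spf1 ip4:203.0.113.0/24 include:_spf.partner.example "
                   "exists:%{i}.spf.example.org -all",
    "_spf.partner.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}
DNS_A = {
    # "exists" only cares that an A record is present; 127.0.0.2 is the usual value
    "192.0.2.7.spf.example.org": ["127.0.0.2"],
    "example.org": ["203.0.113.10"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def expand_macros(text, ip, domain):
    """Expand %{i}, %{ir}, %{v} and %{d} for the connecting IP and the domain."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        dotted, version = str(addr), "in-addr"
    else:  # IPv6: one hex nibble per label, as in the ip6.arpa form
        dotted, version = ".".join(addr.exploded.replace(":", "")), "ip6"
    macros = {
        "i": dotted,
        "ir": ".".join(reversed(dotted.split("."))),   # reversed labels
        "v": version,
        "d": domain,
    }
    # unknown macro letters are left untouched
    return re.sub(r"%\{([a-z]+)\}", lambda m: macros.get(m.group(1), m.group(0)), text)


def check_host(ip, domain, dns_txt=DNS_TXT, dns_a=DNS_A, depth=0):
    """Evaluate the SPF record of `domain` for the connecting address `ip`.

    Returns pass/fail/softfail/neutral from the first matching mechanism,
    "neutral" when nothing matches, "none" when there is no record and
    "permerror" for unsupported mechanisms or runaway include nesting.
    """
    if depth > 10:                 # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = dns_txt.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for raw in record.split()[1:]:          # skip the v=spf1 version term
        if "=" in raw.split(":", 1)[0]:     # modifier (redirect=, exp=): ignored here
            continue
        qualifier = "+"                     # default qualifier
        if raw[0] in QUALIFIERS:
            qualifier, raw = raw[0], raw[1:]
        name, _, arg = raw.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):        # a bare address is treated as /32 or /128
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in dns_a.get(arg or domain, [])
        elif name == "include":
            # include matches only when the included record yields "pass";
            # its own "~all" or "-all" never propagates to the caller
            matched = check_host(ip, arg, dns_txt, dns_a, depth + 1) == "pass"
        elif name == "exists":
            matched = bool(dns_a.get(expand_macros(arg, ip, domain)))
        else:                               # mx, ptr, unknown: not modelled here
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    print(expand_macros("%{ir}.%{v}.%{d}", "10.1.2.3", "example.com"))
    for ip in ("203.0.113.5", "198.51.100.9", "192.0.2.7", "192.0.2.8"):
        print(ip, "->", check_host(ip, "example.org"),
              "(included record alone:", check_host(ip, "_spf.partner.example") + ")")
```

The last address in the demo is the one worth studying: the included record on its own gives softfail for it, yet the outer evaluation ends in fail, because the include mechanism simply did not match and the outer "-all" decided.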

Testing tools

DOC

Other

pypolicyd-spf
