Rekord SPF.
Rekord SPF jest zapisem w strefie DNS domeny typu TXT lub SPF, niosącym informację dla odbierającego MTA o poprawności adresacji serwera MTA nadawcy. Pozwala to na sprawdzenie, czy odbierana wiadomość została wysłana przez uprawnione do tego przez administratora danej domeny MTA.
Budowa rekordu SPF zaczyna się od podania jego wersji (np. "v=spf1"), a następnie reguł, które pozwalają na uwiarygodnienie poprawności serwera nadawcy. Na podstawie tych informacji oraz akcji zdefiniowanych przez administratora MTA odbierającego, wiadomości wysłane z serwerów niezgodnych z informacjami zawartymi w SPF mogą (i powinny) być odrzucane.
Przykładowy rekord SPF wygląda w strefie domeny BIND następująco:
@ IN TXT "v=spf1 a mx ip4:1.2.3.4 ip4:4.3.2.96/30 ip6:2001:aaaa:b:abcd::/64 a:nazwa-fqdn-ip.tld -all"
Najprostsza formułka rekordu SPF, w większości przypadków wystarczająca w zupełności:
Regułka informuje, że poczta wysłana z adresacji zdefiniowanej w strefie domeny dla rekordów A oraz MX jest "legalna".
@ IN TXT "v=spf1 a mx -all"
Przykład reakcji na SPF dla MTA Exim.
Najpierw sprawdzamy, czy Exim ma wkompilowaną obsługę SPF:
server#exim -bV
Support for: crypteq IPv6 Perl OpenSSL move_frozen_messages Content_Scanning DKIM DNSSEC Event OCSP PIPE_CONNECT PRDR SPF DMARC TCP_Fast_Open Experimental_SRS
acl_check_recipient:
warn set acl_m_slow = 0
warn set acl_m_spfw =
deny
!authenticated = *
condition = ${if !eq{$acl_m_spfw}{1}}
spf = fail
message = SPF: $sender_host_address is not allowed to send mail from $sender_address_domain: $spf_smtp_comment
logwrite = SPF: $sender_host_address is not allowed to send mail from $sender_address_domain: $spf_smtp_comment
deny
!authenticated = *
condition = ${if !eq{$acl_m_spfw}{1}}
spf = permerror
message = SPF: $sender_host_address is not allowed to send mail from $sender_address_domain: $spf_smtp_comment
logwrite = SPF: DENY, $sender_host_address is not allowed to send mail from $sender_address_domain: $spf_smtp_comment
set acl_m_slow = 1
deny
!authenticated = *
condition = ${if !eq{$acl_m_spfw}{1}}
spf = none
!verify = sender/callout=30s,random,postmaster
message = SPF: Sender not have SPF record and SPF info does\n \
not grant $sender_host_address explicit\n \
authority to send mail from $sender_address_domain.
logwrite = SPF: DENY, We check sender and we block messages from $sender_address_domain because sender test is invalid: $spf_smtp_comment
set acl_m_slow = 1
defer
!authenticated = *
condition = ${if !eq{$acl_m_spfw}{1}}
spf = softfail : neutral
message = SPF: We greylist messages from $sender_address_domain\nbecause the domain's reputation is questionable:\n$spf_smtp_comment
logwrite = SPF: DEFER, We greylist messages from $sender_address_domain because the domain's reputation is questionable: $spf_smtp_comment
set acl_m_slow = 1
defer
!authenticated = *
condition = ${if !eq{$acl_m_spfw}{1}}
spf = temperror
message = SPF: $sender_host_address currently is not allowed to send mail from $sender_address_domain: $spf_smtp_comment
logwrite = SPF: DEFER, $sender_host_address currently is not allowed to send mail from $sender_address_domain: $spf_smtp_comment
set acl_m_slow = 1
warn
!authenticated = *
spf = pass
add_header = X-SPF: Result=$spf_result , comment=$spf_header_comment
logwrite = SPF: INFO, Result=$spf_result, comment=$spf_header_comment, sender=$sender_address_domain: $spf_smtp_comment
set acl_m_slow = 0
warn
!authenticated = *
spf = none
message = SPF: $sender_address_domain\nreputation is questionable:\n$spf_smtp_comment.\n
logwrite = SPF: Result=$spf_result, comment=$spf_header_comment, sender=$sender_address_domain: $spf_smtp_comment
add_header = X-SPF: INFO, Result=$spf_result , comment=$spf_header_comment
set acl_m_slow = 2
warn
!authenticated = *
condition = ${if match {${lookup dnsdb{txt=$sender_address_domain}{$value} } }{\\+all} }
add_header = X-SPF-WARN-ALL: $sender_address_domain allows +all in SPF policy
logwrite = SPF: WARN, $sender_address_domain allows +all in SPF policy
set acl_m_slow = 2
warn
condition = ${if eq{$acl_m_slow}{1}}
condition = ${if !eq{acl_m_spfw}{1}}
delay = 10s
warn
condition = ${if eq{$acl_m_slow}{2}}
condition = ${if !eq{acl_m_spfw}{1}}
delay = 60s
W celu zapewnienia pełnego sprawdzenia nadawcy, należy zastosować jednoczesną politykę SPF, DKIM oraz DMARC.