SPF is an emerging standard that lets the owners of domain names tell the people who receive email claiming to be from that domain name which SMTP servers are allowed to send email from that domain name. That’s a slightly complex sentence, so let me give you an example. Then I’ll make a note or two about how to add SPF records to your DNS settings. There is a point or two that is quite difficult to figure out from the documentation I’ve found online, but once you figure it out, it’s not that difficult. So, the example of the process:
1) A spammer sends an email with a fake address–let’s say that address is fakeaddress@geckotribe.com.
2) It leaves their email client and goes through their ISP’s SMTP server–let’s say that’s smtp.spammerisp.com (in reality, they probably wouldn’t use their ISP’s SMTP server, but we’ll ignore that fact).
3) The message arrives at the recipient’s (poor@sucker.com) mail server (mail.sucker.com).
4) Their mail server (mail.sucker.com) checks the sender’s address (fakeaddress@geckotribe.com), extracts the domain name from it (geckotribe.com).
5) mail.sucker.com asks the DNS server for geckotribe.com (ns.geckotribe.com) for a list of SMTP servers that are allowed to send email addressed from geckotribe.com (like fakeaddress@geckotribe.com).
6) ns.geckotribe.com replies that mail.geckotribe.com and mail.myhomeisp.com are allowed to send such email, and no one else.
7) mail.sucker.com notes that smtp.spammerisp.com is not on the list.
8) mail.sucker.com either rejects the message or marks it in some way so that the recipient knows that the SPF check failed, so it’s likely that it’s spam.
There’s the process. How does the administrator for geckotribe.com set up the DNS record to indicate that mail.geckotribe.com and mail.myhomeisp.com are allowed to send email addressed from geckotribe.com? Here are two lines that need to be added to the DNS configuration file, followed by an explanation of them:
geckotribe.com. IN TXT "v=spf1 a:mail.geckotribe.com ?include:myhomeisp.com -all"
mail.geckotribe.com. IN TXT "v=spf1 a:mail.geckotribe.com -all"
On the first line:
• geckotribe.com.: this indicates “mail addressed from somebody@geckotribe.com”. Note the “.” after “.com”. You can either put that dot there, or omit “geckotribe.com.” completely.
• IN TXT: Indicates that this is a text record. Trust me. That’s what you want.
• v=spf1: Indicates that this is an SPF version 1 record. You need this.
• a:: An “A” record (not a CNAME, TXT, MX, NS… or other type of DNS record). IMPORTANT NOTE: “a:” could have been prefixed with a plus sign, i.e., this could have been “+a:mail.geckotribe.com”. The plus sign is optional–it is the default prefix. It means that if this rule matches, then the sender is legitimate. I’ll mention other prefixes later.
• mail.geckotribe.com: Lookup the IP address for mail.geckotribe.com–if that’s the IP address you’re getting the mail from, then it’s legitimate.
• ?: The question mark prefix means that if the following rule matches, the sender may or may not be legitimate. I’ll tell you why you’d use a question mark here in a minute.
• include:: This means that I don’t know the IP addresses or fully qualified domain names of the mail servers that I’m going to talk about next, but I’m going to name the domain that you should ask for that information.
• myhomeisp.com: This is the domain name of the ISP I connect to the internet through when I’m at home. Now to answer the question of why we prefixed this rule with a question mark. It’s because when I send email via my ISP, it’s legitimate, but if somebody else with the same ISP sends mail claiming to be from geckotribe.com, it’s not. The question mark says “don’t rule it out, but it might not be legitimate”.
• -: The minus sign says that if the following rule matches, then the sender is not legitimate.
• all: This rule matches anybody who wasn’t already matched by one of the preceding rules.
Briefly, the second line means that if mail claims to be from somebody@mail.geckotribe.com, it’s legit if it came via mail.geckotribe.com, but not if it came from anywhere else.
To recap and point out a few more things:
• You can put multiple rules on each line. They are evaluated from left to right until one matches. The rest are ignored.
• “+” means legitimate, “?” means it might be legitimate, and “-” means it’s not legitimate.
• Each rule starts with a prefix (if none is specified, then the default is “+”) followed by “a”, “include”, “ptr”, “mx” or one of a few other things (check the specifications for details) followed by a colon.
• You should end each line with ?all or -all. Use ?all if you want to be able to send email through any ISP (for example, if you send email from your laptop as you travel all over the place). Use -all if you know (and have indicated earlier on the line) every possible SMTP server that you might send email through.
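To make the eight-step process and the left-to-right rule evaluation concrete, here is a small SPF checker I have added as an example; it is not code from the original post and does no real DNS. It stands in a constructed lookup table for the two records above plus a made-up record for myhomeisp.com and made-up IP addresses for the three mail servers. Beyond what the post covers, it also understands the “ip4” mechanism and the “~” (softfail) prefix from the SPF specification.

```python
import ipaddress

# Constructed stand-in for DNS (no real lookups). The two geckotribe.com TXT records
# are the ones from the post; the myhomeisp.com record and all IP addresses are made up.
FAKE_DNS = {
    ("geckotribe.com", "TXT"): ["v=spf1 a:mail.geckotribe.com ?include:myhomeisp.com -all"],
    ("mail.geckotribe.com", "TXT"): ["v=spf1 a:mail.geckotribe.com -all"],
    ("myhomeisp.com", "TXT"): ["v=spf1 a:mail.myhomeisp.com -all"],
    ("mail.geckotribe.com", "A"): ["192.0.2.10"],
    ("mail.myhomeisp.com", "A"): ["198.51.100.25"],
    ("smtp.spammerisp.com", "A"): ["203.0.113.7"],
}

# Prefix (qualifier) -> result when the rule it precedes matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Step 5/6 stand-in: ask 'DNS' for records of one type, ignoring the trailing dot."""
    return FAKE_DNS.get((name.lower().rstrip("."), rtype), [])


def get_spf_record(domain):
    """Return the first TXT record that starts with v=spf1, or None if the domain has none."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def parse_record(record):
    """Split a 'v=spf1 ...' record into (prefix, mechanism, argument) rules, left to right."""
    rules = []
    for token in record.split()[1:]:  # skip the v=spf1 version tag
        prefix = "+"  # default when no prefix is written
        if token[0] in QUALIFIERS:
            prefix, token = token[0], token[1:]
        mechanism, _, argument = token.partition(":")
        rules.append((prefix, mechanism.lower(), argument))
    return rules


def check_spf(sender_domain, client_ip, depth=0):
    """Evaluate rules left to right; the first one that matches decides the result."""
    if depth > 10:  # guard against include: loops
        return "permerror"
    record = get_spf_record(sender_domain)
    if record is None:
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for prefix, mechanism, argument in parse_record(record):
        if mechanism == "all":
            matched = True
        elif mechanism == "a":
            host = argument or sender_domain
            matched = any(ipaddress.ip_address(a) == ip for a in lookup(host, "A"))
        elif mechanism == "ip4":
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            # include: matches only if the other domain's policy says 'pass' for this IP
            matched = check_spf(argument, client_ip, depth + 1) == "pass"
        else:
            continue  # mx, ptr, exists are not handled in this example
        if matched:
            return QUALIFIERS[prefix]
    return "neutral"  # ran off the end of the record without a match


def check_mail_from(address, client_ip):
    """Step 4: pull the domain out of the envelope sender, then run the check."""
    return check_spf(address.rpartition("@")[2], client_ip)


if __name__ == "__main__":
    # Spammer relaying through smtp.spammerisp.com: not on the list, so -all fires.
    print(check_mail_from("fakeaddress@geckotribe.com", "203.0.113.7"))   # fail
    # Legitimate mail through mail.geckotribe.com.
    print(check_mail_from("somebody@geckotribe.com", "192.0.2.10"))       # pass
    # Mail through the home ISP: the ?include: rule matches, so the result is neutral.
    print(check_mail_from("somebody@geckotribe.com", "198.51.100.25"))    # neutral
```

Note the third case: the home ISP’s server is recognised, but the “?” prefix on the include rule turns that into “neutral” rather than “pass”, which is exactly the “don’t rule it out” behaviour the post describes.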