
I'm trying to set up SPF for our domain to prevent or reduce spoofing. The difficulty I'm having is with how to look at any particular email and determine if it would pass SPF.

We of course know which internal mail servers we have that are sending mail for our domain. The problem is finding the external ones, like Constant Contact, etc., that have been used by the marketing folks to send mail as users in our domain and that should be included in our SPF record.

I understand it analyzes the "MAIL FROM" data and references it with the IP address of the connecting server. Oftentimes I see "MAIL FROM" something like "user@ac.example.com" but the mail is actually "From: user@example.com", yet it passes SPF.

When checking to see if a particular email would pass an SPF test, how is the "From:" field considered, when "MAIL FROM" is the real return-path sender?

2 Answers

2

Easy: set up a DMARC policy. I recommend dmarcian as an XML parser for those reports. DMARC was designed specifically for this, Authentication and REPORTING!! Set your policy to none so you don't reject any emails yet. Example:

_dmarc.example.org. IN TXT "v=DMARC1; p=none; rua=mailto:zskpakdq@ag.dmarcian.com;"

If you want to start checking if your SPF matches without causing errors in flow, use

?all

Also, if you are going to use DMARC ongoing, you'll want to start signing your mail with DomainKeys (DKIM), which will help you manage forwarders.

Jacob Evans
  • 8,431
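The reporting side of the answer above, as an added example that is not part of the original post and not dmarcian's code: a small Python reader for a DMARC aggregate (rua) report that lists each sending IP, the domain SPF authenticated, and whether that domain is aligned with the From: header domain under the published aspf mode. The XML, the IPs and the domains are constructed for the example; org_domain is a deliberate simplification (last two labels) where real checkers consult the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a DMARC aggregate report, trimmed to the elements this
# summary needs. All IPs, domains and counts are hypothetical.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><aspf>r</aspf></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>ac.example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulkmailer.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    A production checker would use the Public Suffix List instead."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def spf_aligned(header_from, spf_domain, mode="r"):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return header_from.lower() == spf_domain.lower()
    return org_domain(header_from) == org_domain(spf_domain)


def summarize_report(xml_text):
    """Return one row per <record>, highest message count first, with the
    SPF domain, the raw SPF result, whether it is aligned with header_from,
    and the DMARC SPF verdict this implies (pass only when raw pass + aligned)."""
    root = ET.fromstring(xml_text)
    mode = root.findtext("policy_published/aspf", default="r")
    rows = []
    for rec in root.findall("record"):
        header_from = rec.findtext("identifiers/header_from", default="")
        spf = rec.find("auth_results/spf")
        spf_domain = spf.findtext("domain", default="") if spf is not None else ""
        spf_result = spf.findtext("result", default="none") if spf is not None else "none"
        aligned = spf_result == "pass" and spf_aligned(header_from, spf_domain, mode)
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", default="0")),
            "header_from": header_from,
            "spf_domain": spf_domain,
            "spf_result": spf_result,
            "aligned": aligned,
            "dmarc_spf": "pass" if aligned else "fail",
            # what the receiver itself concluded, for cross-checking our computation
            "reported_spf": rec.findtext("row/policy_evaluated/spf", default=""),
        })
    rows.sort(key=lambda r: r["count"], reverse=True)
    return rows


if __name__ == "__main__":
    for r in summarize_report(SAMPLE_REPORT):
        print(f"{r['source_ip']:15} {r['count']:5} spf={r['spf_result']}({r['spf_domain']}) "
              f"aligned={r['aligned']} dmarc_spf={r['dmarc_spf']}")
```

Read with the question in mind: the 198.51.100.7 row is the ac.example.com case, which passes DMARC because ac.example.com is relaxed-aligned with example.com. The 203.0.113.99 row is the one to investigate: raw SPF passed for the sender's own domain, but it is not aligned, so it is either a third-party service that still needs to be brought under your SPF/DKIM or mail you never sent.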
1

SPF just checks that an email originated from the server IP listed (ip4:a.b.c.d), or, if it is an MX record (mx, a), from the mail servers of a domain.

It does not verify the @example.com part.

So if the @example.com mail server is 1.1.1.1 and the mail was sent from server 1.1.1.1, your mail server would accept it. However, if the mail was actually sent from 1.1.1.2, it would be flagged as spam.

Since spammers don't have access to the domain's DNS records, using SPF records helps verify the originating servers.
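The evaluation the question asks about and the mechanism matching this answer describes, as an added example that is not from either poster: a toy SPF evaluator in Python over a constructed DNS table (no live lookups; all domains and IPs are hypothetical). It takes only the MAIL FROM identity and the connecting IP, which is why a message with From: user@example.com and MAIL FROM user@ac.example.com passes when ac.example.com's record lists the sending service. It handles ip4/ip6, a, mx, include and all with the four qualifiers; redirect= and exp= modifiers, macros and ip4 prefixes on a/mx are left out.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (hypothetical names/IPs).
# example.com authorises its own MX, one fixed IP, and whatever ac.example.com
# (the marketing sender's bounce domain) authorises via include.
DNS = {
    "example.com": {"TXT": "v=spf1 mx ip4:192.0.2.10 include:ac.example.com -all",
                    "MX": ["mail.example.com"], "A": ["192.0.2.10"]},
    "mail.example.com": {"A": ["192.0.2.10"]},
    "ac.example.com": {"TXT": "v=spf1 ip4:198.51.100.0/24 ~all", "A": []},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _ips_for(name):
    return DNS.get(name, {}).get("A", [])


def _in_net(ip, spec):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def spf_identity(headers):
    """SPF is evaluated on the envelope sender (Return-Path / RFC5321.MailFrom).
    The From: header is not consulted at all; DMARC is what ties the two together."""
    return headers["Return-Path"].strip("<>")


def check_spf(mail_from, client_ip, depth=0):
    """Evaluate the SPF record of mail_from's domain against the connecting IP.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = DNS.get(domain, {}).get("TXT")
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-querying mechanisms at 10
    for term in record.split()[1:]:
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are not handled in this toy
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = _in_net(client_ip, arg)
        elif mech == "a":
            matched = client_ip in _ips_for(arg or domain)
        elif mech == "mx":
            mx_hosts = DNS.get(arg or domain, {}).get("MX", [])
            matched = any(client_ip in _ips_for(mx) for mx in mx_hosts)
        elif mech == "include":
            # include matches only when the referenced record yields "pass";
            # its fail/softfail/neutral just fall through to the next term
            matched = check_spf("postmaster@" + arg, client_ip, depth + 1) == "pass"
        else:
            return "permerror"  # exists/ptr/macros: unsupported here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no "all" present


if __name__ == "__main__":
    # The situation from the question: From: says example.com, envelope says ac.example.com.
    msg = {"From": "user@example.com", "Return-Path": "<user@ac.example.com>"}
    print(check_spf(spf_identity(msg), "198.51.100.7"))   # pass, via ac.example.com's ip4
    print(check_spf("user@example.com", "192.0.2.10"))    # pass, via mx
    print(check_spf("user@example.com", "198.51.100.7"))  # pass, via include:ac.example.com
    print(check_spf("user@example.com", "203.0.113.99"))  # fail, -all
    print(check_spf("user@ac.example.com", "203.0.113.99"))  # softfail, ~all
```

The last two calls illustrate the answer's 1.1.1.1 versus 1.1.1.2 point: an IP not listed by any mechanism ends at the all term, and the qualifier on it (-all, ~all, ?all) decides how hard the rejection is, which is why the first answer suggests ?all while the record is still being built.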