As a way to fight spam, a domain publishes in the DNS the information about who is entitled to send email on its behalf.

Configuration

SPF lets a domain list the hosts (i.e. their IP addresses) allowed to send mail for it. This prevents spam from being sent through an external machine using your email address as the sender address.

The following example tells other mail servers that only the host mrelay1.example.com is allowed to send messages whose sender address is of the form @example.com.

named.conf
; RFC 7208 discontinued the dedicated SPF RR type; verifiers query TXT records only.
example.com.            IN  TXT "v=spf1 a:mrelay1.example.com -all"
mrelay1.example.com.    IN  TXT "v=spf1 a -all"

Integration

Postfix

Postfix is no longer built with the postfix-libspf2 patch, so the following section is obsolete.

SPF verifies the legitimacy of the machine sending the mail. This verification is performed (through the SPF DNS records) when the mail is received, by adding reject_spf_invalid_sender to the smtpd_sender_restrictions definition:

main.cf
smtpd_sender_restrictions     =
    ...
    reject_spf_invalid_sender,
    ...

In addition, a whitelist maintained by trusted-forwarder.org will be checked (directive spf_global_whitelist). Mail headers will also be modified to show the validation results (directive spf_received_header). If validation fails, the mail is rejected (unless the spf_mark_only directive is set) and the error message shows the explanation defined by spf_explanation.

main.cf
# SPF
spf_received_header     = yes
spf_mark_only           = yes
spf_explanation         = "%{h} [%{i}] is not allowed to send mail for %{s}"
spf_global_whitelist    = yes
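
An added example, not part of the original page or of Postfix: a minimal Python evaluation of the two records from the Configuration section, followed by expansion of the spf_explanation macros shown above. The DNS table, the address 192.0.2.25 and the function names check_host, explain and verdict are assumptions made for the illustration.

```python
import ipaddress

# Constructed DNS data (RFC 5737 documentation address) so the example runs offline.
TXT = {
    "example.com": "v=spf1 a:mrelay1.example.com -all",
    "mrelay1.example.com": "v=spf1 a -all",
}
A = {"mrelay1.example.com": ["192.0.2.25"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
EXPLANATION = "%{h} [%{i}] is not allowed to send mail for %{s}"


def check_host(ip, domain):
    """Return the SPF result for client `ip` against the policy of `domain`.

    Only the `a` and `all` mechanisms used on this page are implemented.
    """
    domain = domain.lower().rstrip(".")
    terms = TXT.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF policy published
    client = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, target = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() != "a":
            return "permerror"  # mechanism outside this sketch
        # Bare `a` looks up the domain being checked; `a:host` looks up host.
        hosts = A.get((target or domain).lower().rstrip("."), [])
        if any(client == ipaddress.ip_address(h) for h in hosts):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no `all` term


def explain(template, helo, ip, sender):
    """Expand the %{h}, %{i} and %{s} macros used in spf_explanation."""
    for macro, value in (("%{h}", helo), ("%{i}", ip), ("%{s}", sender)):
        template = template.replace(macro, value)
    return template


def verdict(helo, ip, sender):
    """Check the MAIL FROM domain and build the rejection text on fail."""
    result = check_host(ip, sender.rpartition("@")[2])
    return result, (explain(EXPLANATION, helo, ip, sender) if result == "fail" else None)
```
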