Sender Policy Framework

Ensure Outbound (Relayed) mail is not forged

RFC 4408 Security Considerations assigns responsibility to MTA operators to ensure users send mail only using identities they are authorized to to use. RFC 4409 specifically supports message rejection if the Mail From address is not authorized for the authenticated user. Some programs support this function natively if the user to authorized mail from address mapping is known. See the Postfix documentation for one example. This ensures that the MTA operator has authorized the user to send using the Mail From in the message.

Relay services should also ensure that the domain owner has authorized them to send mail. For domains that publish SPF records, this can be done via outbound (prospective) SPF checking. To do this, during the submission process, the relaying server should check SPF, but using it's own IP address, not the submitter's. For outbound SPF checks it is reasonable to reject any Softfail/Neutral results since the domain owner has published a sender policy and the local server is not authorized. For Postfix users, the Python SPF policy server supports this function as a configuration item since version 0.6.