
Sender Policy Framework

FAQ/Examples

What is an example of how a receiving mail server uses SPF?

A mail server receiving a message can check two things with SPF:

  1. the hostname the sending server uses to identify itself (the HELO greeting name)
  2. the IP address of the sending server

The order in which these are checked is not specified, and in fact it may be better to check other things first, such as whether the recipient address (RCPT TO) exists, before resorting to an external DNS lookup for SPF. The receiving server can decide how to handle the message if only one of the two tests fails. See Best Practices for more information.

Basic Example

Let us assume we are a mail server and an e-mail arrives with the following address information:

Mail-from: bob@example.com
From: bob@example.com
To: steve@zelda.example.org

Test 1: When one mail server connects to another the sending server introduces itself. In our example, let's say the sending server says HELO mail.acme.example.net. Now that we know the hostname the sending server claims to be, we can check that. We do that by looking up the SPF record for mail.acme.example.net, which we will pretend looks like this:

mail.acme.example.net.  TXT  "v=spf1 a -all"

This record tells us that the only host that can announce itself as mail.acme.example.net is mail.acme.example.net itself (indicated by the "a" mechanism). Note that if there were no SPF record for mail.acme.example.net, the result would be None, rather than Pass or Fail.

  • If the IP address of the sending server matches the IP address of mail.acme.example.net, we have a Pass result for SPF.
  • If the IP address of the sending server does not match the IP address of mail.acme.example.net, we proceed to the next part of the SPF record, -all, which yields a Fail result.

Test 2: Since the mail-from shows an @example.com address we look up the following SPF record:

example.com.  TXT  "v=spf1 a:mail.example.com -all"

This record indicates that there is only one server that is allowed to send mail using the example.com domain, and that is mail.example.com. Now that we know that, we look up the IP address of the mail.example.com host.

  • If the IP address we find for mail.example.com matches the IP address of the incoming connection, then we have a match and the SPF test yields a Pass result.
  • If the address does not match mail.example.com, then we go on to the next part of the SPF record, in this case "-all", which tells us that any other IP address yields a Fail result.

Note that if there were no SPF record for example.com, the result would be None, rather than Pass or Fail.

Real Example

For this example let's look at a full SMTP conversation between mail servers. The lines with ==> indicate something the receiving server (teamits105) says; the lines with <-- indicate something the sending server says. Let's assume the sending server is connecting from IP address 64.233.167.99.

==> 220 teamits105.teamITS.net ESMTP Sendmail 8.13.6.20060614/8.13.6; Wed, 6 Dec 2007 14:27:47 -0600 (CST)
<-- HELO teamits104.teamITS.net
==> 250 teamits105.teamITS.net Hello py-in-f99.google.com [64.233.167.99], pleased to meet you
<-- mail from: sender@teamITS.com
==> 250 2.1.0 sender@teamITS.com... Sender ok
<-- rcpt to: steve@teamITS.com
==> 250 2.1.5 steve@teamITS.com... Recipient ok
<-- Data
==> 354 Please start mail input.
<-- From: sender@teamITS.com
<-- To: steve@teamITS.com
<-- Subject: Want to buy a widget?
<--
<-- Body text of message.
<-- .
==> 250 Mail queued for delivery.
<-- Quit
==> 221 Closing connection. Good bye.

As mentioned above, SPF can be checked at two places. First of all, since the sending server introduced itself to us as HELO teamits104.teamITS.net, we can see if there is an SPF record for the host teamits104.teamITS.net. There is:

"v=spf1 ip4:204.200.197.197 -all"

Since the IP address of teamits104.teamITS.net is actually 204.200.197.197, this check would result in a Fail, because the sending server is connecting from a different IP: 64.233.167.99. (Sendmail on the receiving server also notices that the hostname doesn't match, because the "Hello py-in-f99.google.com ..." response shows the sender's IP address and the hostname found via reverse DNS lookup.)

The second SPF check is based on the sending server saying mail from: sender@teamITS.com. We look up the SPF record for teamITS.com and find:

"v=spf1 ip4:204.200.197.197 ip4:199.236.109.182 ?include:spf.postini.com ?include:rs.spf.teamits.com ?ip4:192.67.9.40/30 ip4:72.54.24.99 -all"

This SPF record would be interpreted like so, assuming a match was found with the sending server's IP address:

ip4:204.200.197.197          - The IP address shown = Pass
ip4:199.236.109.182          - The IP address shown = Pass
?include:spf.postini.com     - The SPF record for this domain is looked up, and the IP
                               blocks referenced in it = Neutral
?include:rs.spf.teamITS.com  - The SPF record for this domain is looked up, and the IP
                               block referenced in it ("?ip4:128.121.64.0/24") = Neutral
?ip4:192.67.9.40/30          - The IP range shown = Neutral
ip4:72.54.24.99              - The IP address shown = Pass
-all                         - Any other IP address = Fail

Remember, the sending server is connecting from 64.233.167.99. Since none of the entries in this SPF record match 64.233.167.99, this second SPF check would also result in a Fail.

Based on either Fail result, the receiving server should treat the message as if it were forged.
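To make the two checks above concrete (both the Basic Example and the Real Example), here is a small SPF evaluator written for this page; it is an added example, not code from the SPF project or from the wiki author. It replaces live DNS with an in-memory table holding the TXT records quoted on the page plus a few constructed entries: the A records for mail.acme.example.net and mail.example.com, and a placeholder record for spf.postini.com, are all assumed. It supports the mechanisms the page uses (a, ip4, include, all) with the four qualifiers, and it applies the RFC 4408 rule that include only matches when the included record itself returns Pass, so a "?ip4" inside an included record does not surface as Neutral at the top level.

```python
import ipaddress

# Constructed, offline stand-in for DNS. The TXT records are those quoted on the
# page; the A records and the spf.postini.com record are assumptions for the demo.
DNS_TXT = {
    "mail.acme.example.net": "v=spf1 a -all",
    "example.com": "v=spf1 a:mail.example.com -all",
    "teamits104.teamits.net": "v=spf1 ip4:204.200.197.197 -all",
    "teamits.com": ("v=spf1 ip4:204.200.197.197 ip4:199.236.109.182 "
                    "?include:spf.postini.com ?include:rs.spf.teamits.com "
                    "?ip4:192.67.9.40/30 ip4:72.54.24.99 -all"),
    "rs.spf.teamits.com": "v=spf1 ?ip4:128.121.64.0/24 -all",
    "spf.postini.com": "v=spf1 ip4:192.0.2.0/24 -all",   # constructed placeholder
}
DNS_A = {
    "mail.acme.example.net": "192.0.2.10",   # assumed address
    "mail.example.com": "192.0.2.20",        # assumed address
}

# Prefix qualifier -> result returned when the mechanism matches.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def check_spf(domain, client_ip, depth=0):
    """Evaluate the v=spf1 record of `domain` against the connecting `client_ip`.
    Returns "None", "Pass", "Fail", "SoftFail", "Neutral" or "PermError"."""
    if depth > 10:
        return "PermError"   # simplified loop guard; RFC 4408 caps DNS-querying terms at 10
    record = DNS_TXT.get(domain.lower())
    if record is None:
        return "None"        # no SPF record: None, not Pass or Fail
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "+" (Pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name == "ip4":
            # A bare address is treated as a /32; ranges use CIDR notation.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            # "a" with no argument refers to the domain whose record we are reading.
            target = (arg or domain).lower()
            addr = DNS_A.get(target)
            matched = addr is not None and ipaddress.ip_address(addr) == ip
        elif name == "include":
            # include matches only if the included record yields Pass (RFC 4408 5.2).
            matched = check_spf(arg, client_ip, depth + 1) == "Pass"
        else:
            return "PermError"   # modifiers and other mechanisms are out of scope here

        if matched:
            return QUALIFIERS[qualifier]
    return "Neutral"   # fell off the end of the record without a match


def check_message(helo_name, mail_from, client_ip):
    """Run both checks the page describes: the HELO name and the MAIL FROM domain."""
    domain = mail_from.rsplit("@", 1)[-1]
    return {"helo": check_spf(helo_name, client_ip),
            "mailfrom": check_spf(domain, client_ip)}


if __name__ == "__main__":
    # The Real Example: sender connecting from 64.233.167.99.
    print(check_message("teamits104.teamITS.net", "sender@teamITS.com", "64.233.167.99"))
```

Running the block reproduces the page's Real Example (both checks Fail for 64.233.167.99). The interesting edge case is an address inside 128.121.64.0/24: the included rs.spf.teamits.com record returns Neutral for it, so the include does not match and evaluation falls through to "-all", giving Fail rather than Neutral.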

Examples from RFC4408

There are also sample DNS entries and examples in the SPF spec, RFC 4408.


Last edited 2008-04-01 18:14 (UTC) by Steve Yates