|
For this example let's look at a full SMTP conversation between mail servers. The lines with <tt>==></tt> indicate something the ''receiving'' server (teamits102) says; the lines with <tt><---</tt> indicate something the ''sending'' server says. Let's assume the sending server is connecting from IP address 198.65.30.145.
| | For this example let's look at a full SMTP conversation between mail servers. The lines with <tt>==></tt> indicate something the ''receiving'' server (teamits105) says; the lines with <tt><---</tt> indicate something the ''sending'' server says. Let's assume the sending server is connecting from IP address 64.233.167.99.
|
| |
|
><pre>==> 220 teamits102.teamITS.net ESMTP Sendmail 8.13.6.20060614/8.13.6; Wed, 6 Dec 2007 14:27:47 -0600 (CST)
<-- HELO teamits101.teamITS.net
==> 250 teamits102.teamITS.net Hello teamits103.teamITS.net [198.65.30.145], pleased to meet you
| | ><pre>==> 220 teamits105.teamITS.net ESMTP Sendmail 8.13.6.20060614/8.13.6; Wed, 6 Dec 2007 14:27:47 -0600 (CST)
<-- HELO teamits104.teamITS.net
==> 250 teamits105.teamITS.net Hello py-in-f99.google.com [64.233.167.99], pleased to meet you
|
|
<-- To: steve@teamITS.com
| | <-- To: steve@teamITS.com
|
<-- Subject: Buy this doodad!
| | <-- Subject: Want to buy a widget?
|
<--
| | <--
|
|
As mentioned above, ''SPF'' can be checked at two places. First of all, since the sending server introduced itself to us as <tt>HELO teamits101.teamITS.net</tt>, we can see if there is an ''SPF'' record for the host teamits101.teamITS.net. There is:
><pre>"v=spf1 a -all"</pre>
Since the IP address of teamits101.teamITS.net is actually 198.173.254.232, this check would result in a Fail, because the sending server is connecting from 198.65.30.145. (Sendmail on the receiving server also notices the hostname doesn't match, because the "Hello teamits103.teamITS.net ..." response indicates the sender's IP address and the hostname found via reverse DNS lookup).
| | As mentioned above, ''SPF'' can be checked at two places. First of all, since the sending server introduced itself to us as <tt>HELO teamits104.teamITS.net</tt>, we can see if there is an ''SPF'' record for the host teamits104.teamITS.net. There is:
><pre>"v=spf1 ip4:204.200.197.197 -all"</pre>
Since the IP address of teamits104.teamITS.net is actually 204.200.197.197, this check would result in a Fail, because the sending server is connecting from a different IP: 64.233.167.99. (Sendmail on the receiving server also notices the hostname doesn't match, because the "Hello py-in-f99.google.com ..." response indicates the sender's IP address and the hostname found via reverse DNS lookup).
|
|
><pre>"v=spf1 ip4:204.200.196.170 a:gw.teamITS.com ip4:199.236.109.182 ?include:rs.spf.teamITS.com
?ip4:192.67.9.43 ?ip4:69.90.68.67 ?ip4:192.67.9.41 -all"</pre>
| | ><pre>"v=spf1 ip4:204.200.197.197 ip4:199.236.109.182 ?include:spf.postini.com ?include:rs.spf.teamits.com ?ip4:192.67.9.40/30 ip4:72.54.24.99 -all"</pre>
|
|
ip4:204.200.196.170 - The IP address shown = Pass
| | ip4:204.200.197.197 - The IP address shown = Pass
|
a:gw.teamITS.com - The IP of gw.teamITS.com (207.145.71.131) = Pass
ip4:199.236.109.182 - The IP address shown = Pass
| | ip4:199.236.109.182 - The IP address shown = Pass
?include:spf.postini.com - The SPF record for this domain is looked up, and the IP
blocks referenced in it = Neutral
|
?include:rs.spf.teamITS.com - The SPF record for this domain is looked up, and the IP
| | ?include:rs.spf.teamITS.com - The SPF record for this domain is looked up, and the IP
|
|
?ip4:192.67.9.43 - The IP address shown = Neutral
?ip4:69.90.68.67 - The IP address shown = Neutral
?ip4:192.67.9.41 - The IP address shown = Neutral
| | ?ip4:192.67.9.40/30 - The IP range shown = Neutral
ip4:72.54.24.99 - The IP address shown = Pass
-all - Any other IP address = Fail</pre>
|
-all - Any other IP address = Fail</pre>
| | |
| |
|
Remember, the sending server is connecting from 198.65.30.145. Since none of the entries in this ''SPF'' record match 198.65.30.145, this check would also result in a Fail.
| | Remember, the sending server is connecting from 64.233.167.99. Since none of the entries in this ''SPF'' record match 64.233.167.99, this second ''SPF'' check would also result in a Fail.
|
| |
|
Based on either Fail result the receiving server could treat the message as if it was a fake.
| | Based on either Fail result the receiving server should treat the message as if it was a fake.
|
What is an example of how a receiving mail server uses SPF?
A mail server receiving a message can check two things with SPF:
- the hostname the sending server uses to identify itself (the HELO greeting name)
- the IP address of the sending server
The order in which these are checked is not specified, and in fact it may be better to check other things first, like whether the recipient address (RCPT TO) exists or not, before resorting to an external DNS lookup for SPF. The receiving server can decide how to handle the message if only one of the tests fail. See Best Practices for more information.
Basic Example
Let us assume we are a mail server and an e-mail arrives with the following address information:
Mail-from: bob@example.com
From: bob@example.com
To: steve@zelda.example.org
Test 1: When one mail server connects to another the sending server introduces itself. In our example, let's say the sending server says HELO mail.acme.example.net. Now that we know the hostname the sending server claims to be, we can check that. We do that by looking up the SPF record for mail.acme.example.net, which we will pretend looks like this:
mail.acme.example.net. TXT "v=spf1 a -all"
This record tells us that the only host that can announce itself as mail.acme.example.net is mail.acme.example.net (indicated by the "a"). Note if there was no SPF record for mail.acme.example.net, the result would be None, rather than Pass or Fail.
- If the IP address of the sending server matches the IP address of mail.acme.example.net, we have a Pass result for SPF.
- If the IP address of the sending server does not match the IP address of mail.acme.example.net, we proceed to the next part of the SPF record, -all, which yields a Fail result.
Test 2: Since the mail-from shows an @example.com address we look up the following SPF record:
example.com. TXT "v=spf1 a:mail.example.com -all"
This record indicates that there is only one server that is allowed to send mail using the example.com domain, and that is mail.example.com. Now that we know that, we look up the IP address of the mail.example.com host.
- If the IP address we find for mail.example.com matches the IP address of the incoming connection, then we have a match and the SPF test yields a Pass result.
- If the address does not match mail.example.com, then we go on to the next part of the SPF record, in this case "-all" which tells us that there any other IP address yields a Fail result.
Note if there was no SPF record for example.com, the result would be None, rather than Pass or Fail.
Real Example
For this example let's look at a full SMTP conversation between mail servers. The lines with ==> indicate something the receiving server (teamits105) says; the lines with <— indicate something the sending server says. Let's assume the sending server is connecting from IP address 64.233.167.99.
==> 220 teamits105.teamITS.net ESMTP Sendmail 8.13.6.20060614/8.13.6; Wed, 6 Dec 2007 14:27:47 -0600 (CST)
<-- HELO teamits104.teamITS.net
==> 250 teamits105.teamITS.net Hello py-in-f99.google.com [64.233.167.99], pleased to meet you
<-- mail from: sender@teamITS.com
==> 250 2.1.0 sender@teamITS.com... Sender ok
<-- rcpt to: steve@teamITS.com
==> 250 2.1.5 steve@teamITS.com... Recipient ok
<-- Data
==> 354 Please start mail input.
<-- From: sender@teamITS.com
<-- To: steve@teamITS.com
<-- Subject: Want to buy a widget?
<--
<-- Body text of message.
<-- .
==> 250 Mail queued for delivery.
<-- Quit
==> 221 Closing connection. Good bye.
As mentioned above, SPF can be checked at two places. First of all, since the sending server introduced itself to us as HELO teamits104.teamITS.net, we can see if there is an SPF record for the host teamits104.teamITS.net. There is:
"v=spf1 ip4:204.200.197.197 -all"
Since the IP address of teamits104.teamITS.net is actually 204.200.197.197, this check would result in a Fail, because the sending server is connecting from a different IP: 64.233.167.99. (Sendmail on the receiving server also notices the hostname doesn't match, because the "Hello py-in-f99.google.com ..." response indicates the sender's IP address and the hostname found via reverse DNS lookup).
The second SPF check is based on the sending server saying mail from: sender@teamITS.com. We look up the SPF record for teamITS.com and find:
"v=spf1 ip4:204.200.197.197 ip4:199.236.109.182 ?include:spf.postini.com ?include:rs.spf.teamits.com ?ip4:192.67.9.40/30 ip4:72.54.24.99 -all"
This SPF record would be interpreted like so, assuming a match was found with the sending server's IP address:
ip4:204.200.197.197 - The IP address shown = Pass
ip4:199.236.109.182 - The IP address shown = Pass
?include:spf.postini.com - The SPF record for this domain is looked up, and the IP
blocks referenced in it = Neutral
?include:rs.spf.teamITS.com - The SPF record for this domain is looked up, and the IP
block referenced in it ("?ip4:128.121.64.0/24") = Neutral
?ip4:192.67.9.40/30 - The IP range shown = Neutral
ip4:72.54.24.99 - The IP address shown = Pass
-all - Any other IP address = Fail
Remember, the sending server is connecting from 64.233.167.99. Since none of the entries in this SPF record match 64.233.167.99, this second SPF check would also result in a Fail.
Based on either Fail result the receiving server should treat the message as if it was a fake.
Examples from RFC4408
There are also sample DNS entries and examples in the SPF spec, RFC 4408.
