Home | Sitemap | Recent Changes | Login

SPF Logo

Sender Policy Framework

FAQ/Common receiver mistakes

Difference (from prior minor revision) (major diff)
Paragraph 21Paragraph 21

Mail forwarding is set up by the receiver and so for forwarded mail, the border mail server (at which SPF should be checked) the the forwarder's mail server.  If you check SPF on your mail server it is coming from your forwarder and not from a mail server authorized by the sending domain.  Technically this is similar to checking SPF against mail relayed from your secondary MX like discussed in the previous item.  Authorized forwarders should be whitelisted against SPF checks to avoid this problem.

Mail forwarding is set up by the receiver and so for forwarded mail, the border mail server (at which SPF should be checked) is the forwarder's mail server.  If you check SPF on your mail server it is coming from your forwarder and not from a mail server authorized by the sending domain.  Technically this is similar to checking SPF against mail relayed from your secondary MX like discussed in the previous item.  Authorized forwarders should be whitelisted against SPF checks to avoid this problem.


Common mistakes when checking incoming mail for SPF compliance

When your mail server uses someone else's SPF policy, there are a couple of things that could go wrong. Try not to make the same mistakes that others did. Things to look at:

Processing SPF policies at the border

SPF is designed to work at the border of your network. Some server, which you may not know, is contacting your server. Can you trust it? An SPF policy designates (or not!) that server as an authorized source for email from $domain.

Now consider what happens if you process an SPF policy somewhere else in your network. For example: one host receives all mail and then relays it to a central mail server. Should you process SPF policies on that central mail server, it will see your other host as the source. Chances are this other host is not authorized by someone else's SPF policy!

Example:

user@example.com sends his mail via mailhost.example.com and this host is authorized in example.com's SPF policy (v=spf1 a:mailhost.example.com -all).

Your organization receives mail at mailhost.receiver.example (your MX server). Maybe it looks at example.com's SPF record, finds that mailhost.example.com is authorized, and all is well.

Then the message is relayed to mailcentral.receiver.example; if this server looks at the SPF record again, the sending host will be mailhost.receiver.example which is not authorized!

Another example:

Your organization has a primary MX host, and a backup. Somehow delivery via the primary MX fails. The secondary MX is used and stores mail for a while. After some time, messages are routed to the primary for further processing.

In this example, the secondary MX should look at SPF policies (just like the primary does). Its settings should be at least as secure as the primary's settings. In addition, the primary MX server should whitelist the secondary MX server. All security checks are done by the secondary MX and should not be repeated for the following reasons:

  • it is a waste of resources
  • (for SPF: ) the sending host is your MX server, not the original contacting server

Checking SPF On Forwarded Mail

Mail forwarding is set up by the receiver and so for forwarded mail, the border mail server (at which SPF should be checked) is the forwarder's mail server. If you check SPF on your mail server it is coming from your forwarder and not from a mail server authorized by the sending domain. Technically this is similar to checking SPF against mail relayed from your secondary MX like discussed in the previous item. Authorized forwarders should be whitelisted against SPF checks to avoid this problem.

Enabling a "best guess" mode

Some SPF programs know how to fake an SPF policy if the sending domain does not have one. This is generally OK but you really should avoid this one big mistake: you must not reject mail based on your own guess, and you must not blame SPF if you ignore this warning!!!

Returning ("bouncing") email

It is generally best to reject mail right at the border of your network, rather than to accept responsibility for it ("receive") and find yourself returning email to a third party. But it becomes even more important when you process SPF policies.

Consider this: you receive a message from <president@whitehouse.gov>. You accept the message (and thus responsibility for it) but you soon find that you cannot deliver it. According to the RFC you ought to return it to the sender.

If whitehouse.gov has an SPF policy, and if that SPF policy did not approve of the sending server, then you can assume that president@whitehouse.gov is not the sender. When you "return" the message to this address, you are part of the problem, not part of the solution.

Tell your users

Don't forget to tell people that you are about to implement SPF. Some senders (inbound mail from your perspective) use unauthorized relays but so far nobody noticed. As soon as you start verifying SPF, people will notice and blame it on the most recent change (i.e. you implementing SPF verification). The real problem is those senders. Make sure your users know this.


Edit text of this page | View other revisions
Last edited 2008-04-12 10:51 (UTC) by Frank Ellermann (diff)