Difference between revisions of "SPF"

from HTYP, the free directory anyone can edit if they can prove to me that they're not a spambot
(Created page with "{{fmt/title|SPF: Sender Policy Framework}} ==About== SPF (Sender Policy Framework) is an anti-spam protocol in which a DNS record specifies what IP addresses are allowed t...")
 
 
(5 intermediate revisions by the same user not shown)
Line 1: Line 1:
 +
[[category:anti-spam]]
 +
[[category:email/server/configuration]]
 
{{fmt/title|SPF: Sender Policy Framework}}
 
{{fmt/title|SPF: Sender Policy Framework}}
 
==About==
 
==About==
[[SPF]] (Sender Policy Framework) is an anti-spam protocol in which a DNS record specifies what IP addresses are allowed to send messages with a "from" address coming from that domain. The IP addresses may be specified literally (numerically) or given as domain-names. SPF is defined in [https://www.rfc-editor.org/rfc/rfc7208.html RFC 7208] ([https://datatracker.ietf.org/doc/draft-ietf-spfbis-4408bis/21/ status]).
+
[[SPF]] (Sender Policy Framework) is an anti-spam protocol in which a DNS record specifies what IP addresses are allowed to send messages with a "from" address coming from that domain. The IP addresses may be specified literally (numerically, using [[/term/cidr-length|CIDR address-range syntax]]) or as domain-names. SPF is defined in [https://www.rfc-editor.org/rfc/rfc7208.html RFC 7208] ([https://datatracker.ietf.org/doc/draft-ietf-spfbis-4408bis/21/ status]).
 
===DNS Configuration===
 
===DNS Configuration===
 
Discussion of the DNS record format is in [https://www.rfc-editor.org/rfc/rfc7208.html#section-3 Section 3]. SPF uses TXT records; there must be only one SPF record per domain or subdomain. A record's contents must start with "<code>v=spf1</code>" in order to be recognized as an SPF record.
 
Discussion of the DNS record format is in [https://www.rfc-editor.org/rfc/rfc7208.html#section-3 Section 3]. SPF uses TXT records; there must be only one SPF record per domain or subdomain. A record's contents must start with "<code>v=spf1</code>" in order to be recognized as an SPF record.
  
The remainder of the contents consists of a mix of {{l/sub|mechanism}}s and {{l/sub|modifier}}s, combined according to these nearly-indecipherable rules:
+
The remainder of the contents consists of a set of terms, formatted according to these nearly-indecipherable rules:
   terms           = *( 1*SP ( directive / modifier ) )
+
   {{l/sub|term}}s           = *( 1*SP ( directive / modifier ) )
  
 
   directive        = [ qualifier ] mechanism
 
   directive        = [ qualifier ] mechanism
   qualifier       = "+" / "-" / "?" / "~"
+
   {{l/sub|qual}}ifier       = "+" / "-" / "?" / "~"
   {{l/sub|mechanism}}       = ( all / include / a / mx / ptr / ip4 / ip6 / exists )
+
   mechanism        = ( all / include / a / mx / ptr / ip4 / ip6 / exists )
   {{l/sub|modifier}}         = redirect / explanation / unknown-modifier
+
   modifier        = redirect / explanation / unknown-modifier
 
   unknown-modifier = name "=" macro-string
 
   unknown-modifier = name "=" macro-string
 
                       ; where name is not any known modifier
 
                       ; where name is not any known modifier
  
 
   name            = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
 
   name            = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
 +
 +
This seems to translate to "one or more terms, where each term starts with either {a ''qualifier'' followed by a ''directive'' (which is a qualifier plus a mechanism)} or a ''modifier'', and multiple terms are separated by spaces".
 +
 +
Tentatively, it's best to think of "modifiers" as a small set of additional directives. It's noted in that they're intended to allow for future expansion
 +
==Examples==
 +
This config seems to be at least partly functional:
 +
'''TXT''' v=spf1 mx mx:mail.vbz.net a a:mail.vbz.net  ~all
 +
 +
This config does not get through to Gmail:
 +
'''TXT''' v=spf1 ip4:165.227.176.23 ip6:2604:a880:800:a1::126e:6001 -all
 
==Links==
 
==Links==
 
* {{wikipedia|Sender Policy Framework}}
 
* {{wikipedia|Sender Policy Framework}}
 
* [https://www.rfc-editor.org/rfc/rfc7208.html RFC 7208] ([https://datatracker.ietf.org/doc/draft-ietf-spfbis-4408bis/21/ status])
 
* [https://www.rfc-editor.org/rfc/rfc7208.html RFC 7208] ([https://datatracker.ietf.org/doc/draft-ietf-spfbis-4408bis/21/ status])
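Review bot: The added paraphrase of the grammar ("This seems to translate to ...") does not match the ABNF quoted directly above it. `terms = *( 1*SP ( directive / modifier ) )` allows zero or more terms, not "one or more", and `directive = [ qualifier ] mechanism` makes the qualifier an optional part of the directive, not something that precedes it. Suggest wording it as "zero or more space-separated terms, each either a directive (an optional qualifier plus a mechanism) or a modifier". The next added sentence, "It's noted in that they're intended to allow for future expansion", is missing the name of the section it cites and its closing period.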

Latest revision as of 20:26, 21 December 2022

SPF: Sender Policy Framework

About

SPF (Sender Policy Framework) is an anti-spam protocol in which a DNS record specifies what IP addresses are allowed to send messages with a "from" address coming from that domain. The IP addresses may be specified literally (numerically, using CIDR address-range syntax) or as domain-names. SPF is defined in RFC 7208 (status).

DNS Configuration

Discussion of the DNS record format is in Section 3. SPF uses TXT records; there must be only one SPF record per domain or subdomain. A record's contents must start with "v=spf1" in order to be recognized as an SPF record.

The remainder of the contents consists of a set of terms, formatted according to these nearly-indecipherable rules:

  terms            = *( 1*SP ( directive / modifier ) )
  directive        = [ qualifier ] mechanism
  qualifier        = "+" / "-" / "?" / "~"
  mechanism        = ( all / include / a / mx / ptr / ip4 / ip6 / exists )
  modifier         = redirect / explanation / unknown-modifier
  unknown-modifier = name "=" macro-string
                     ; where name is not any known modifier
  name             = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )

This seems to translate to "one or more terms, where each term starts with either {a qualifier followed by a directive (which is a qualifier plus a mechanism)} or a modifier, and multiple terms are separated by spaces".

Tentatively, it's best to think of "modifiers" as a small set of additional directives. It's noted in that they're intended to allow for future expansion.

Examples

This config seems to be at least partly functional:

TXT v=spf1 mx mx:mail.vbz.net a a:mail.vbz.net   ~all

This config does not get through to Gmail:

TXT v=spf1 ip4:165.227.176.23 ip6:2604:a880:800:a1::126e:6001 -all
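An added example, not part of the original page: a small Python parser for the term grammar quoted under DNS Configuration, applied to the two records above. Function names are hypothetical; the result names (pass, fail, softfail, neutral), the default "+" qualifier and the neutral fallback come from RFC 7208 rather than from this page. Only ip4/ip6/all are evaluated, because the other mechanisms need DNS lookups.

```python
import ipaddress
import re

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}  # RFC 7208 names
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
DIRECTIVE = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)((?:[:/].*)?)$")
MODIFIER = re.compile(r"([A-Za-z][A-Za-z0-9\-_.]*)=(.*)$")
NETWORK = {"ip4": ipaddress.IPv4Network, "ip6": ipaddress.IPv6Network}
# The two records from the Examples section of this page.
REC_MX = "v=spf1 mx mx:mail.vbz.net a a:mail.vbz.net   ~all"
REC_IP = "v=spf1 ip4:165.227.176.23 ip6:2604:a880:800:a1::126e:6001 -all"

def select_spf(txt_records):
    """Pick the SPF record from a domain's TXT strings; more than one is an error."""
    spf = [r for r in txt_records if r.split(" ")[0].lower() == "v=spf1"]
    if len(spf) != 1:
        raise ValueError(f"expected exactly one v=spf1 record, found {len(spf)}")
    return spf[0]

def parse_terms(record):
    """Return ('directive', qualifier, mechanism, arg) / ('modifier', name, value) tuples."""
    version, *tokens = record.split()
    if version.lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for tok in tokens:
        d, m = DIRECTIVE.match(tok), MODIFIER.match(tok)
        if d and d.group(2).lower() in MECHANISMS:
            arg = d.group(3)[1:] if d.group(3).startswith(":") else d.group(3)
            terms.append(("directive", d.group(1) or "+", d.group(2).lower(), arg))
        elif m:
            terms.append(("modifier", m.group(1).lower(), m.group(2)))
        else:
            raise ValueError(f"unparseable term: {tok!r}")
    return terms

def evaluate_literal(record, client_ip):
    """Walk directives left to right using only ip4/ip6/all; no DNS lookups are made."""
    ip = ipaddress.ip_address(client_ip)
    terms = parse_terms(record)
    for _, qual, mech, arg in (t for t in terms if t[0] == "directive"):
        if mech == "all":
            return RESULT[qual]
        if mech not in NETWORK:
            return "needs-dns"  # a/mx/include/ptr/exists cannot be decided offline
        if ip in NETWORK[mech](arg, strict=False):
            return RESULT[qual]
    return "needs-dns" if any(t[:2] == ("modifier", "redirect") for t in terms) else "neutral"
```
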

Links