Difference between revisions of "SPF"
(Created page with "{{fmt/title|SPF: Sender Policy Framework}} ==About== SPF (Sender Policy Framework) is an anti-spam protocol in which a DNS record specifies what IP addresses are allowed t...") |
|||
(5 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
+ | [[category:anti-spam]] | ||
+ | [[category:email/server/configuration]] | ||
{{fmt/title|SPF: Sender Policy Framework}} | {{fmt/title|SPF: Sender Policy Framework}} | ||
==About== | ==About== | ||
− | [[SPF]] (Sender Policy Framework) is an anti-spam protocol in which a DNS record specifies what IP addresses are allowed to send messages with a "from" address coming from that domain. The IP addresses may be specified literally (numerically) or | + | [[SPF]] (Sender Policy Framework) is an anti-spam protocol in which a DNS record specifies what IP addresses are allowed to send messages with a "from" address coming from that domain. The IP addresses may be specified literally (numerically, using [[/term/cidr-length|CIDR address-range syntax]]) or as domain-names. SPF is defined in [https://www.rfc-editor.org/rfc/rfc7208.html RFC 7208] ([https://datatracker.ietf.org/doc/draft-ietf-spfbis-4408bis/21/ status]). |
===DNS Configuration=== | ===DNS Configuration=== | ||
Discussion of the DNS record format is in [https://www.rfc-editor.org/rfc/rfc7208.html#section-3 Section 3]. SPF uses TXT records; there must be only one SPF record per domain or subdomain. A record's contents must start with "<code>v=spf1</code>" in order to be recognized as an SPF record. | Discussion of the DNS record format is in [https://www.rfc-editor.org/rfc/rfc7208.html#section-3 Section 3]. SPF uses TXT records; there must be only one SPF record per domain or subdomain. A record's contents must start with "<code>v=spf1</code>" in order to be recognized as an SPF record. | ||
− | The remainder of the contents consists of a | + | The remainder of the contents consists of a set of terms, formatted according to these nearly-indecipherable rules: |
− | + | {{l/sub|term}}s = *( 1*SP ( directive / modifier ) ) | |
directive = [ qualifier ] mechanism | directive = [ qualifier ] mechanism | ||
− | + | {{l/sub|qual}}ifier = "+" / "-" / "?" / "~" | |
− | + | mechanism = ( all / include / a / mx / ptr / ip4 / ip6 / exists ) | |
− | + | modifier = redirect / explanation / unknown-modifier | |
unknown-modifier = name "=" macro-string | unknown-modifier = name "=" macro-string | ||
; where name is not any known modifier | ; where name is not any known modifier | ||
name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." ) | name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." ) | ||
+ | |||
+ | This seems to translate to "one or more terms, where each term starts with either {a ''qualifier'' followed by a ''directive'' (which is a qualifier plus a mechanism)} or a ''modifier'', and multiple terms are separated by spaces". | ||
+ | |||
+ | Tentatively, it's best to think of "modifiers" as a small set of additional directives. It's noted in that they're intended to allow for future expansion | ||
+ | ==Examples== | ||
+ | This config seems to be at least partly functional: | ||
+ | '''TXT''' v=spf1 mx mx:mail.vbz.net a a:mail.vbz.net ~all | ||
+ | |||
+ | This config does not get through to Gmail: | ||
+ | '''TXT''' v=spf1 ip4:165.227.176.23 ip6:2604:a880:800:a1::126e:6001 -all | ||
==Links== | ==Links== | ||
* {{wikipedia|Sender Policy Framework}} | * {{wikipedia|Sender Policy Framework}} | ||
* [https://www.rfc-editor.org/rfc/rfc7208.html RFC 7208] ([https://datatracker.ietf.org/doc/draft-ietf-spfbis-4408bis/21/ status]) | * [https://www.rfc-editor.org/rfc/rfc7208.html RFC 7208] ([https://datatracker.ietf.org/doc/draft-ietf-spfbis-4408bis/21/ status]) |
Latest revision as of 20:26, 21 December 2022
SPF: Sender Policy Framework
About
SPF (Sender Policy Framework) is an anti-spam protocol in which a DNS record specifies what IP addresses are allowed to send messages with a "from" address coming from that domain. The IP addresses may be specified literally (numerically, using CIDR address-range syntax) or as domain-names. SPF is defined in RFC 7208 (status).
DNS Configuration
Discussion of the DNS record format is in Section 3. SPF uses TXT records; there must be only one SPF record per domain or subdomain. A record's contents must start with "v=spf1" in order to be recognized as an SPF record.
The remainder of the contents consists of a set of terms, formatted according to these nearly-indecipherable rules:
terms = *( 1*SP ( directive / modifier ) )
directive = [ qualifier ] mechanism
qualifier = "+" / "-" / "?" / "~"
mechanism = ( all / include / a / mx / ptr / ip4 / ip6 / exists )
modifier = redirect / explanation / unknown-modifier
unknown-modifier = name "=" macro-string
                   ; where name is not any known modifier
name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
This seems to translate to "one or more terms, where each term starts with either {a qualifier followed by a directive (which is a qualifier plus a mechanism)} or a modifier, and multiple terms are separated by spaces".
Tentatively, it's best to think of "modifiers" as a small set of additional directives. It's noted in that they're intended to allow for future expansion
Examples
This config seems to be at least partly functional:
TXT v=spf1 mx mx:mail.vbz.net a a:mail.vbz.net ~all
This config does not get through to Gmail:
TXT v=spf1 ip4:165.227.176.23 ip6:2604:a880:800:a1::126e:6001 -all
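The term grammar from the DNS Configuration section, applied to the two records above, as an added example (not code from the original page or from RFC 7208). The function names are assumptions made for the illustration; an omitted qualifier is treated as "+" as RFC 7208 specifies, and macro-strings and CIDR suffixes on a/mx are carried through without validation.

```python
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIER = re.compile(r"([A-Za-z][A-Za-z0-9._-]*)=(.*)\Z")   # name "=" macro-string
MECHANISM = re.compile(r"([A-Za-z0-9]+)([:/].*)?\Z")          # name, then ":arg" or "/cidr"

def pick_spf_record(txt_records):
    """Return the one SPF record among a name's TXT strings, or None if there is none."""
    spf = [t for t in txt_records if t.lower().split(" ")[0] == "v=spf1"]
    if len(spf) > 1:
        raise ValueError("more than one SPF record published for this name")
    return spf[0] if spf else None

def parse_spf(record):
    """Return (directives, modifiers) for one SPF record; ValueError on bad syntax."""
    terms = record.split(" ")
    if terms[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    directives, modifiers = [], []
    for term in filter(None, terms[1:]):
        mod = MODIFIER.match(term)
        if mod:  # modifier = redirect / explanation / unknown-modifier
            modifiers.append((mod.group(1).lower(), mod.group(2)))
            continue
        # directive = [ qualifier ] mechanism
        qual, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        m = MECHANISM.match(body)
        if not m or m.group(1).lower() not in MECHANISMS:
            raise ValueError(f"unknown mechanism in term {term!r}")
        mech, rest = m.group(1).lower(), m.group(2) or ""
        arg = rest[1:] if rest.startswith(":") else rest
        if mech in ("ip4", "ip6"):  # literal addresses must parse and match the family
            net = ipaddress.ip_network(arg, strict=False)
            if net.version != int(mech[2]):
                raise ValueError(f"{mech} term holds an address of the other family")
            arg = str(net)
        directives.append((QUALIFIERS[qual], mech, arg))
    return directives, modifiers

# The two records from the Examples section (contents only, without the TXT type label).
RECORD_A = "v=spf1 mx mx:mail.vbz.net a a:mail.vbz.net ~all"
RECORD_B = "v=spf1 ip4:165.227.176.23 ip6:2604:a880:800:a1::126e:6001 -all"

if __name__ == "__main__":
    for rec in (RECORD_A, RECORD_B):
        for result, mech, arg in parse_spf(rec)[0]:
            print(f"{mech:4} {arg or '-':34} -> {result}")
```

Each directive comes back as (result-if-matched, mechanism, argument), so the trailing `~all` and `-all` show up as the softfail and fail results applied to every sender the earlier terms did not match.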