Difference between revisions of "SPF"
Latest revision as of 20:26, 21 December 2022
SPF: Sender Policy Framework
About
SPF (Sender Policy Framework) is an anti-spam protocol in which a DNS record specifies which IP addresses are allowed to send messages whose "from" address belongs to that domain. The IP addresses may be specified literally (numerically, using CIDR address-range syntax) or indirectly, as domain names whose addresses are looked up in DNS. SPF is defined in RFC 7208.
DNS Configuration
Discussion of the DNS record format is in Section 3. SPF uses TXT records; there must be only one SPF record per domain or subdomain. A record's contents must start with "v=spf1" in order to be recognized as an SPF record.
The remainder of the contents consists of a set of terms, formatted according to these nearly indecipherable rules:
terms = *( 1*SP ( directive / modifier ) )
directive = [ qualifier ] mechanism
qualifier = "+" / "-" / "?" / "~"
mechanism = ( all / include / a / mx / ptr / ip4 / ip6 / exists )
modifier = redirect / explanation / unknown-modifier
unknown-modifier = name "=" macro-string
; where name is not any known modifier
name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
This seems to translate to "zero or more terms, separated by spaces, where each term is either a directive (an optional qualifier followed by a mechanism) or a modifier (a name, "=", and a value)". A directive with no qualifier behaves as if it had "+".
Tentatively, it's best to think of "modifiers" as a small set of additional directives. The RFC notes that they're intended to allow for future expansion, which is why a modifier with an unknown name is permitted by the grammar.
Examples
This config seems to be at least partly functional:
TXT v=spf1 mx mx:mail.vbz.net a a:mail.vbz.net ~all
This config does not get through to Gmail:
TXT v=spf1 ip4:165.227.176.23 ip6:2604:a880:800:a1::126e:6001 -all
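As an added illustration (not code from this wiki or from any SPF library), the following Python parser applies the terms/directive/modifier grammar above to records like the two examples, then evaluates a sender address against the parsed directives the way a receiving server would. The a and mx mechanisms need live DNS, so their answers come from a constructed lookup table; include, ptr, exists and redirect= are left unimplemented.

```python
import ipaddress
import re

# Qualifier -> result it yields when its mechanism matches (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DIRECTIVE_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9_.-]*)(?::([^/]*))?(?:/(\d{1,3}))?$", re.I)
MODIFIER_RE = re.compile(r"^([a-z][a-z0-9_.-]*)=(.*)$", re.I)

def parse_spf(record):
    """Split a record into directives (qualifier, mechanism, target, cidr) and modifiers."""
    parts = record.split()  # terms are separated by one or more spaces (1*SP)
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    directives, modifiers = [], {}
    for term in parts[1:]:
        mod = MODIFIER_RE.match(term)  # name=value; unknown names are permitted
        if mod:
            modifiers[mod.group(1).lower()] = mod.group(2)
            continue
        d = DIRECTIVE_RE.match(term)
        if not d:
            raise ValueError(f"unparseable term: {term!r}")
        qual, mech, target, cidr = d.groups()
        directives.append((qual or "+", mech.lower(), target, int(cidr) if cidr else None))
    return directives, modifiers

def check_host(record, sender_ip, domain, dns):
    """Evaluate directives left to right; first match wins, no match is 'neutral'.
    `dns` is a constructed table {(mechanism, name): [addresses]} standing in for
    the live a/mx lookups; include, ptr, exists and redirect= are not implemented."""
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, target, cidr in parse_spf(record)[0]:
        if mech == "all":
            candidates = [str(ip)]  # "all" matches every sender
        elif mech in ("ip4", "ip6"):
            candidates = [target]
        elif mech in ("a", "mx"):  # no target means the domain being checked
            candidates = dns.get((mech, (target or domain).lower()), [])
        else:
            raise NotImplementedError(f"{mech} requires a live DNS resolver")
        for addr in candidates:
            net = ipaddress.ip_network(f"{addr}/{cidr}" if cidr else addr, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
    return "neutral"

# Constructed DNS answers for the wiki's example domain (not real lookup results).
FAKE_DNS = {("mx", "vbz.net"): ["203.0.113.10"], ("a", "vbz.net"): ["203.0.113.5"],
            ("mx", "mail.vbz.net"): ["203.0.113.10"], ("a", "mail.vbz.net"): ["203.0.113.10"]}
```

Against the first example record the table's mail host passes and any other address softfails; against the second, only the two listed addresses pass and everything else fails.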