This guide documents some of the reasons why (and how) Gentoo utilizes SPF. For instructions on how to use SPF as a developer, see the documentation.
SPF for gentoo.org
Sender Policy Framework (SPF) is a way to fight return-path address forgery and makes it easier to identify spoofed addresses. It is NOT a spam fighting tool in and of itself. The technology is merely a way to stop one loophole spammers use: source address spoofing.
SPF uses DNS to give mail administrators a way to tell other mail administrators what MTAs are allowed to send mail for their particular domain. Essentially, SPF allows us to say, "hey, here's the mail servers that send mail for gentoo.org"
Other mail administrators can then use that information to make their own decisions about what to do with mail that does or does not come from one of those servers.
For Gentoo, our SPF record is currently:
Which breaks down as:
- Use the first version of SPF
- Anything that is listed as an MX record for gentoo.org is OK ptr: any host that ends in gentoo.org is OK. (requires a PTR record to be in place)
- If you receive an email from an MTA not on this list, please treat it neutrally. (i.e. do not make decisions based solely on this fact)
?all is intended to be a transitional phase, with the ultimate goal being to move to
~all or even
-all , which are more definitive.
Some people have objected to the fact that SpamAssassin adds ~1 to the overall spam score for
?all records. SPF is a tool and, like any other tool, people can do smart things with it and they can do stupid things with it. This is not saying the SA developers are stupid -- merely that they've chosen to use the tool a certain way that conflicts with what the SPF standard calls for. As you can tell from the SA test name (SPF_NEUTRAL), SPF calls for records using
?all to treat MTAs sending mail on behalf of that domain neutrally. SPF should not be faulted if SA chooses to go another route.
SA provides users with ways of overriding or ignoring this score on a per-user basis if they wish.
Finally, it is possible to send a mail From: a gentoo.org email address using a non gentoo.org SMTP server and not run afoul of SA's SPF_NEUTRAL scoring. You can see an example here:
which shows a mythical developer sending an email
From: firstname.lastname@example.org using his gmail account. Note that the SA score is actually reduced due to SPF in this particular case.
Additionally, as has been the case for months, we allow developers to relay (via aSMTP) their outbound gentoo.org mail through dev.gentoo.org if they so choose, which also works around the specific issue with SA.
Again, SPF is a tool. Nothing more, nothing less. All we do is provide information to other mail administrators. How they decide to use it is up to them.
We would like to thank the following authors and editors for their contributions to this guide: