Project:Infrastructure/SPF

This guide provides documentation on how and why Gentoo utilizes Sender Policy Framework. For instructions on how to use SPF as a developer, see the documentation.

Background
Sender Policy Framework (SPF) is a way to fight return-path address forgery and makes it easier to identify spoofed addresses. It is NOT a spam-fighting tool in and of itself. The technology merely closes one loophole spammers use: source address spoofing.

SPF uses DNS to give mail administrators a way to tell other mail administrators which MTAs are allowed to send mail for their particular domain. Essentially, SPF allows us to say, "hey, here are the mail servers that send mail for gentoo.org".

Other mail administrators can then use that information to make their own decisions about what to do with mail that does or does not come from one of those servers.

Gentoo.org
For Gentoo, our SPF record is currently:

Which breaks down as:


 * : Use the first version of SPF.
 * : Anything that is listed as an MX record for gentoo.org is OK.
 * : Any host that ends in gentoo.org is OK (requires a PTR record to be in place).
 * : SPF macro to check the sending localuser and server against a more specific SPF record.
 * : If you receive an email from an MTA not on this list, please treat it neutrally (i.e. do not make decisions based solely on this fact).

The  is intended to be a transitional phase, with the ultimate goal being to move to   or even , which are more definitive.
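To make the difference between the final qualifiers concrete, here is a small SPF evaluator (added for illustration; it is not Gentoo infrastructure code). It implements the RFC 7208 mechanisms named above (`mx`, `ptr`, `a`, `ip4`, `all`) with the `+`, `-`, `~` and `?` qualifiers against a constructed, in-memory DNS fixture for a hypothetical `example.org`; the `exists` macro is deliberately left out, and the same unlisted sender IP is shown yielding neutral, softfail or fail depending only on the `all` qualifier.

```python
import ipaddress

# Constructed DNS fixture standing in for real lookups (hypothetical hosts and IPs).
DNS = {
    "MX": {"example.org": ["mail1.example.org", "mail2.example.org"]},
    "A": {"mail1.example.org": ["192.0.2.10"], "mail2.example.org": ["192.0.2.11"],
          "dev.example.org": ["198.51.100.5"]},
    "PTR": {"198.51.100.5": ["dev.example.org"], "203.0.113.7": ["mail.webmail.test"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _a_matches(host, ip):
    """True if one of host's A records is the sending IP."""
    return any(ipaddress.ip_address(a) == ip for a in DNS["A"].get(host, []))

def evaluate_spf(record, sender_ip, domain):
    """Evaluate a v=spf1 record for sender_ip (subset: ip4, a, mx, ptr, all)."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"   # default is "+"
        mech = term.lstrip("+-~?").lower()
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = _a_matches(arg or domain, ip)
        elif name == "mx":
            matched = any(_a_matches(h, ip) for h in DNS["MX"].get(arg or domain, []))
        elif name == "ptr":
            # ptr: reverse name must lie within the domain AND forward-resolve back to ip.
            target = arg or domain
            matched = any((h == target or h.endswith("." + target)) and _a_matches(h, ip)
                          for h in DNS["PTR"].get(str(ip), []))
        else:
            return "permerror"   # exists/include/redirect are not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"   # record without an "all" term: RFC 7208 default result

if __name__ == "__main__":
    for tail in ("?all", "~all", "-all"):
        print(tail, evaluate_spf("v=spf1 mx ptr " + tail, "203.0.113.7", "example.org"))
```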

Some people have objected to the fact that SpamAssassin adds ~1 to the overall spam score for  records. SPF is a tool and, like any other tool, people can do smart things with it and they can do stupid things with it. This is not saying the SA developers are stupid -- merely that they've chosen to use the tool a certain way that conflicts with what the SPF standard calls for. As you can tell from the SA test name (SPF_NEUTRAL), SPF calls for records using  to treat MTAs sending mail on behalf of that domain neutrally. SPF should not be faulted if SA chooses to go another route.

SA provides users with ways of overriding or ignoring this score on a per-user basis if they wish.

Finally, it is possible to send a mail From: a gentoo.org email address using a non-gentoo.org SMTP server and not run afoul of SA's SPF_NEUTRAL scoring. You can see an example here:

which shows a mythical developer sending an email  using his gmail account. Note that the SA score is actually reduced due to SPF in this particular case.

Additionally, as has been the case for months, we allow developers to relay (via authenticated SMTP, aSMTP) their outbound gentoo.org mail through dev.gentoo.org if they so choose, which also works around the specific issue with SA.

Again, SPF is a tool. Nothing more, nothing less. All we do is provide information to other mail administrators. How they decide to use it is up to them.