From Gentoo Wiki
Jump to:navigation Jump to:search

Sender Policy Framework (SPF) allows domain owners to state in their DNS records which IP addressess should be allowed to send mails from their domain. This will prevent spammers from spoofing the Return-Path.

If your ISP blocks incoming traffic on port 25 and relays all mail to you through their own mail server, SPF will not work.



First, domain owners have to create a special TXT DNS record. Then an SPF-enabled MTA can read this and if the mail originates from a server that is not described in the SPF record the mail can be rejected. An example entry could look like this:

CODE Example SPF record
domain.tld.  IN TXT  "v=spf1 a mx ptr -all"

The -all means to reject all mail by default but allow mail from the A( a ), MX( mx ) and PTR( ptr ) DNS records. For more info consult further resources below.

If you relay outgoing mail through your ISP you will have to add: .


Apparently there are now a few different SPF-related packages in portage:

  • perl-based
    • dev-perl/Mail-SPF
    • dev-perl/Mail-SPF-Query
  • python-based
    • dev-python/pyspf
    • mail-filter/pypolicyd-spf
  • C-based
    • mail-filter/libspf2

All seem well used implementations.

If you are on an IP address whose reverse DNS lookup is not correct or is not possible to configure, then you may encounter issues with the perl implementation, as it seems to insist on reverse DNS lookups.

Apparently old/outdated info based on perl implementation

grab the with:

root #cp postfix-<version>/examples/smtpd-policy/ /usr/local/bin/
The coming with Postfix around v2.1 is slightly buggy so find and uncomment the following line: push @HANDLERS, "sender_permitted_from"; use Mail::SPF::Query; . Furthermore in about line 199 substitute comemnt with comment . Alternatively you can download a development version .

This Perl script also needs some Perl libraries that are not in portage but it is still quite simple to install them:

root #emerge Mail-SPF-Query Net-CIDR-Lite Sys-Hostname-Long

Now that we have everything in place all we need is to configure Postfix to use this new policy.

FILE master.cfuse SPF
policy-spf  unix  -       n       n       -       -       spawn
   user=nobody argv=/usr/bin/perl /usr/local/bin/

Now add the SPF check in . Properly configured SPF should do no harm so we could check SPF for all domains:

FILE main.cfuse SPF
# (Under smtpd_recipient_restrictions add:)
check_policy_service unix:private/policy-spf
If you're experiencing problems with SPF, e.g. when using fetchmail , you might want to enable SPF for certain domains only.


A restart or reload may be required to synchronize this new record to the secondary servers and propagated through the DNS system. Once the record is visible in the DNS system, it will begin to be used. Keep this in mind if testing fails, check the domain's TXT record(s).

user $dig domain.tld txt

Or, the same command using a specific DNS server.

user $dig @some.dns.server.tld domain.tld txt