Sender Policy Framework (SPF) allows domain owners to state in their DNS records which IP addressess should be allowed to send mails from their domain. This will prevent spammers from spoofing the
If your ISP blocks incoming traffic on port 25 and relays all mail to you through their own mail server, SPF will not work.
First, domain owners have to create a special
TXT DNS record. Then an SPF-enabled MTA can read this and if the mail originates from a server that is not described in the SPF record the mail can be rejected. An example entry could look like this:
domain.tld. IN TXT "v=spf1 a mx ptr -all"
-all means to reject all mail by default but allow mail from the
mx ) and
ptr ) DNS records. For more info consult further resources below.
If you relay outgoing mail through your ISP you will have to add:
Apparently there are now a few different SPF-related packages in portage:
All seem well used implementations.
If you are on an IP address whose reverse DNS lookup is not correct or is not possible to configure, then you may encounter issues with the perl implementation, as it seems to insist on reverse DNS lookups.
Apparently old/outdated info based on perl implementation
grab the spf.pl with:
cp postfix-<version>/examples/smtpd-policy/spf.pl /usr/local/bin/
The spf.pl coming with Postfix around v2.1 is slightly buggy so find and uncomment the following line:
push @HANDLERS, "sender_permitted_from"; use Mail::SPF::Query; . Furthermore in about line 199 substitute
comment . Alternatively you can download a development version .
This Perl script also needs some Perl libraries that are not in portage but it is still quite simple to install them:
emerge Mail-SPF-Query Net-CIDR-Lite Sys-Hostname-Long
Now that we have everything in place all we need is to configure Postfix to use this new policy.
policy-spf unix - n n - - spawn
user=nobody argv=/usr/bin/perl /usr/local/bin/spf.pl
Now add the SPF check in main.cf . Properly configured SPF should do no harm so we could check SPF for all domains:
# (Under smtpd_recipient_restrictions add:)
If you're experiencing problems with SPF, e.g. when using
fetchmail , you might want to enable SPF for certain domains only.
A restart or reload may be required to synchronize this new record to the secondary servers and propagated through the DNS system. Once the record is visible in the DNS system, it will begin to be used. Keep this in mind if testing fails, check the domain's TXT record(s).
dig domain.tld txt
Or, the same command using a specific DNS server.
dig @some.dns.server.tld domain.tld txt