From Gentoo Wiki

This guide provides documentation on how and why Gentoo utilizes Sender Policy Framework. For instructions on how to use SPF as a developer, see the documentation.

SPF for


Sender Policy Framework (SPF) is a way to fight return-path address forgery and makes it easier to identify spoofed addresses. It is NOT a spam-fighting tool in and of itself. The technology is merely a way to stop one loophole spammers use: source address spoofing.

SPF uses DNS to give mail administrators a way to tell other mail administrators what MTAs are allowed to send mail for their particular domain. Essentially, SPF allows us to say, "hey, here's the mail servers that send mail for"

Other mail administrators can then use that information to make their own decisions about what to do with mail that does or does not come from one of those servers.

For Gentoo, our SPF record is currently:

CODE SPF record
v=spf1 mx ptr include:%{l}.%{o} ?all

Which breaks down as:

v=spf1 - Use the first version of SPF.
mx - Anything that is listed as an MX record for is OK.
ptr - Any host that ends in is OK (requires a PTR record to be in place).
include:%{l}.%{o} - SPF macro to check the sending localuser and server against a more specific SPF record.
?all - If you receive an email from an MTA not on this list, please treat it neutrally (i.e. do not make decisions based solely on this fact).

The ?all is intended to be a transitional phase, with the ultimate goal being to move to ~all or even -all, which are more definitive.
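The breakdown above can be reproduced mechanically. The following is an added example, not part of the original Gentoo document: it splits the record shown on this page into terms, expands the %{l} and %{o} macros for a constructed sender address (larry@example.org is an assumption), and reports what a receiver is told about an unlisted MTA under ?all, ~all and -all. The function names are hypothetical and no DNS lookups are performed.

```python
import re

# Qualifier prefix -> result when the term matches (RFC 7208, section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The record as shown on this page.
RECORD = "v=spf1 mx ptr include:%{l}.%{o} ?all"


def expand_macros(spec, sender):
    """Expand %{l} (sender local part) and %{o} (sender domain) only."""
    local, _, domain = sender.rpartition("@")
    values = {"l": local or "postmaster", "o": domain}
    return re.sub(r"%\{([lo])\}", lambda m: values[m.group(1)], spec)


def parse_record(record, sender):
    """Return (result if matched, mechanism, expanded argument) per term."""
    version, *terms = record.split()
    if version.lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms:
        if re.match(r"[A-Za-z][\w.-]*=", term):
            continue  # modifiers (redirect=, exp=) are not mechanisms; skipped
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = body.partition(":")
        parsed.append((QUALIFIERS[qualifier], name.lower(),
                       expand_macros(arg, sender) or None))
    return parsed


def default_result(record, sender="postmaster@example.org"):
    """Result for a sending host that none of the earlier terms matched."""
    for result, name, _ in parse_record(record, sender):
        if name == "all":
            return result
    return "neutral"  # no mechanism matched and no redirect: neutral


if __name__ == "__main__":
    # larry@example.org is a constructed sender address.
    for term in parse_record(RECORD, "larry@example.org"):
        print(term)
    for tail in ("?all", "~all", "-all"):
        print(tail, "->", default_result(RECORD.replace("?all", tail)))
```

A term with no explicit qualifier defaults to "+", which is why mx, ptr and include all yield pass when they match, while only the trailing all term changes between the transitional and the stricter records.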

Some people have objected to the fact that SpamAssassin adds ~1 to the overall spam score for ?all records. SPF is a tool and, like any other tool, people can do smart things with it and they can do stupid things with it. This is not saying the SA developers are stupid -- merely that they've chosen to use the tool a certain way that conflicts with what the SPF standard calls for. As you can tell from the SA test name (SPF_NEUTRAL), SPF calls for records using ?all to treat MTAs sending mail on behalf of that domain neutrally. SPF should not be faulted if SA chooses to go another route.

SA provides users with ways of overriding or ignoring this score on a per-user basis if they wish.

Finally, it is possible to send a mail From: a email address using a non SMTP server and not run afoul of SA's SPF_NEUTRAL scoring. You can see an example here:

CODE Sending an email From: a address using a gmail account
Received: from localhost (localhost [])
        by (Postfix) with ESMTP id 7BE6EE84021
        for <>; Wed,  8 Nov 2006 14:48:57 +0000 (UTC)
X-Spam-Score: -2.546
X-Spam-Status: No, score=-2.546 required=5.5 tests=[AWL=0.054,
        BAYES_00=-2.599, SPF_PASS=-0.001]
Received: from ([])
        by localhost ( []) (amavisd-new, port 10024)
        with ESMTP id x00PknmR5qfc for <>;
        Wed,  8 Nov 2006 14:48:11 +0000 (UTC)
Received: from ( [])
        by (Postfix) with ESMTP id 867C6E84022
        for <>; Wed,  8 Nov 2006 14:48:06 +0000 (UTC)
Received: by with SMTP id l23so207071nfc
        for <>; Wed, 08 Nov 2006 06:48:05 -0800 (PST)
Received: by with SMTP id b10mr2288936nfi.1162997285044;
        Wed, 08 Nov 2006 06:48:05 -0800 (PST)
Received: by with HTTP; Wed, 8 Nov 2006 06:48:04 -0800 (PST)
Message-ID: <>
Date: Wed, 8 Nov 2006 08:48:04 -0600
Subject: check spam scores

which shows a mythical developer sending an email From: using his gmail account. Note that the SA score is actually reduced due to SPF in this particular case.

Additionally, as has been the case for months, we allow developers to relay (via aSMTP) their outbound mail through if they so choose, which also works around the specific issue with SA.

Again, SPF is a tool. Nothing more, nothing less. All we do is provide information to other mail administrators. How they decide to use it is up to them.

This page is based on a document formerly found on our main website
The following people contributed to the original document: klieber