Project:Infrastructure/SPF

From Gentoo Wiki
Jump to:navigation Jump to:search

This guide provides documentation on how and why Gentoo utilizes Sender Policy Framework. For instructions on how to use SPF as a developer, see the documentation.

SPF for gentoo.org

Background

Sender Policy Framework (SPF) is a way to fight return-path address forgery and makes it easier to identify spoofed addresses. It is NOT a spam fighting tool in and of itself. The technology is merely a way to stop one loophole spammers use: source address spoofing.

SPF uses DNS to give mail administrators a way to tell other mail administrators what MTAs are allowed to send mail for their particular domain. Essentially, SPF allows us to say, "hey, here's the mail servers that send mail for gentoo.org"

Other mail administrators can then use that information to make their own decisions about what to do with mail that does or does not come from one of those servers.

Gentoo.org

For Gentoo, our SPF record is currently:

CODE gentoo.org SPF record
v=spf1 mx ptr include:%{l}.%{o}.spf.gentoo.org. ?all

Which breaks down as:

spf1
Use the first version of SPF.
mx
Anything that is listed as an MX record for gentoo.org is OK .
ptr
Any host that ends in gentoo.org is OK (requires a PTR record to be in place).
include:%{l}.%{o}.spf.gentoo.org.
SPF macro to check the sending localuser and server against a more specific SPF record.
?all
If you receive an email from an MTA not on this list, please treat it neutrally (i.e. do not make decisions based solely on this fact).

The ?all is intended to be a transitional phase, with the ultimate goal being to move to ~all or even -all, which are more definitive.

Some people have objected to the fact that SpamAssassin adds ~1 to the overall spam score for ?all records. SPF is a tool and, like any other tool, people can do smart things with it and they can do stupid things with it. This is not saying the SA developers are stupid -- merely that they've chosen to use the tool a certain way that conflicts with what the SPF standard calls for. As you can tell from the SA test name (SPF_NEUTRAL), SPF calls for records using ?all to treat MTAs sending mail on behalf of that domain neutrally. SPF should not be faulted if SA chooses to go another route.

SA provides users with ways of overriding or ignoring this score on a per-user basis if they wish.

Finally, it is possible to send a mail From: a gentoo.org email address using a non gentoo.org SMTP server and not run afoul of SA's SPF_NEUTRAL scoring. You can see an example here:

CODE Sending an email From: a gentoo.org address using a gmail account
Return-Path: john.doe@gmail.com
Delivered-To: john@doe.com
Received: from localhost (localhost [127.0.0.1])
        by mail.domain.com (Postfix) with ESMTP id 7BE6EE84021
        for <john@doe.com>; Wed,  8 Nov 2006 14:48:57 +0000 (UTC)
X-Spam-Score: -2.546
X-Spam-Level:
X-Spam-Status: No, score=-2.546 required=5.5 tests=[AWL=0.054,
        BAYES_00=-2.599, SPF_PASS=-0.001]
Received: from mail.domain.com ([127.0.0.1])
        by localhost (mail.domain.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id x00PknmR5qfc for <john@doe.com>;
        Wed,  8 Nov 2006 14:48:11 +0000 (UTC)
Received: from nf-out-0910.google.com (nf-out-0910.google.com [64.233.182.189])
        by mail.domain.com (Postfix) with ESMTP id 867C6E84022
        for <john@doe.com>; Wed,  8 Nov 2006 14:48:06 +0000 (UTC)
Received: by nf-out-0910.google.com with SMTP id l23so207071nfc
        for <john@doe.com>; Wed, 08 Nov 2006 06:48:05 -0800 (PST)
Received: by 10.48.254.10 with SMTP id b10mr2288936nfi.1162997285044;
        Wed, 08 Nov 2006 06:48:05 -0800 (PST)
Received: by 10.49.39.10 with HTTP; Wed, 8 Nov 2006 06:48:04 -0800 (PST)
Message-ID: <c6bb36ba0611080648pece99bds31207e7d137618a8@mail.gmail.com>
Date: Wed, 8 Nov 2006 08:48:04 -0600
From: johndoe@gentoo.org
Sender: john.doe@gmail.com
To: john@doe.com
Subject: check spam scores

which shows a mythical developer sending an email From: johndoe@gentoo.org using his gmail account. Note that the SA score is actually reduced due to SPF in this particular case.

Additionally, as has been the case for months, we allow developers to relay (via aSMTP) their outbound gentoo.org mail through dev.gentoo.org if they so choose, which also works around the specific issue with SA.

Again, SPF is a tool. Nothing more, nothing less. All we do is provide information to other mail administrators. How they decide to use it is up to them.


This page is based on a document formerly found on our main website gentoo.org.
The following people contributed to the original document: klieber
They are listed here because wiki history does not allow for any external attribution. If you edit the wiki article, please do not add yourself here; your contributions are recorded on each article's associated history page.