SPF detailed 2

Source: Internet
Author: User
Tags domain name server mx record sender policy framework

What is SPF? The SPF here is not a sunscreen index, but the sender Policy Framework. Translation is the originator of the policy framework, relatively awkward, usually directly referred to as SPF. SPF is a DNS-related technology whose contents are written in the DNS TXT type record. The purpose of the MX record is to indicate to the sender what the mail server for a domain name is. The role of SPF, in contrast to MX, indicates to the recipient that which mail servers are sent via a domain name endorsement. As can be seen from the definition, the role of SPF is mainly anti-spam, mainly for those who forged the domain name of the sender of Spam mail. For example: When the Coremail mail server receives a message claiming that the sender is [email protected], then does it really gmail.com the mail server? Then we can query the SPF record of gmail.com. some knowledge about SPFIn the current market, many mail systems and vendors have started to support SPF, such as 163.com, then how to get the SPF value of 163.com? In the CMD environment, type: Nslookupset type=txt163.com will get the following result: 163.com text = "V=spf1 Include:spf.163.com-all" Where: = "v=spf1 include: Spf.163.com-all "is the SPF value of 163.com. This data shows which of the 163.com valid legitimate servers are! So how do we create it? Enter the domain name resolution create a TXT record and fill in the correct SPF data to take effect. Enable the SPF feature in mdaemon7.x and make the appropriate adjustments. In addition, the 8.x version adds a new Domainkey signature, but MDaemon has automatically created it for you. also give everyone a Web site, very practicalhttp://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/This URL is a wizard website that creates SenderID, He can help you create a SenderID value. SenderID (Sender identification technology). SPF (senderpolicyframework, Sender Policy framework). SenderID technology, like SPF, is a technology that authenticates e-mail sender identities with IP (Internet Protocol) addresses. Introduction to SPF SPF is the sender policy framework, hoping to become an anti-counterfeiting standard to prevent fake email addresses. This article provides a brief introduction to SPF and introduces some of its advantages and disadvantages. SPF was born in 2003, and its creator Meng Weng Wong combined the advantages of reverse MX Domain name resolution (Reverse MX) and DMP (designated Mailer Protocol) for SPF life. SPF uses the Return-path (or mail from) field in the E-mail header information, because all MTA can process messages that contain these fields. But Microsoft has also proposed a method called PRA (purported Responsible Address). PRA corresponds to the address of the end user used by MUA (for example, Thunderbird). This way, when we combine SPF with PRA, we can get the so-called "Sender ID". Sender ID allows recipients of e-mail to verify the legality of the message by checking mail from and PRA.  It is argued that the MAIL from check is performed by the MTA, while the PRA check is done by MUA. In fact, SPF requires DNS to work in a certain way. That is, you must provide the so-called "reverse MX Resolution" records that are used to resolve the sending host for messages from a given domain name. This does not work with the MX record currently in use, which is used to resolve the host that receives the message for a given domain name. What are the requirements for SPF? To protect your system with SPF, you must:Configure DNS, add TXT Records, and hold information about SPF queries. Configure your e-mail system (qmail, SendMail) to use SPF, which means verifying every incoming message on the server. The first step above is to make adjustments on the domain name server to which the mail server belongs, and in the next section we will discuss the details of this record. The first thing you need to determine is the syntax used by your domain name server (bind,djbdns). But don't worry, SPF's official website provides a handy guide to how you can add records. TXT record for SPFThe SPF record is included in a TXT record in the following format: V=SPF1 [[Pre] type [ext]] ... [MoD]

The meaning of each parameter is shown in the following table:

Parameters Describe
V=spf1 The version of SPF. If you use the Sender ID, this field should be V=SPF2
Pre The return value when the match is defined.
Possible return values include the following:
return value Describe
+ The default value. Pass when the test is complete.
- Indicates that the test failed. This value is usually-all, indicating that no other match has occurred.
~ Indicates a soft failure, usually indicating that the test was not completed.
? Express a noncommittal. This value is also usually used when the test is not completed.
Type Defines the type of validation test used.
Possible values include the following:
Candidate values Describe
Include Tests that contain a given domain name are written in include:domain form.
All Terminates the test sequence. For example, if the option is-all, then reaching this record means that the test failed. However, if you are unsure, you can use "? All" to indicate that the test will be accepted.
Ip4 Use IPV4 for validation. This can be used in the form of Ip4:ipv4 or IP4:IPV4/CIDR. It is recommended to use this parameter to reduce the load on the domain name server.
Ip6 Use IPV6 for validation.
A Use a domain name for validation. This will cause a one-RR query to be made to the domain name server. Can be used in the form of A:domain, A:DOMAIN/CIDR or A/CIDR.
Mx Use DNS MX RR for authentication.  The MX RR defines the receiving MTA, which may be different from the sender's MTA, and the MX-based test will fail. MX validation can be done in Mx:domain, MX:DOMAIN/CIDR, or Mx/cidr form.
Ptr The PTR RR for the domain name server is used for authentication. At this point, SPF uses PTR RR and reverse graph to query. If the host name returned is within the same domain name, the validation is passed. The notation for this parameter is Ptr:domain
Exist Verify the existence of the domain name. Can be written in exist:domain form.
Ext Defines an optional extension to the type. If this field is not available, then only a single record is used to inquire.
MoD This is the last type indication, as a correction value for the record.
Fixed value Describe
redirect Redirect the query, using the given domain name for the SPF record. Used in a redirect=domain manner.
Exp This record must be the last one, allowing a custom failure message to be given. In txt ' v=spf1 mx-all exp=getlost.example.com ' getlost in txt ' You is not ' authorized to send mail for the DOMA In "
Hey, man! I'm an ISP .The ISP implementation SPF may cause some trouble for users who are roaming (roaming), and the problem arises when these users are accustomed to using Pop-before-relay to process messages instead of SASL SMTP. Well, if you're an ISP plagued by spam and address spoofing, you'll have to consider your email strategy and start using SPF. here are a few steps you can consider. First set up your MTA to use SASL, for example, you can use it on ports 25 and 587. Tell your users that you have used this strategy (spf.pobox.com gives an example of a notification, see references). Give your users a grace period, that is, add your SPF record to the domain name server, but use "soft failure" (~all) instead of "failed" (-all). In this way, you protect your servers, your customers, and the world from Spam and other problems. There is a lot of information on the SPF official site, what are you waiting for? What's there to worry about?SPF is a perfect protection for deception. But it has a limitation: the traditional way of mail forwarding is no longer valid. You can't just accept the message from your MTA and simply resend it. You must rewrite the sending address. Common MTA patches can be found on the SPF Web site. In other words, if you add an SPF record to a domain name server, you'll have to update your MTA to send address rewriting, even if you haven't checked the SPF record yet. ConclusionYou may think that the implementation of SPF is a bit difficult to understand. But it's not complicated, and there's a good guide to help you with the conversion (see Reference). If you are bothered by spam, SPF will help you protect your domain from fake email addresses, all you have to do is add a line of text to your domain name server and configure your email server. There are many advantages to SPF. However, as I have said to some people, this is not attainable overnight, and the benefits of SPF will be manifested by the accumulation of time, which can be clearly seen when others use it. I also mentioned Sender ID, which is related to SPF, but I did not explain it. Maybe you already know the reason, Microsoft's strategy has always been so---software patents. In the reference, you can see openspf.org's position statement for Sender ID. I just want to give you a brief description of SPF. If you are interested in this and want to learn more, you can read the references and the content of this article comes from here. Troubleshoot SPF check issues with the MT send email notification to GmailBlog system has a very useful function is to send message message notification: But sent to Gmail mailbox notification letter will be marked as spam. The reason is that the Spf:sender Policy Framework (SPF) to do sender verification, and the Mt set is the sender of the message is the message address, and the return address is the MT system is located on the server's mailbox. Received-spf:neutral (google.com: is neither permitted nor denied by domain of [email protected]) my web server There is no mail system on it. So it is not possible to pass SPF check, there is strict SPF check this is the reason that gmail relative spam less. How to fix it:1 Add mail system, set up MX record and so on, need to learn a lot of things; 2 The simplest is to send to the mail system does not support SPF verification, and then forwarded to Gmail, this time the return address has been forward mailbox: Received-spf:pass (google.com: Domain of ##### @yeah. NET designates as permitted sender) What is SPF? SPF is an abbreviation for the Sender Policy framework (sender policies) and is gradually becoming an anti-counterfeiting standard to prevent forgery of e-mail addresses. Your domain administrator or hosting company only needs to publish SPF records in the Domain Name System (DNS). These simple text records identify the authorized e-mail sending server (by listing the IP addresses of those servers). The e-mail receiving system checks whether the message is from a properly authorized e-mail sending server. Check the steps below, after the sender sends an e-mail message to the receiver, the mail receiving server receives the e-mail message and does the following: • Check which domain claims to have sent the message and check the DNS of the domain's SPF record. • Determine if the IP address of the sending server matches one of the published IP addresses in the SPF record. • Rate e-mails: If the IP address matches, the message is authenticated and a positive score is obtained. If the IP address does not match, the message cannot be authenticated and a negative score is obtained. These results are then applied to existing anti-spam filtering policies and heuristic filters. To add SPF settings to your mail server, refer to the Chicheng article: the Add an SPF record for your mail server " What is SPFis the sender Policy Framework. SPF prevents others from forging you to send emails, and is a solution for anti-counterfeiting messages. After you have defined your domain name's SPF record, the receiving party will determine whether the IP address you are connecting to is included in the SPF record, based on your SPF record, or if it is considered to be a correct message, otherwise it is considered a forged message. For more detailed information, please refer to RFC4408 (http://www.ietf.org/rfc/rfc4408.txt) How to increase SPF recordsVery simple, add a TXT record in DNS. Login http://www.openspf.org/wizard.html Enter your domain name in it, click Begin, and then automatically get some information about your domain name. A record of your domain name, the general choice is yes, because he may send mail. MX is generally also YES,MX server will have to return the letter and so on. PTR select No, officially recommended. A: Is there any other level two domain name? For example: bbs.extmail.org and www are not on a server, then fill in bbs.extmail.org. otherwise empty. MX: There are no other MX records in general. IP4: Do you have any other IP letters? Perhaps your SMTP server is independent, then fill in your IP address or network segment. Include: if it is possible to send a letter through an ISP, this has its own SPF record, then fill in the domain name of the ISP, for example: Sina.com~all: It means that except for the above, the others are not recognized. Yes, of course. OK, click Continue ..... An SPF record is automatically generated, such as extmail.org v=spf1 a MX ~all and below tells you how to add a extmail.org to your bind. In TXT "v=spf1 a mx ~all" Join your bind and then NDC reload. Check: DIG-T txt extmail.org article turn from: Xu blog (cool postman) http://www.chinaemail.com.cn/blog/content/459/

SPF detailed 2

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.