Sender Policy Framework – Option to Battle Spam

By Blane Warrene

The Sender Policy Framework (SPF) was developed by Meng Weng Wong as a fork of Hadmut Danisch’s RMX and Gordon Fecyk’s DMP, both earlier efforts to battle email spam that is based, for the most part, on domain forging.

Wong is the founder and CTO of and in 2004 and Microsoft jointly submitted a draft for RFC status to the Internet Engineering Task Force (IETF) for SPF and Sender ID (developed by Microsoft). There was controversy around Microsoft’s Sender ID because Microsoft filed for patents on part of the process, which could hinder it from becoming a global open standard. The IETF abandoned consideration of the joint proposal for RFC status in late 2004. Microsoft has since re-submitted a new draft of Sender ID to the IETF.

SPF for the time being is back on its own – and it is believed to be in use by more than one million domains.

SPF seeks to battle spam by rejecting email in which the sender domain (namely, a domain under your management) is forged. This is done through DNS: the zone for your domain specifies the only hosts authorized to send mail from that domain, and those hosts are reconciled to a public IP address.

Thus, when someone forges the domain name, the mail is rejected because it does not match any of the approved entries in DNS. Similar to pure spam tools, there is whitelisting for exceptions and some control over whether mail found to be forged is bounced, tagged or allowed through. This latter option helps with implementation testing prior to any serious use in production.

There is some debate about whether SMTP authentication (SASL) should be mandatory when using SPF. I have set up systems that use POP before SMTP as well as SASL, and could not imagine not using any sort of outgoing restrictions; however, not every environment is ready for SMTP authentication. That part is up to the system administrator and users.

A very basic SPF DNS record would look like this:

"v=spf1 a ~all"

This is SPF at its elementary level for basic setups. This addition to your DNS record states the domain is the A record and also sends mail out from In this case the DNS zone did not have an MX record.

It does, of course, support standard scenarios, such as where MX records exist and a third party may also send mail from your domain (e.g. an e-newsletter service like sparklist).

"v=spf1 mx ~all"

This entry states mail sent through the MX record of your domain as well as originating from (an email newsletter) is legitimate.

The record can continue to grow by adding additional hosts and MX records to account for all hosts that can send mail for a specific domain.
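The receiver-side check described above, as an added example that is not part of the original article: it evaluates an SPF record left to right against the connecting IP and maps the result to the bounce, tag or allow choice. The DNS table, example.com, the documentation-range addresses and all function names are constructed for illustration. Only the a, mx, ip4 and all mechanisms are handled, and ip4 goes slightly beyond the records shown on this page.

```python
import ipaddress

# Constructed DNS data (documentation address ranges), standing in for real lookups.
DNS = {
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("example.com", "TXT"): ["v=spf1 a mx ip4:198.51.100.0/24 ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name, rtype), [])


def mechanism_matches(mech, domain, ip):
    """Return True if one SPF mechanism authorizes the connecting IP."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":
        return ip in ipaddress.ip_network(arg, strict=False)
    target = arg or domain
    if name == "a":
        hosts = [target]
    elif name == "mx":
        hosts = lookup(target, "MX")
    else:
        raise ValueError(f"mechanism not handled in this sketch: {mech}")
    return any(ip == ipaddress.ip_address(a) for h in hosts for a in lookup(h, "A"))


def check_spf(domain, client_ip):
    """Evaluate the domain's SPF record left to right; the first match decides."""
    records = [r for r in lookup(domain, "TXT") if r.split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return "none" if not records else "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if mechanism_matches(term.lower(), domain, ip):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all" term


def disposition(result):
    """Receiver policy: the bounce / tag / allow choice described in the article."""
    return {"fail": "reject", "softfail": "tag"}.get(result, "accept")
```

With `~all`, mail from an unlisted host is only tagged, which suits the testing phase; switching the record to `-all` makes the same host produce `fail` and a rejection.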

Adding an SPF record to DNS is straightforward. In BIND environments it is added into the zone file as: IN TXT "v=spf1 mx ~all"

It is added to Windows DNS as an “other new record” and selected as a text record.

Before changing DNS, though, you also have to ensure your MTA supports it. Of the three most popular open source MTAs, Postfix comes readily prepared for SPF with an included plug-in called libspf2. Sendmail is relatively straightforward to update for the process, with Qmail requiring easier than usual patching (surprise!).

For those using Exim, there is an SPF how-to as well.

  • tcwatts

    You have an error in the first link.

  • jiggy

    Arg. I’m a long time computer user and have even
    worked some high level IT positions. Unfortunately not
    much exposure to Linux, but I have certainly dabbled in
    FreeBSD for webservers (apache/mysql/php) Lots of
    phpnuke, phpbb, and a few others at the moment.
    I always thought a blog that could be e-mailed would be
    sweet and lo and behold I’ve found EasyMoBlog. Kick ass.
    So I’ve just purchased a Laptop and converted my old PC
    to a FreeBSD server. I had a real heck of a time
    getting FreeBSD 5.3-release installed, not to mention
    (#$@*&% apache, $(*##(#*$& mysql and ($@#*&%#@(*& PHP4.

    I have the following installed:
    mod_php4-4.3.9, along with
    php4-openssl-4.3.9 and of course who can forget


    mysql 4.0.21 (don’t get me started on this)

    Mostly installed via Packages but I also have two
    ports; mod_php4 and php4-gd

    I have perl 5.6 and 5.8 installed along with a bunch of
    other crap that probably doesn’t matter.

    I’m just trying to install EasyMoBlog 5.1 but I can’t quite get there no matter how many hours and bookmarks and attempts I make. My error is: You need to activate session support in your PHP configuration

    I’ve spent literally days trying to figure out how to
    enable sessions in PHP, how to reinstall PHP so that I
    have –with_sessions_enabled, etc etc.

    I need a buddy. I need some support. I think I need
    someone to tell me to reinstall from fresh and follow a
    certain webpage or a how-to to the letter. I’m better
    at learning by example and by doing, than by sitting
    down and reading the book, “Build Interactive Online
    Websites using FreeBSD, Apache, mySQL and PHP.” Plus
    I found a windows rootkit in one of the rar’d ebooks I
    downloaded off of usenet.

  • Ack! Thanks for catching that! Fixed.