path: root/tracker/Publish_an_SPF_policy_to_the_DNS_zone.mdwn
We need to create a new subdomain `outgoing.fripost.org` whose A and
AAAA records point to the machines currently serving as outgoing SMTP
servers. Then we would add the following records to the DNS zone
([RFC 4408 section 3.1.1](https://tools.ietf.org/html/rfc4408#section-3.1.1)
recommends both SPF and TXT records, with identical content):

    outgoing.fripost.org IN SPF "v=spf1 a ~all"
    outgoing.fripost.org IN TXT "v=spf1 a ~all"
    fripost.org          IN SPF "v=spf1 redirect=outgoing.fripost.org"
    fripost.org          IN TXT "v=spf1 redirect=outgoing.fripost.org"

That essentially means that whenever someone receives a message from a
`@fripost.org` address, we can say the address hasn't been spoofed (or
has been spoofed by another Fripost member) if the message originated
from `outgoing.fripost.org` (i.e., was sent from the webmail or the Mail
Submission Agent, or was the target of an alias or subscribed to a
list). Otherwise, things are as if there were no SPF policy. With that
information at hand, the recipient may decide to classify the message as
SPAM or HAM, for instance.

If we were to disallow (we probably won't) messages from `@fripost.org`
addresses being sent from anything other than what `outgoing.fripost.org`
points to, we could replace the trailing `~all` (softfail) with `-all`
(fail).

Having an SPF policy for Fripost is also useful for domains using
fripost.org as their MX. For instance, to allow `@example.org` messages to
be sent from either `fripost.org`'s outgoing machines (without knowing
a priori what they are, which is why the SPF policy is copied) or
`example.org`'s A/AAAA records, but nothing else:

    example.org IN SPF "v=spf1 ?include:fripost.org a -all"
    example.org IN TXT "v=spf1 ?include:fripost.org a -all"

Hopefully one day we'll have DNSSEC, defeating DNS spoofing. Then the
[qualifier](https://tools.ietf.org/html/rfc4408#section-5.2) could be
changed to something tighter:

    example.org IN SPF "v=spf1 include:fripost.org a -all"
    example.org IN TXT "v=spf1 include:fripost.org a -all"

Here too, the default action `-all` (fail) could be replaced with `~all`
(softfail) to allow mail from `@example.org` addresses to be sent from
other locations, but without asserting that it isn't spoofed in that case.

If `example.org` has no A/AAAA records, or if the machines they point
to are not supposed to relay mail to the outside, one may prefer to
merely copy our policy:

    example.org IN SPF "v=spf1 redirect=outgoing.fripost.org"
    example.org IN TXT "v=spf1 redirect=outgoing.fripost.org"
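
To see how a receiver would evaluate the policies above, here is an added example (not part of the original page or of Fripost's code): a simplified RFC 4408 `check_host()` covering only `a`, `include`, `all` and `redirect`. The A/AAAA addresses are constructed documentation values, and the in-memory `TXT`/`ADDR` tables stand in for real DNS lookups.

```python
import ipaddress

# Policies are the TXT records from the page; the A/AAAA values are
# constructed documentation addresses, not Fripost's real servers.
TXT = {
    "outgoing.fripost.org": "v=spf1 a ~all",
    "fripost.org": "v=spf1 redirect=outgoing.fripost.org",
    "example.org": "v=spf1 ?include:fripost.org a -all",
}
ADDR = {
    "outgoing.fripost.org": ["192.0.2.25", "2001:db8::25"],
    "example.org": ["198.51.100.7"],
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, txt=TXT, depth=0):
    """Simplified RFC 4408 check_host(): a, include, all and redirect only."""
    record = txt.get(domain, "")
    if depth > 10:
        return "permerror"  # too many nested lookups
    if record.split()[:1] != ["v=spf1"]:
        return "none"  # no SPF policy published for this domain
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term[len("redirect="):]
            continue
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "a":  # sender IP is one of the A/AAAA addresses
            addrs = ADDR.get(arg or domain, [])
            matched = ipaddress.ip_address(ip) in map(ipaddress.ip_address, addrs)
        elif name == "include":
            inner = check_host(ip, arg, txt, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # fail/softfail/neutral: keep going
        else:
            return "permerror"  # mechanism outside this sketch
        if matched:
            return QUALIFIER[qual]
    if redirect:  # only reached when no mechanism matched
        result = check_host(ip, redirect, txt, depth + 1)
        return "permerror" if result == "none" else result
    return "neutral"
```

With `?include:fripost.org`, mail for `example.org` relayed through the outgoing machines evaluates to `neutral`; with the tighter `include:fripost.org` it evaluates to `pass`. A softfail inside the included policy does not match, so evaluation continues to `a` and `-all`.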

References: RFCs [4408](https://tools.ietf.org/html/rfc4408) and
[6652](https://tools.ietf.org/html/rfc6652); see also the
[Wikipedia page](https://en.wikipedia.org/wiki/Sender_Policy_Framework).