I have a question for anyone that has used SPF in their DNS and email
configuration on campus. (Stephen Bogdanski raised the issue May 2007)
Sender Policy Framework, formerly Sender Permitted From, is indirectly
supported by Exchange Server 2003 Service Pack 2. Exchange 2003
supports the Sender ID Framework specified by Microsoft which has as one
of its steps a lookup of the SPF entry in DNS for the domain of the
sending server. (note that Microsoft created conflicts and controversy
by linking Sender ID to SPF).
At KBS we are using Imail from Ipswitch which supports SPF directly, but
I know many departments on campus are using Exchange servers.
We have many users that configure their email clients to retrieve mail
from mail.msu.edu and send mail out through mail.msu.edu, but they set
the From: as <user>@kbs.msu.edu. So, if we implement SPF for our
domain, we need to define an SPF record that permits mail.msu.edu hosts
has the sending host. A large percentage of the spam that we receive is
from our own addresses, which unfortunately have been posted on an
externally accessible web page for many years. So, we can greatly
improve identification of spam by implementing SPF for our own domain.
SPF has been enabled on our email server for several years, and it has
not been well used, and it has not been a problem because we simply mark
the headers. It could be well used if we implement it for our own
domain (spam tagging only at the server) and then create filters in
email clients that check for @kbs.msu.edu in the From header and
X-IMAIL-SPAM-SPF in the header section.
I found detailed infomation about SPF and tools for testing it at
http://www.openspf.org including information about Sender Rewriting
Scheme (SRS, which was mentioned by Ed Kryda in May 2007). The issue
with SRS is that the FROM: address is compared to the last smtp host
through which the email msg was sent out. In the case of a user sending
the msg through mail.msu.edu with a From address of <user>@kbs.msu.edu,
the From address has already been rewritten.
I have tested (briefly) the following SPF entry for DNS which is
recorded as a TXT entry for kbs.msu.edu in our Windows Server 2003 DNS
server which is not able to create an SPF record:
v=spf1 mx ip4:35.9.75.19/24 -all
The "mx" mechanism declares that the ip addresses associated with MX
records for kbs.msu.edu are legitimate hosts for sending kbs.msu.edu
mail. And the ip4 mechanism (note the absence of the letter v) declares
ipv4 addresses that are also legitimate hosts. "-all" declares that all
other hosts are not legitimate (?all returns a status of NEUTRAL like
what an external host would be assigned if the domain had no SPF record).
This SPF record supports the case where a KBS user sends a msg through
mail.msu.edu to a user at kbs.msu.edu or mail.msu.edu, and to a user
that forwards their mail in one hop to MSU departmental server. If the
mail is forwarded to a departmental server, and forwarded again (i.e. a
second hop) to another account inside or outside MSU, then the SPF will
not match without SRS rewriting the From: address. If the msg is
forwarded from msu to gmail, and forwarded again, it will be the same
problem without SRS.
Therefore, two caveats to implementing SPF for our domain are that we
need to limit the set of hosts through which a user can send mail with
@kbs.msu.edu in the From header, and that recipients of our mail can
cause our mail to be marked with an SPF failure if they forward it in
two hops or more through non-kbs-non-mail.msu.edu servers.
Has anyone else done some testing?
Has anyone found a better way to declare the mail.msu.edu servers?
Would a:mail.msu.edu/24 work without a performance hit? (if there is
only one A record to look up and apply the /24 mask to, it seems like it
will be fast to me) Has anyone convinced the MSU mail team to create a
TXT v=spf1 record for the host _spf.msu.edu (referred to as a subdomain
on the openspf.org site) which can be referenced as follows:
v=spf1 mx include:_spf.msu.edu -all
I used one of the Kitterman tools linked on the openspf.org site to
check and did not find any SPF or _spf entries for msu.edu.
Note that some servers do not permit mail sent through them with a From
address that is not part of their domain. For example, I tried to test
my SPF configuration by sending a msg through smtp.att.yahoo.com with a
From address of <user>@kbs.msu.edu, and the SMTP server rejected my
message and I received a popup in Thunderbird telling me of the
rejection with a specific reference to the From address. I respect this
restriction, and if I really wanted to influence someone to reply to a
different address I would use the Reply-to header, which many mail
clients respect, but some do not allow you to specify the Reply-to in
your outgoing mail.
-Stefan
KBS Computer Services Helpdesk:
[log in to unmask]
269-671-2100 (from campus 199-2100)
Stefan Ozminski
Computer Services
W.K. Kellogg Biological Station
Michigan State University
3700 E. Gull Lake Dr.
Hickory Corners, MI 49060
Phone: 269-671-4427 (from campus 199-4427)
[log in to unmask]
|