Print

---

I have a question for anyone that has used SPF in their DNS and email 
configuration on campus. (Stephen Bogdanski raised the issue May 2007)

Sender Policy Framework, formerly Sender Permitted From, is indirectly 
supported by Exchange Server 2003 Service Pack 2.  Exchange 2003 
supports the Sender ID Framework specified by Microsoft which has as one 
of its steps a lookup of the SPF entry in DNS for the domain of the 
sending server.  (note that Microsoft created conflicts and controversy 
by linking Sender ID to SPF).

At KBS we are using Imail from Ipswitch which supports SPF directly, but 
I know many departments on campus are using Exchange servers. 

We have many users that configure their email clients to retrieve mail 
from mail.msu.edu and send mail out through mail.msu.edu, but they set 
the From: as <user>@kbs.msu.edu.  So, if we implement SPF for our 
domain, we need to define an SPF record that permits mail.msu.edu hosts 
has the sending host.  A large percentage of the spam that we receive is 
from our own addresses, which unfortunately have been posted on an 
externally accessible web page for many years.  So, we can greatly 
improve identification of spam by implementing SPF for our own domain.

SPF has been enabled on our email server for several years, and it has 
not been well used, and it has not been a problem because we simply mark 
the headers.  It could be well used if we implement it for our own 
domain (spam tagging only at the server) and then create filters in 
email clients that check for @kbs.msu.edu in the From header and 
X-IMAIL-SPAM-SPF in the header section.

I found detailed infomation about SPF and tools for testing it at 
http://www.openspf.org including information about Sender Rewriting 
Scheme (SRS, which was mentioned by Ed Kryda in May 2007).  The issue 
with SRS is that the FROM: address is compared to the last smtp host 
through which the email msg was sent out.  In the case of a user sending 
the msg through mail.msu.edu with a From address of <user>@kbs.msu.edu, 
the From address has already been rewritten.

I have tested (briefly) the following SPF entry for DNS which is 
recorded as a TXT entry for kbs.msu.edu in our Windows Server 2003 DNS 
server which is not able to create an SPF record:

v=spf1 mx ip4:35.9.75.19/24 -all

The "mx" mechanism declares that the ip addresses associated with MX 
records for kbs.msu.edu are legitimate hosts for sending kbs.msu.edu 
mail.  And the ip4 mechanism (note the absence of the letter v) declares 
ipv4 addresses that are also legitimate hosts.  "-all" declares that all 
other hosts are not legitimate (?all returns a status of NEUTRAL like 
what an external host would be assigned if the domain had no SPF record).

This SPF record supports the case where a KBS user sends a msg through 
mail.msu.edu to a user at kbs.msu.edu or mail.msu.edu, and to a user 
that forwards their mail in one hop to MSU departmental server.  If the 
mail is forwarded to a departmental server, and forwarded again (i.e. a 
second hop) to another account inside or outside MSU, then the SPF will 
not match without SRS rewriting the From: address.  If the msg is 
forwarded from msu to gmail, and forwarded again, it will be the same 
problem without SRS.

Therefore, two caveats to implementing SPF for our domain are that we 
need to limit the set of hosts through which a user can send mail with 
@kbs.msu.edu in the From header, and that recipients of our mail can 
cause our mail to be marked with an SPF failure if they forward it in 
two hops or more through non-kbs-non-mail.msu.edu servers.

Has anyone else done some testing?

Has anyone found a better way to declare the mail.msu.edu servers?  
Would a:mail.msu.edu/24 work without a performance hit? (if there is 
only one A record to look up and apply the /24 mask to, it seems like it 
will be fast to me)  Has anyone convinced the MSU mail team to create a 
TXT v=spf1 record for the host _spf.msu.edu (referred to as a subdomain 
on the openspf.org site) which can be referenced as follows:

v=spf1 mx include:_spf.msu.edu -all

I used one of the Kitterman tools linked on the openspf.org site to 
check and did not find any SPF or _spf entries for msu.edu.

Note that some servers do not permit mail sent through them with a From 
address that is not part of their domain.  For example, I tried to test 
my SPF configuration by sending a msg through smtp.att.yahoo.com with a 
 From address of <user>@kbs.msu.edu, and the SMTP server rejected my 
message and I received a popup in Thunderbird telling me of the 
rejection with a specific reference to the From address.  I respect this 
restriction, and if I really wanted to influence someone to reply to a 
different address I would use the Reply-to header, which many mail 
clients respect, but some do not allow you to specify the Reply-to in 
your outgoing mail.

-Stefan

KBS Computer Services Helpdesk:
[log in to unmask]
269-671-2100 (from campus 199-2100)

Stefan Ozminski
Computer Services
W.K. Kellogg Biological Station
Michigan State University
3700 E. Gull Lake Dr.
Hickory Corners, MI  49060
Phone: 269-671-4427 (from campus 199-4427)
[log in to unmask]