I have a question for anyone that has used SPF in their DNS and email configuration on campus. (Stephen Bogdanski raised the issue May 2007) Sender Policy Framework, formerly Sender Permitted From, is indirectly supported by Exchange Server 2003 Service Pack 2. Exchange 2003 supports the Sender ID Framework specified by Microsoft which has as one of its steps a lookup of the SPF entry in DNS for the domain of the sending server. (note that Microsoft created conflicts and controversy by linking Sender ID to SPF). At KBS we are using Imail from Ipswitch which supports SPF directly, but I know many departments on campus are using Exchange servers. We have many users that configure their email clients to retrieve mail from mail.msu.edu and send mail out through mail.msu.edu, but they set the From: as <user>@kbs.msu.edu. So, if we implement SPF for our domain, we need to define an SPF record that permits mail.msu.edu hosts has the sending host. A large percentage of the spam that we receive is from our own addresses, which unfortunately have been posted on an externally accessible web page for many years. So, we can greatly improve identification of spam by implementing SPF for our own domain. SPF has been enabled on our email server for several years, and it has not been well used, and it has not been a problem because we simply mark the headers. It could be well used if we implement it for our own domain (spam tagging only at the server) and then create filters in email clients that check for @kbs.msu.edu in the From header and X-IMAIL-SPAM-SPF in the header section. I found detailed infomation about SPF and tools for testing it at http://www.openspf.org including information about Sender Rewriting Scheme (SRS, which was mentioned by Ed Kryda in May 2007). The issue with SRS is that the FROM: address is compared to the last smtp host through which the email msg was sent out. In the case of a user sending the msg through mail.msu.edu with a From address of <user>@kbs.msu.edu, the From address has already been rewritten. I have tested (briefly) the following SPF entry for DNS which is recorded as a TXT entry for kbs.msu.edu in our Windows Server 2003 DNS server which is not able to create an SPF record: v=spf1 mx ip4:35.9.75.19/24 -all The "mx" mechanism declares that the ip addresses associated with MX records for kbs.msu.edu are legitimate hosts for sending kbs.msu.edu mail. And the ip4 mechanism (note the absence of the letter v) declares ipv4 addresses that are also legitimate hosts. "-all" declares that all other hosts are not legitimate (?all returns a status of NEUTRAL like what an external host would be assigned if the domain had no SPF record). This SPF record supports the case where a KBS user sends a msg through mail.msu.edu to a user at kbs.msu.edu or mail.msu.edu, and to a user that forwards their mail in one hop to MSU departmental server. If the mail is forwarded to a departmental server, and forwarded again (i.e. a second hop) to another account inside or outside MSU, then the SPF will not match without SRS rewriting the From: address. If the msg is forwarded from msu to gmail, and forwarded again, it will be the same problem without SRS. Therefore, two caveats to implementing SPF for our domain are that we need to limit the set of hosts through which a user can send mail with @kbs.msu.edu in the From header, and that recipients of our mail can cause our mail to be marked with an SPF failure if they forward it in two hops or more through non-kbs-non-mail.msu.edu servers. Has anyone else done some testing? Has anyone found a better way to declare the mail.msu.edu servers? Would a:mail.msu.edu/24 work without a performance hit? (if there is only one A record to look up and apply the /24 mask to, it seems like it will be fast to me) Has anyone convinced the MSU mail team to create a TXT v=spf1 record for the host _spf.msu.edu (referred to as a subdomain on the openspf.org site) which can be referenced as follows: v=spf1 mx include:_spf.msu.edu -all I used one of the Kitterman tools linked on the openspf.org site to check and did not find any SPF or _spf entries for msu.edu. Note that some servers do not permit mail sent through them with a From address that is not part of their domain. For example, I tried to test my SPF configuration by sending a msg through smtp.att.yahoo.com with a From address of <user>@kbs.msu.edu, and the SMTP server rejected my message and I received a popup in Thunderbird telling me of the rejection with a specific reference to the From address. I respect this restriction, and if I really wanted to influence someone to reply to a different address I would use the Reply-to header, which many mail clients respect, but some do not allow you to specify the Reply-to in your outgoing mail. -Stefan KBS Computer Services Helpdesk: [log in to unmask] 269-671-2100 (from campus 199-2100) Stefan Ozminski Computer Services W.K. Kellogg Biological Station Michigan State University 3700 E. Gull Lake Dr. Hickory Corners, MI 49060 Phone: 269-671-4427 (from campus 199-4427) [log in to unmask]