SPF
The issue with email is that a receiving computer has no way of knowing who is authorised to send email for a given domain. This is where SPF, the Sender Policy Framework, comes in.
Enforcing email sources
SPF is a framework that lets domain admins publish a list of the mail transfer agents authorised to deliver email on their behalf. This helps the recipient decide whether the email is spam or not.
It also enables recipients to validate the transfer agent's identity.
Protocols used in email transfer
When it comes to sending an email:
- We determine the IP address to send the email to (Internet Protocol)
- Then we establish a TCP connection with the recipient we wish to send email to (Transmission Control Protocol)
- Exchange messages using SMTP (Simple Mail Transfer Protocol)
So SMTP is used over the TCP connection.
Components of an SMTP mail transmission
EHLO <domain.com>
MAIL FROM: <myemail@domain.com>
RCPT TO: Recipient email address
DATA
Date: A date, month, year
From: Johno
Subject: This is an email example
To: Recipient email address
What does SPF protect?
Within an SMTP mail transmission, the only information the recipient sees is in the 'DATA' command. For SPF, the field we really care about is 'MAIL FROM:': we validate this identity and check whether it is authorised to send mail from the domain. The one caveat is that if MAIL FROM is null, SPF validates postmaster@<EHLO domain> instead.
How does it work?
There are typically three components:
- A mail transfer agent who is sending the email
- The recipient
- A DNS Server
The mail transfer agent sends an email to its recipient and, in doing so, reveals its own IP address (the source of the TCP connection). It also states where the mail originated from. The recipient then wants to validate the sender based on that IP address. To do this the recipient queries the DNS server to work out who may send email on behalf of the domain name.
- The email is received
- The recipient queries the DNS server for the TXT records of the MAIL FROM domain name
- SPF evaluation is performed on the record found; this sometimes triggers additional DNS queries
- Email delivered or rejected
SPF Format
The SPF record must be published as a DNS record of type TXT.
It must start with v=spf1, which is what identifies an SPF record. This is followed by a list of qualifier and mechanism pairs.
It ends with an optional list of modifiers.
Mechanisms are evaluated left to right until a match is found. However, you can only have one modifier of each type.
Evaluation results
There are 7 results from an SPF evaluation.
- None: No SPF record found
- Neutral: SPF record was found but no decision made
- Pass: IP address authorised
- Fail: IP address not authorised
- Softfail: IP address is probably not authorised
- Temperror: Most likely a DNS timeout or other transient error
- Permerror: DNS records were not understood
SPF Qualifiers
There are 4 possible qualifiers:
- + Pass (if the mechanism matches, the sender is authorised)
- - Fail (not authorised)
- ? Neutral
- ~ Softfail
Basic mechanisms
- all - always matches, so it should be the rightmost (last) mechanism.
- include:domain - matches if the SPF evaluation of the given domain results in a pass.
Designated Sender
- a:domain - IP address must be in the domain's A or AAAA record
- mx:domain - IP address is one of the hosts in the domain's MX records
- ip4:network - IP address is within the given IPv4 network
- ip6:network - the same as above, but for IPv6
SPF modifiers
redirect=domain - If no mechanism in the current record matches, evaluation is redirected to the SPF record of the given domain. Useful for subdomains.
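A minimal SPF evaluator written for these notes (an added example, not from the original page) that applies the qualifier, mechanism and modifier rules above to a sender IP. It uses a constructed in-memory table in place of real DNS TXT lookups, handles ip4, ip6, include, all and redirect=, and does not model a:/mx:, which would need A/MX lookups.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline;
# names and addresses are documentation/test ranges, not real senders.
FAKE_DNS = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 include:mail.example.test -all",
    "mail.example.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "sub.example.test": "v=spf1 redirect=example.test",
    "loop.test": "v=spf1 include:loop.test -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate sender IP against domain's SPF record; returns one of the
    seven SPF results. a:/mx:/exists:/ptr: are not modelled (permerror)."""
    if depth > 10:                          # recursion bound (RFC 7208 limits DNS-querying terms)
        return "permerror"
    record = dns.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"                       # no record, or not an SPF record
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:    # modifier (name=value): applied after mechanisms
            key, _, val = term.partition("=")
            if key.lower() == "redirect":
                redirect = val
            continue                        # unknown modifiers are ignored
        qual, mech = ("+", term) if term[0] not in QUALIFIERS else (term[0], term[1:])
        name, _, arg = mech.lower().partition(":")
        try:
            if name == "all":
                matched = True              # always matches; belongs last
            elif name in ("ip4", "ip6"):
                net = ipaddress.ip_network(arg, strict=False)
                matched = addr.version == net.version and addr in net
            elif name == "include":
                sub = check_spf(ip, arg, dns, depth + 1)
                if sub in ("none", "permerror"):
                    return "permerror"      # included domain has no usable record
                matched = sub == "pass"
            else:
                return "permerror"          # unsupported mechanism in this example
        except ValueError:
            return "permerror"              # malformed network in the record
        if matched:
            return QUALIFIERS[qual]         # first match wins, left to right
    if redirect:
        return check_spf(ip, redirect, dns, depth + 1)
    return "neutral"                        # record exhausted without a match
```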
Forwarding with SPF
Sender Rewriting Scheme (SRS) modifies the MAIL FROM parameter:
- The domain becomes the forwarder's
- The original domain is moved into the local part of the address (before the @ sign)
- A hash and timestamp are added
- An SRS prefix is added to the local part.
The forwarder must then forward on bounces.