§2024-09-23

¶What is SPF?

Sender Policy Framework (SPF) is an email authentication protocol designed to reduce email spoofing and phishing. A domain owner publishes in DNS which mail servers are authorized to send mail for the domain, so a receiving server can check whether a message actually arrived from one of them.

Here’s how SPF helps prevent email spoofing and phishing attacks:

Domain owner publishes an SPF record: The domain owner creates an SPF record in their domain’s DNS settings. This record lists all the authorized mail servers (IP addresses, networks, or hostnames that resolve to them) that are permitted to send emails on behalf of the domain.

Email is sent from a mail server: When a mail server sends an email on behalf of the domain, it presents the sender’s domain in the SMTP envelope: the MAIL FROM address (also called the return path), or the HELO/EHLO hostname when MAIL FROM is empty. The sending server’s IP address is not taken from the message at all; the receiving server observes it from the TCP connection, which is why it cannot be forged the way a header can.

Receiving mail server checks SPF record: When the receiving mail server gets the email, it looks up the TXT record of the MAIL FROM domain. If an SPF record exists, the receiving server evaluates its mechanisms in order against the connecting IP address; hostname-based mechanisms (a, mx) are resolved to IP addresses first.

SPF validation result: The evaluation produces one of a small set of results (RFC 7208 defines pass, fail, softfail, neutral, none, temperror and permerror). The ones that matter most in practice:

Pass: The sending server’s IP address matches an authorized mechanism in the SPF record. The receiving server accepts the email, and it is less likely to be flagged as spam or phishing.

Fail: The sending server’s IP address does not match any authorized mechanism and the record ends in -all. This suggests that the email could be a spoof or phishing attempt. The receiving server may reject the email, flag it as spam, or apply additional scrutiny.

Softfail, neutral or other results: A record ending in ~all yields softfail (probably not authorized, but accept and mark), ?all yields neutral (no opinion), a missing record yields none, and a malformed record, two v=spf1 records on the same name, or a record that needs more than 10 DNS lookups yields permerror. In these cases the receiving server falls back on other mechanisms to judge the message, such as DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance).

Note that SPF authenticates the envelope MAIL FROM domain, not the From: header the recipient sees. An attacker can put their own domain in MAIL FROM, pass SPF for it, and still forge the visible From: address. DMARC closes this gap by requiring the SPF-authenticated domain (or the DKIM signing domain) to align with the From: header domain.

By setting up an SPF record, domain owners can help protect their domain from being used in email spoofing and phishing attacks. This makes it more difficult for attackers to impersonate a legitimate domain, ultimately reducing the effectiveness of these types of attacks.

¶How to add SPF to DNS record?

To add an SPF record to your domain’s DNS settings, follow these steps:

Log in to your domain registrar or DNS hosting provider’s control panel.

Navigate to the DNS management section.

Create a new TXT record with the following details:

Name/Host: Leave this field empty, enter “@”, or enter your domain name, depending on the requirements of your DNS provider. This ensures that the SPF record is added to the root level of your domain (e.g., example.com). Publish only one SPF record per name; two records starting with v=spf1 on the same name make receivers return permerror.

Type: Select “TXT” as the record type.

Value: Add the SPF record value. The value should start with “v=spf1” and list the authorized mail servers or IP addresses, followed by an action for unauthorized servers. Here’s an example of an SPF record value:

v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:_spf.example.net -all

This SPF record value has the following components:

v=spf1: This indicates the SPF version being used, which is version 1.

ip4:192.0.2.0/24: This authorizes the IP addresses in the range 192.0.2.0 to 192.0.2.255 to send emails on behalf of the domain.

ip4:198.51.100.0/24: This authorizes the IP addresses in the range 198.51.100.0 to 198.51.100.255 to send emails on behalf of the domain.

include:_spf.example.net: This pulls in the SPF record published at _spf.example.net and authorizes whatever that record authorizes to send emails on behalf of your domain. This is useful when using third-party email services. Two caveats: only a pass inside the included record counts (its own -all or ~all never causes your mail to fail), and every include, a, mx, ptr, exists and redirect term counts toward the limit of 10 DNS lookups per check; exceeding it turns the whole record into a permerror.

-all: This indicates that any mail server not listed in the SPF record is not authorized to send emails on behalf of your domain. The receiving server should treat such emails as a hard fail. If you want a soft fail, use ~all instead.

Save the TXT record: Click on the “Save” or “Add Record” button to save the new SPF record. The DNS changes may take some time to propagate (up to the record’s TTL at caching resolvers).

Once you have added the SPF record to your domain’s DNS settings, receiving mail servers will check it when they receive emails from your domain. This helps protect your domain from email spoofing and phishing attacks by verifying that emails are sent from authorized servers.

Remember to update your SPF record whenever you add or remove mail servers or third-party email services that send emails on behalf of your domain.
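The following is an added example, not code from the original page, showing both sides of what the two sections above describe: the receiver-side evaluation of a connecting IP against a record (pass, fail, softfail, neutral, none, permerror, including the 10-lookup limit that stops include loops) and the owner-side checks worth running before publishing a record (terminating all term, lookup count). DNS is replaced by a constructed in-memory table so it runs offline; it carries the article's example record plus an assumed _spf.example.net record, and a deliberately self-including record. Only ip4, ip6, include and all are implemented; a, mx, ptr, exists and redirect= need real DNS and are reported as permerror in the evaluator.

```python
import ipaddress

# Constructed stand-in for DNS (assumption: real TXT lookups in production).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",  # assumed third party
    "loop.example": "v=spf1 include:loop.example -all",  # constructed include loop
}

MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: more than 10 DNS-querying terms per check is a permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_TERMS = ("include", "a", "mx", "ptr", "exists")  # mechanisms that each cost a DNS lookup


def lookup_spf(domain):
    """Return the SPF TXT record for domain, or None when the domain publishes none."""
    return DNS_TXT.get(domain.lower())


def split_term(term):
    """'-ip4:192.0.2.0/24' -> ('-', 'ip4', '192.0.2.0/24'); 'all' -> ('+', 'all', '')."""
    qualifier = "+"
    if term[0] in QUALIFIERS:
        qualifier, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    return qualifier, name.lower(), arg


def check_host(ip, domain, _state=None):
    """Receiver-side check: evaluate connecting address ip against domain's SPF record.

    Returns none, neutral, pass, fail, softfail or permerror (temperror cannot happen
    with the in-memory table). _state carries the lookup counter across includes.
    """
    state = _state if _state is not None else {"lookups": 0}
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"  # not an SPF record at all
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        if "=" in term and ":" not in term:  # modifier, not a mechanism
            if term.lower().startswith("exp="):
                continue  # explanation text has no effect on the result
            return "permerror"  # redirect= (or unknown modifier) not supported offline
        qualifier, name, arg = split_term(term)
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
            continue
        if name == "include":
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror"  # also what terminates an include loop
            inner = check_host(ip, arg, state)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # RFC 7208 s5.2: missing or broken included record
            continue  # fail/softfail/neutral inside an include only means "no match here"
        return "permerror"  # a, mx, ptr, exists: would need real DNS
    return "neutral"  # record ended without a match and without an all term


def count_lookups(domain, _seen=None):
    """Owner-side check: DNS lookups a receiver spends on this record, following
    include: and redirect= chains (each target counted once)."""
    seen = _seen if _seen is not None else set()
    domain = domain.lower()
    if domain in seen:
        return 0
    seen.add(domain)
    total = 0
    for term in (lookup_spf(domain) or "").split()[1:]:
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term.partition("=")[2], seen)
            continue
        _, name, arg = split_term(term)
        if name in DNS_TERMS:
            total += 1
        if name == "include":
            total += count_lookups(arg, seen)
    return total


def lint_record(domain):
    """Problems a domain owner should fix before publishing the TXT record."""
    record = lookup_spf(domain)
    if record is None:
        return ["no SPF record published"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems = []
    last = split_term(terms[-1])[1] if len(terms) > 1 else ""
    if last != "all" and not terms[-1].lower().startswith("redirect="):
        problems.append("record does not end with an all term (unlisted senders get neutral)")
    n = count_lookups(domain)
    if n > MAX_LOOKUPS:
        problems.append("%d DNS lookups exceed the limit of %d (permerror at receivers)" % (n, MAX_LOOKUPS))
    return problems


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5", "2001:db8::1", "10.0.0.1"):
        print(ip, "->", check_host(ip, "example.com"))
    print("missing record ->", check_host("192.0.2.10", "nonexistent.example"))
    print("include loop ->", check_host("192.0.2.10", "loop.example"))
    print("lint example.com ->", lint_record("example.com"))
```

The evaluator deliberately treats a non-pass from an included record as "no match" and moves on, which is why the ~all inside _spf.example.net never produces a softfail for example.com; the final verdict for unlisted senders always comes from the outer record's own all term.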

– For hc4Noble.yushei.net: v=spf1 ip4:192.168.0.0/16 include:_spf.yushei.net -all

-all: This is the "fail" mechanism. It indicates that if an email is sent from a server not listed in this SPF record, it should be rejected outright. This is a strict policy that helps prevent unauthorized use of the domain in email spoofing. Note that 192.168.0.0/16 is a private (RFC 1918) range that is not routed on the public internet, so receivers outside that network will never see a connection from it; for external mail, the include:_spf.yushei.net term is what authorizes anything.

Components Explained