Sender Policy Framework - Implementation

Implementation

Compliance with SPF consists of three loosely related tasks:

Publish a policy
Domains and hosts identify the machines authorized to send e-mail on their behalf. They do this by adding records to their existing DNS information: every domain name or host that has an A record or MX record should have an SPF record specifying the policy if it is used either in an email address or as the HELO/EHLO argument. Hosts which do not send mail should publish an SPF record that says so ("v=spf1 -all"). It is highly recommended to validate the SPF record using record testing tools such as those provided on the SPF Project webpage.
Check and use SPF information
Receivers use ordinary DNS queries, which are typically cached to enhance performance. Receivers then interpret the SPF information as specified and act upon the result.
Revise mail forwarding
Plain mail forwarding is not allowed by SPF. The alternatives are
  • remailing, i.e. replacing the original sender with one belonging to the local domain,
  • refusing, i.e. answering 551 User not local; please try ,
  • whitelisting on the target server, so that it will not refuse a forwarded message, and
  • Sender Rewriting Scheme, a more complicated mechanism that handles routing non-delivery notifications to the original sender.

Thus, the key issue in SPF is the specification for the new DNS information that domains set and receivers use. The records laid out below are in typical DNS syntax. Note that RFC 4408 recommended that both SPF and TXT records be used (during the transitional period), although either by itself was acceptable:

example.com. IN TXT "v=spf1 a mx -all"
example.com. IN SPF "v=spf1 a mx -all"

"v=" defines the version of SPF used. The words that follow are mechanisms, evaluated in order, that determine whether the connecting host is eligible to send mail for the domain. The "a" and "mx" mechanisms designate the systems permitted to send messages for the given domain (the domain's A record and the hosts named in its MX records, respectively). The "-all" at the end specifies that, if none of the previous mechanisms matched, the message should be rejected.
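To show how a receiver evaluates such a record, the following small SPF checker is an added illustration, not code from the original page or from any SPF library; it resolves names against a constructed in-memory DNS table instead of real queries and, beyond the "a", "mx" and "all" terms above, also accepts "ip4", so it goes slightly beyond the record shown.

```python
import ipaddress

# Constructed, in-memory stand-in for DNS (no network access; example data only).
DNS = {
    "example.com": {"TXT": ["v=spf1 a mx -all"], "A": ["192.0.2.10"],
                    "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["192.0.2.25"]},
    "nomail.example.com": {"TXT": ["v=spf1 -all"]},  # host that never sends mail
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])

def hosts_for(domain, mech):
    """IPs designated by an 'a' term (domain's A records) or 'mx' term (A records of its MX hosts)."""
    if mech == "a":
        return lookup(domain, "A")
    return [ip for mx in lookup(domain, "MX") for ip in lookup(mx, "A")]

def check_host(ip, domain):
    """Evaluate domain's SPF record for the connecting client ip; returns an SPF result string."""
    records = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"          # no policy published
    if len(records) > 1:
        return "permerror"     # more than one SPF record is a publishing error
    client = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"        # an unqualified mechanism means '+' (pass) on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, target = term.lower().partition(":")
        target = target or domain   # 'a' and 'mx' default to the domain being checked
        if name == "all":
            return QUALIFIERS[qualifier]
        matched = False
        if name in ("a", "mx"):
            matched = any(client == ipaddress.ip_address(h) for h in hosts_for(target, name))
        elif name == "ip4":
            matched = client in ipaddress.ip_network(target, strict=False)
        else:
            return "permerror" # mechanism or modifier this checker does not implement
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"           # record exhausted with no match

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.25", "198.51.100.7"):
        print(ip, check_host(ip, "example.com"))
```

Running it prints "pass" for the two designated hosts and "fail" for the outside address, which is the decision the "-all" term produces once "a" and "mx" have not matched.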
