After running my new server for a while, I was noticing an unusually-high level of bogus email arriving in my inbox – mail that was being spoofed to look like it was coming from myself (to myself).
After a great deal of research, I learned there is a component of the DNS specification that allows for TEXT or SPF records. Sender Policy Framework was developed to help mail servers identify whether or not messages are being sent by authorized servers for their representative domains.
While there is a huge amount of stuff that could be added into a SPF record, what I am using for my domains is:
"v=spf1 mx -all"
If they require it be via TEXT record, it’ll look something like this:
TXT @ "v=spf1 a include:_spf.google.com ~all"
yum install pypolicyd-spf
Then I edited the
master.cf config file for Postfix, adding the following at the bottom:
policy unix - n n - 0 spawn user=nobody argv=/bin/python /usr/libexec/postfix/policyd-spf
Note: those are actually tabs in my config file – but spaces work, too.
When you’re done with your edits and record additions, restart Postfix:
systemctl restart postfix
Then you’ll see messages like this in your
Apr 23 18:58:59 khopesh postfix/smtpd: NOQUEUE: reject: RCPT from unknown[126.96.36.199]: 550 5.7.1 <email@example.com>: Recipient address rejected: Message rejected due to: SPF fail - not authorized. Please see http://www.openspf.net/Why?s=mfrom;firstname.lastname@example.org;ip=188.8.131.52;email@example.com; from=<firstname.lastname@example.org> to=<email@example.com> proto=ESMTP helo=<[184.108.40.206]>
And if you follow the directive to go visit the “Why” page on OpenSPF, you’ll see something like this explanation:
Why did SPF cause my mail to be rejected?
What is SPF?
SPF is an extension to Internet e-mail. It prevents unauthorized people from forging your e-mail address (see the introduction). But for it to work, your own or your e-mail service provider’s setup may need to be adjusted. Otherwise, the system may mistake you for an unauthorized sender.
Note that there is no central institution that enforces SPF. If a message of yours gets blocked due to SPF, this is because (1) your domain has declared an SPF policy that forbids you to send through the mail server through which you sent the message, and (2) the recipient’s mail server detected this and blocked the message.
firstname.lastname@example.org a message that claimed an envelope sender address of
email@example.com a message from
220.127.116.11that claimed an envelope sender address of
However, the domain datente.com has declared using SPF that it does not send mail through 18.104.22.168. That is why the message was rejected.