User Guide - Using SPF to reduce domain (e-mail) spoofing


Applicable Plans - All eApps General VPS Plans

User Guide - Using Sender Policy Framework (SPF) to reduce domain spoofing

Overview

"Sender Policy Framework (SPF), as defined in RFC 4408, is an e-mail validation system designed to prevent e-mail spam by addressing a common vulnerability, source address spoofing. SPF allows administrators to specify which hosts are allowed to send e-mail from a given domain by creating a specific DNS SPF record in the public DNS. Mail exchangers then use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators." - from http://en.wikipedia.org/wiki/Sender_Policy_Framework

"The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery." - from http://www.openspf.org/Introduction

Sender Policy Framework, or SPF, aims to prevent spammers from impersonating valid e-mail senders. SPF helps to prevent domain or e-mail spoofing - http://en.wikipedia.org/wiki/E-mail_spoofing


It is trivially easy for anyone to send you an e-mail that appears to come from a completely different person. This is exploited by spammers and phishers, and is why many companies and organizations (especially banks and other financial institutions) will never ask for any account information via e-mail (and why you should always verify the identity of anyone asking for this type of information via e-mail).

SPF attempts to reduce this by allowing domain owners to identify their legitimate sending e-mail servers by publishing an SPF record in the global DNS system.
SPF must be activated on both the sending and receiving mail server. This means that your SPF record is only used by mail servers that also have SPF installed. However, this number is growing, and providers such as Google and AOL use SPF records.

Installing SPF

SPF DNS Records
Checking SPF records
Using the Control Panel to check your SPF records
Using web tools or dig to check your SPF records

Creating an SPF record in the PBA Control Panel

Links to other information


Installing SPF

The SPF application is available on all eApps General VPS plans, and all operating systems (Fedora Core, CentOS 4 and CentOS 5 or newer). On CentOS 5 or newer VPSs, the SPF application is installed by the standard template used to provision all new orders. If your VPS is a Fedora or CentOS 4 VPS, you may need to install SPF from the Control Panel.

To see what operating system (OS) you have, click on the Subscriptions icon from the My Account tab of your Control Panel. Then click on the name of the subscription you want to see. The OS for the subscription will be displayed near the top of the page. If you are not on a CentOS 5 plan, but would like information on updating your plan, please contact eApps Technical Support for more information.

To check if SPF is already installed, go to the PBA Control Panel, and click on the System tab. If necessary, click on the Select Another System (Subscription) link on the left and choose the correct Virtuozzo container.

Then click on All Applications. On a CentOS 5 VPS, the SPF application will be listed like this: Spf-milter. For Fedora and CentOS 4, it will be listed like this: SPFmilter.

If SPF is not installed, then click on Add Application, and look for the SPF application in the list of applications to install. Check the box next to the application, and then scroll down and click Next.

This takes you back to the All Applications screen. Wait for around five minutes, and then click on the Refresh link at the upper right, just under the word Parallels. The application should now show as installed. If it still shows as Scheduled, wait another five minutes, and click refresh again. If it still shows as Scheduled, or in Error, please contact eApps Technical Support.


SPF DNS Records

Note: These instructions only apply if you host your domains in eApps DNS. If you use a third party DNS provider, you will need to contact them for instructions on how to add an SPF record to their service.

Checking SPF records

To see if a domain has an SPF record, you can either check the domain DNS Zone from the Control Panel, or use a web based or command line tool.

If you are on a CentOS 5 or newer plan and selected to host your domains in eApps DNS when you added them to the Control Panel, then an SPF record was created for those domains by default. Nothing further needs to be done on your end.

If you only have a few domains, then checking from the Control Panel is the easiest way to look for the SPF record. However, if you have a lot of domains, checking each one individually can be quite time consuming. In this case, using a web based or command line tool would be the quickest way to check for an SPF record.

Using the Control Panel to check your SPF records

To check if a domain has an SPF record in the PBA Control Panel, click on the System tab, and then scroll down to All My Domains. Click on the domain, and then on the DNS Zone tab at the top of the page. Look for an entry similar to this one (substitute your own domain name for eapps-example.com):

[Screenshot: SPF Record]

Using web tools or dig to check your SPF records

To check if a domain has an SPF record, you can use the dig command from the command line, or the DNS lookup tool found here - http://tools.bevhost.com/cgi-bin/dnslookup (linked from http://www.openspf.org/Tools)

There are other tools on the SPF Tools page that can be useful to test and troubleshoot SPF records - http://www.openspf.org/Tools

While the web tools are fairly self-explanatory, the dig command line tool is not. Here is an overview of how to use it to test a domain for an SPF record.

If you are on a computer running Mac OS X or a Linux/UNIX variant, you can run this test from the terminal application on your computer. If you are on a Windows computer, you will need to connect to your VPS via SSH to run this test, or possibly install the Cygwin command line environment on your personal computer.

The syntax for the dig command is this:

dig -t TXT domain.com

An SPF record is a TXT record, so that is the DNS entry to search for. Depending on your version of dig, the reply from the DNS server may contain a lot of information other than the SPF record, but in any case you will be looking for something similar to this. In this example the domain eapps-example.com is used.

[root@eapps-example ~]# dig -t TXT eapps-example.com

; <<>> DiG 9.3.4-P1 <<>> -t TXT eapps-example.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10438
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;eapps-example.com.             IN      TXT

;; ANSWER SECTION:
eapps-example.com.      403     IN      TXT     "v=spf1 a mx ~all"

What you are looking for is something similar to the last line:

;; ANSWER SECTION:
eapps-example.com.      403     IN      TXT     "v=spf1 a mx ~all"

The "v=spf1 a mx ~all" is the SPF record. There may be more information in that record, but the "v=spf1" will remain the same. If you see that, then the domain has an SPF record.
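
For the case mentioned earlier, where there are too many domains to check one at a time, the dig check can be scripted. The following is an added example, not part of the original eApps guide; the function names and the domains.txt input file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: bulk SPF check built on the dig command shown in this guide.

# classify_spf reads `dig +short -t TXT <domain>` output on stdin and prints:
#   none        no TXT record starting with v=spf1
#   multiple    more than one v=spf1 record (receivers treat this as an error)
#   ok:<term>   exactly one record; <term> is its "all" mechanism or "no-all"
classify_spf() {
    awk '
        {
            line = $0
            gsub(/" "/, "", line)   # dig shows long TXT data as "part1" "part2"
            gsub(/"/, "", line)     # drop the surrounding quotes
            low = tolower(line)
            if (low == "v=spf1" || substr(low, 1, 7) == "v=spf1 ") {
                count++
                rec = line
            }
        }
        END {
            if (count == 0) { print "none"; exit }
            if (count > 1)  { print "multiple"; exit }
            allterm = "no-all"
            n = split(rec, term, " ")
            for (i = 2; i <= n; i++)
                if (tolower(term[i]) ~ /^[-~?+]?all$/) { allterm = term[i]; break }
            print "ok:" allterm
        }'
}

# check_domains reads one domain per line on stdin and queries DNS for each.
check_domains() {
    while read -r domain; do
        [ -n "$domain" ] || continue
        printf '%s\t%s\n' "$domain" \
            "$(dig +short -t TXT "$domain" </dev/null | classify_spf)"
    done
}

if [ "$#" -gt 0 ]; then
    check_domains < "$1"    # usage: sh spf-check.sh domains.txt (hypothetical names)
else
    # Constructed sample in the format of the answer section above, not live DNS data
    printf '%s\n' '"v=spf1 a mx ~all"' | classify_spf
fi
```

A result of ok:+all means the record authorizes every host to send for the domain, so it offers no protection against spoofing and should be corrected.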


Creating an SPF record in the PBA Control Panel

Note: These instructions assume you have already installed SPF. See the Installing SPF section for more information if you still need to install SPF.


These instructions also assume you are using eApps DNS for your domains. If you are using a third party DNS provider, please contact them for information on how to create an SPF record on their system.

To create an SPF record in the PBA Control Panel, click on the System tab, and then if necessary click on the Select Another System (Subscription) link on the left to choose the correct Virtuozzo container.

Then scroll down to All My Domains, and then click on the domain you wish to add the SPF record for, and then click on the DNS Zone tab at the top of the screen.

Click on New Record and add the following information:

[Screenshot: SPF Record]

  • Name - this is the domain name. Generally this will be left as is. 
  • TTL - this is the Time To Live, in seconds. This is the length of time the DNS record is active before being refreshed. 600 seconds is 10 minutes. This value cannot be changed.
  • Type - select TXT from the drop down menu
  • Priority - TXT records have no priority, so this will be grayed out
  • Value - the default value is: v=spf1 a mx ~all
  • Comment - add a comment if you wish

Click on Save to create the record, or Cancel to cancel. Allow several hours for the SPF record to propagate across the globe.

If you wish to know more about the specific SPF record syntax, see the information here - http://www.openspf.org/SPF_Record_Syntax - which also has information on SPF results.

If you want to create a more detailed SPF record, you can use the wizard on the SPF main page in the Deploying SPF section - http://www.openspf.org/ - which will walk you through creating an SPF record that you can then copy and paste into the Value section in the SPF record for your domain.


Links to other information

SPF Project main page - http://www.openspf.org/
SPF record syntax - http://www.openspf.org/SPF_Record_Syntax
SPF record wizard - http://old.openspf.org/wizard.html
