Sender Policy Framework

__TOC__

In computing, Sender Policy Framework (SPF) allows software to identify messages that are or are not authorized to use the domain name in the SMTP HELO and MAIL FROM (Return-Path) commands, based on information published in a sender policy of the domain owner. Forged return paths are common in e-mail spam and result in backscatter. SPF is defined in RFC 4408.

Principles of operation

Normal SMTP allows any computer to send an e-mail claiming to be from anyone. Thus, it's easy for
spammers to send e-mail from forged addresses. This makes it difficult to trace back to where the spam truly comes from, and easy for spammers to hide their true identity in order to avoid responsibility. Many believe that the ability for anyone to forge "sender addresses" (also known as Return-Paths) is a security flaw in modern SMTP, caused by an undesirable side-effect of the deprecation of "source routes".

:"Further information: Sender Rewriting Scheme (SRS)"

SPF allows the owner of an Internet domain to use special format of DNS SPF or TXT records to specify which machines are authorized to transmit e-mail for that domain. For example, the owner of the example.org domain can designate which machines are authorized to send e-mail whose sender e-mail address ends with "@example.org".Receivers checking SPF can reject messages from unauthorized machines "before receiving the body of the message". Thus, principles of operations are quite similar to those of DNSBL, except that SPF leverages the authority delegation scheme of the real Domain Name System.

The sender address is transmitted at the beginning of the SMTP dialog. If the server rejects the sender, the unauthorized client should send a Bounce message to that address. If the server accepts the sender, and subsequently also accepts the recipient(s) and the body of the message, it should insert a Return-Path header in the message's body in order to save the sender address. While the address in the Return-Path often matches other originator addresses in the mail header like "From:" or "Sender:" this is not necessarily the case, and SPF does not prevent forgeries of these other addresses.

Spammers can send e-mail with an SPF PASS result if they have an account in a domain with a sender policy, or abuse a compromised system in this domain. However, doing so makes the spammer easier to trace and prosecute.

The main benefit of SPF is to people whose e-mail addresses are forged in the Return-Paths. They receive a large mass of unsolicited error messages and other auto-replies, making it difficult to use e-mail normally. If such people use SPF to specify their legitimate sending IPs with a FAIL result for all other IPs, then receivers checking SPF can reject forgeries, reducing the amount of back-scatter.

SPF has potential advantages beyond helping identify unwanted e-mail. In particular, if a sender provides SPF information, then receivers can use SPF PASS results in combination with a white list to identify known reliable senders. Scenarios like compromised systems and shared sending mailers limit this use.

FAIL and forwarding

SPF does not allow plain message forwarding. When a domain publishes an SPF FAIL policy, then legitimate mails sent to receivers forwarding their mail to third parties can be rejected and bounced if
# the forwarder doesn't rewrite the Return-Path, unlike mailing lists,
# the next hop doesn't white list the forwarder, and
# this hop checks SPF.This is a necessary and obvious feature of SPF – checks behind the "border" MTA (MX) of the receiver can't work directly.

Publishers of SPF FAIL policies must accept this potential problem. They should test, e.g. with a SOFTFAIL policy, until they are satisfied with the results. See below for a list of alternatives to plain message forwarding.

HELO tests

For an empty Return-Path as used in error messages and other auto-replies, an SPF check of the HELO-identity is mandatory.

With a bogus HELO identity the result NONE would not help, but for valid host names SPF also protects the HELO identity. This SPF feature was always supported as an option for receivers, and later SPF drafts including the final specification recommend to check the HELO always.

This allows to white list sending mailers based on a HELO PASS, or to reject all mails after a HELO FAIL. It can also be used in reputation systems (any white or black list is a simple case of a reputation system).

Implementation

Compliance with SPF consists of three loosely related tasks:; Publish a policy : Domains identify the machines authorized to send e-mail on their behalf. Domains do this by adding additional records to their existing DNS information: every Domain name that has an A or MX record deserves a TXT record specifying the policy if it is used either in an email address or as HELO/EHLO argument.; Check and use SPF information : Receivers use ordinary DNS queries, which are typically cached to enhance performance. Receivers then interpret the SPF information as specified and act upon the result.; Revise mail forwarding: Plain mail forwarding is not allowed by SPF. The alternatives are:* remailing, i.e. replacing the original sender with one belonging to the local domain,:* refusing, i.e. answering 551 User not local; please try ,:* whitelisting on the target server, so that it won't refuse a forwarded message, and:* Sender Rewriting Scheme, a more complicated mechanism that handles forwarding backscatter back.

Thus, the key issue in SPF is the specificationfor the new DNS information that domains set andreceivers use. The records are laid out like this(in typical DNS-syntax):

example.org. IN TXT "v=spf1 a mx -all"

"v=" defines the version of SPF used. Thefollowing words provide "mechanisms" to use todetermine if a domain is eligible to send mail.The "a" and "mx" specify the systems permittedto send messages for the given domain. The "-all"at the end specifies that, if the previous"mechanisms" did not match, the message shouldbe rejected.

Mechanisms

Eight "mechanisms" are defined:

Qualifiers

Each "mechanism" can be combined with one of four "qualifiers":
* + for a PASS result, this can be omitted, +mx is the same as mx.
* ? for a NEUTRAL result interpreted like NONE (no policy).
* ~ for SOFTFAIL, a debugging aid between NEUTRAL and FAIL.
* - for FAIL, the mail should be rejected (see below).

Modifiers

The "modifiers" allow for future extensions tothe framework. To date only the two "modifiers"defined in the RFC 4408 have been widely deployed:

exp=some.example.com gives the name of adomain with a DNS TXT record(interpreted using SPF's macro language) toget an explanation for FAIL results – typically a
URL which is added to the SMTPerror code. This baroque feature is rarely used.

redirect=some.example.com can be usedinstead of the ALL-"mechanism" to link to thepolicy record of another domain. This "modifier"is easier to understand than the somewhat similarINCLUDE-"mechanism".

Error handling

As soon as SPF implementations detect syntaxerrors in a sender policy they must abortthe evaluation with result PERMERROR. Skippingerroneous "mechanisms" cannot work as expected,therefore include:bad.example andredirect=bad.example also cause aPERMERROR.

Another safety guard is the maximum of ten"mechanisms" querying DNS, i.e. any "mechanism"except from IP4, IP6, and ALL. Implementations canabort the evaluation with result SOFTERROR when ittakes too long or a DNS query times out, but theymust return PERMERROR if the policy directlyor indirectly needs more than ten queriesfor "mechanisms", any redirect= alsocounts towards this "processing limit".

A typical SPF HELO policy v=spf1 a -allneeds three DNS queries: (1) TXT, (2) SPF, and (3)A or AAAA. This last query counts as the first"mechanism" towards the limit (10), in thisexample it's also the last, because ALL needs noDNS lookup.

Caveats

SPF avoids abuses of domain names; it does not validate that a given e-mail actually comes fromthe claimed user. Users within a given domain can forge each others' address, if permitted by the signature process. In addition, domains that share a mail sender (e.g. with virtual hosting) can forge each others' domain even if dire policies are applied.

SPF FAIL rejection

SPF FAIL policies can be an effective but dangerous tool.Some publishers of SPF policies try to avoid the dangersby using SOFTFAIL (designed for limited testing periods)instead of FAIL.But SOFTFAIL can be even more dangerous than FAIL withreceivers rejecting FAIL and accepting SOFTFAIL taggedas "potential junk".

A reject in a forwarding scenario is a clean decision. The forwarder will send an error message to the addressin the Return-Path. Typically the
error message (bounce)contains an explanation of the SMTP error and the failing(forwarded to) address. The original sender can thensend his mail again directly to this address bypassingthe forwarder, a crude emulation of the normal SMTPerror code 551 user not local.

However an accepted SOFTFAIL tagged as "potential junk"could be deleted by the final recipient. This is a userwho has arranged his forwarding in a way that cannotwork with SPF; this user could also be careless withchecking his "potential junk" and simply delete it.

The same line of argument also suggests that receiversshould take the SPF recommendation to reject SPF FAILseriously where possible. Accepting SPF FAIL resultsas "potential junk" can be more dangerous than simplyrejecting FAILed mails.While senders with an SPF FAIL can be expected to knowwhat it means, the same is obviously not the case for areceiver arranging his forwarding in a way that cannotwork with SPF.

Checkpoints

Checking SPF behind the "border" MTA (MX) is not impossible; the relevant info is usually noted in a Received timestamp line added by one of the MXs of the receiver. But at this time it is too late to reject SPF FAIL; the checking entity can essentially only delete FAILing mail.

Experts should be able to get this right, but it is no "plug and play" situation, therefore the SPF specification recommends to check SPF only at the "border" (MX) in the SMTP session, not later. Later SPF checks can also have unexpected results if the publishers of sender policies do not plan modifications of their policy carefully with regard to DNS cache expiration.

DoS attack

An Internet draft [ [http://tools.ietf.org/html/draft-otis-spf-dos-exploit SPF DoS Exploitation] (expired Internet draft)] discussed concerns related to the scale of an SPF answer leading to network exploits as a means to corrupt the DNS. This issue is also covered in the security considerations of the SPF RFC. The SPF project did a detailed analysis [ [http://www.openspf.org/draft-otis-spf-dos-exploit_Analysis OpenSPF analysis of the DoS attack draft] ] of this draft and claimed that SPF does not pose any unique threat of DNS DoS.

History

The SPF concept was presented at YAPC and
OSCON (O'Reilly Open Source Convention) in2003, in a short paper titled"Repudiating Mail-From" written by Paul Vixiein 2002. Other predecessors were"Reverse MX" by Hadmut Danisch,and "Designated Mailer Protocol" by Gordon Fecyk.

In June 2003, Meng Weng Wong merged the RMXand DMP specifications [The IETF proposal for RMX is [http://www.tools.ietf.org/html/draft-danisch-dns-rr-smtp-04 draft-danisch-dns-rr-smtp-04] . For a comparison among RMX, DMP and SPF, see [http://old.openspf.org/dmpvsrmx.html RMX and DMP compared] on the historical openspf site.] and solicited suggestionsfrom other programmers. Over the next six months,a large number of changes were made and a largecommunity had started working on SPF.

Originally SPF stood for Sender Permitted Fromand was sometimes also called SMTP+SPF, but it waschanged to Sender Policy Framework in February 2004.

In early 2004, the IETF created the MARIDworking group and tried to use SPF and Microsoft'sCallerID proposal as the basis for what is nowknown as Sender ID.

After the collapse of MARID the SPF communityreturned to the original "classic" version of SPF.In July 2005 this version of the specification wasapproved by the
IESG as anIETF "experiment", inviting the community to observe SPF during the two years following publication.On April 28, 2006, the SPF RFC was published asexperimental RFC 4408.

Controversy

In 2004, Steven M. Bellovin wrote a long e-mail that discusses his concerns with SPF. [ [http://www.interesting-people.org/archives/interesting-people/200401/msg00037.html Steve Bellovin expresses doubts] (Jan 2004)] Some of these include:
* SPF uses TXT records in DNS, which are supposed to be free-form text with no semantics attached. SPF proponents readily acknowledge that it would be better to have records specifically designated for SPF, but this choice was made to enable rapid implementation of SPF. In July 2005, IANA assigned the Resource Record type 99 to SPF. SPF publishers may publish both record types and SPF checkers may check for either types. It will likely take many years before all DNS software fully supports this new record.
* As of the time he wrote his message, there was no consensus that this is the right way to go. Some major e-mail service providers have not bought into this scheme. Unless and until they do, it doesn't help much, either for their customers (who make up a substantial proportion of the user population) or for everyone else (since their addresses could be forged). It's worth noting that since this concern was raised, Google's GMail and AOL, among others, have embraced SPF. [cite web |url=http://postmaster.aol.com/spf/ |title=SPF Information |publisher=AOL Postmaster |accessdate=2007-10-04]
* Bellovin's strongest concerns involve the underlying assumptions of SPF (SPF's "semantic model"). When using SPF, the SPF DNS records determine how a sender is allowed to send. That means that the owner of the domain will control how senders are allowed to send. People who use "portable" e-mail addresses (such as e-mail addresses created by professional organizations) will be required to use the domain owner's SMTP sender, which may not currently even exist. Organizations providing these "portable" addresses could, however, create their own Mail Submission Agents (MSAs) (RFC 4409) or offer VPNs. Besides SPF only ties the SMTP Return-Path to permitted MSAs; users are still free to use their RFC 2822 addresses elsewhere.

Deployment

Anti-spam software such as SpamAssassin version 3.0.0 and ASSP implement SPF. Many mail transfer agents (MTAs) support SPF directly such as Courier, CommuniGate Pro, Wildcat, and Microsoft Exchange, or have patches/plug-ins available that support SPF, including Postfix, Sendmail, Exim, and Qmail. More than one million domains publish SPF FAIL -all policies. [cite web|url=http://spf-all.com/stats.html|title=SPF -all Domain Survey|year=2008|accessdate=2008-07-23]

In a survey published 2007, 5% of the .com and .net domains had some kind of SPF policy – this might include overall useless policies like v=spf1 ?all. [cite web |url=http://www.onlamp.com/pub/a/onlamp/2007/01/11/dns-extensions.html |title=Handicapping New DNS Extensions and Applications |first=Cricket |last=Liu |publisher=ONLamp |year=2007 |month=January |accessdate=2007-10-04] In April 2007, BITS, a division of the Financial Services Roundtable, published e-mail security recommendations for its members including SPF deployment. [cite web |url=http://bitsinfo.org/downloads/Publications%20Page/BITSSecureEmailFINALAPRIL1507.pdf |title=BITS Email Security Toolkit |publisher=BITS | year=2007 |month=April |accessdate=2008-06-13 |format=PDF ]

In 2008 the MAAWG (Messaging Anti-Abuse Working Group) published a paper about email-authentication covering SPF, Sender ID, and DKIM. [cite web |url=http://www.maawg.org/about/publishedDocuments/MAAWG_Email_Authentication_Paper.pdf |title=Trust in Email Begins with Authentication |accessdate=2008-06-13 |publisher=MAAWG |first=Dave |last=Crocker |year=2008 |month=March |format=PDF ] . In their "Sender Best Communication Practices" the MAAWG stated: "At the very least, senders should incorporate SPF records for their mailing domains". [cite web |url=http://www.maawg.org/about/MAAWG_Sender_BCP/MAAWG_Senders_BCP_Ver2.pdf |title=MAAWG Sender Best Communications Practices - Version 2.0|accessdate=2008-06-13 |publisher=MAAWG |date=2008-06-02 |format=PDF ]

See also

*
* Sender Rewriting Scheme
* Author Domain Signing Practises

References

External links

* and cite web | url = http://dir.gmane.org/index.php?prefix=gmane.mail.spam.spf | title = SPF Mailing List Archives
* cite web | url = http://www.emailbattles.com/archive/battles/spam_aabeeighag_ef/
publisher = emailbattles
title = SPF Claws Sender-ID
date = 2005-09-01
first = BJ | last = Gillette
* cite web | url = http://e-com.ic.gc.ca/epic/internet/inecic-ceac.nsf/en/gv00329e.html
author = Industry Canada
authorlink = Industry Canada
publisher = Government of Canada
title = Stopping Spam: Creating a Stronger, Safer Internet Report of the Task Force on Spam
year = 2005 | month = May
* cite web | url = http://www.cbronline.com/article_news.asp?guid=44D2955C-3C04-4BA1-AC45-AF8277B8B455
title = Sender authentication hops off the standards track
author = "CBR Staff Writer"
date = 2005-03-04
publisher = CBR
* cite web | url = http://david.woodhou.se/why-not-spf.html
first = David | last = Woodhouse
title = Why you shouldn't jump on the SPF bandwagon
date = 2005-01-13
* cite web | url = http://www.theregister.co.uk/2004/09/03/email_authentication_spam/
publisher = The Register
title = Spammers embrace email authentication
date = 2004-09-03
first = John | last = Leyden
* cite web | url = http://www.circleid.com/posts/an_interview_with_the_lead_developer_of_spf_part_i/
title = An Interview with the Lead Developer of SPF - Part I
date = 2004-06-29
publisher = CircleID
* cite web | url = http://bradknowles.typepad.com./considered_harmful/2004/05/spf.html
first = Brad | last = Knowles
title = SPF...
date = 2004-05-19
* cite web | url = http://homepages.tesco.net./~J.deBoynePollard/FGA/smtp-spf-is-harmful.html
title = SPF is harmful. Adopt it.
first = Jonathan | last= de Boyne Pollard
year = 2004
* [http://www.openspf.org/mailflows.pdf Diagram of e-mail flow and SPF's impact] (PDF, [http://www.openspf.org/mailflows-l.pngPNG] )
* [http://www.openspf.org/for-mit-spam-conference.html MIT Spam Conference Handout on SPF] (Jan 2004)
* [http://www.spamcop.net/fom-serve/cache/329.html SpamCop FAQ entry about bogus bounces] discusses also SPF (2005)
* [http://www.openspf.org/whitepaper.pdf M. Wong's Deployment White Paper] (PDF, Nov 2004)