
What is SPF in email security?

2025-03-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

What is SPF in email security? Many newcomers are not clear about this. To help answer the question, the following explains SPF in detail; readers who need it are welcome to learn from it.

What is SPF?

It stands for Sender Policy Framework. SPF prevents others from forging mail that appears to come from your domain; it is an anti-spoofing measure for email. Once you define an SPF record for your domain name, a receiving server looks up that record and checks whether the IP address of the connecting sender is included in it: if so, the mail is treated as legitimate, otherwise it is treated as forged.

The following is a detailed introduction to SPF.

I. Syntax

In an SPF record, the mechanisms are evaluated in the order in which they appear. If the record contains no mechanism or modifier, the default result is Neutral; if the domain has no SPF record, the result is None; if a temporary error occurs during DNS resolution, the result is a temporary error (TempError, called "error" in the earlier specification). If the SPF record has a syntax error, such as a misspelling or an unknown mechanism, the result is PermError (formerly known as "unknown").

1 Mechanisms

1.1 Mechanism description

1.1.1 all

This mechanism always matches and is normally placed at the end of the record. Examples:

"v=spf1 mx -all" allows all MX mail servers of this domain to send mail and forbids all others.

"v=spf1 -all" this domain sends no mail at all.

"v=spf1 +all" any server may send mail.

1.1.2 ip4

"v=spf1 ip4:192.168.0.1/16 -all" allows servers from 192.168.0.1 to 192.168.255.255 to send mail.

"v=spf1 ip4:192.168.0.1 -all" allows 192.168.0.1 to send mail; equivalent to "v=spf1 ip4:192.168.0.1/32 -all".

1.1.3 ip6

Matches an IPv6 address or range. Unlike ip4, where a bare address means /32, the default prefix length for ip6 is /128:

"v=spf1 ip6:1080::8:800:200C:417A/96 -all"

Allows hosts in the range 1080::8:800:0:0 to 1080::8:800:FFFF:FFFF to send mail.

"v=spf1 ip6:1080::8:800:68.0.3.1/96 -all"

Allows hosts in the range 1080::8:800:0:0 to 1080::8:800:FFFF:FFFF to send mail.

1.1.4 a

Examples (assume the current domain is example.com):

"v=spf1 a -all" the A record of the current domain is used.

"v=spf1 a:example.com -all" equivalent to the above, since the current domain is example.com.

"v=spf1 a:mailers.example.com -all" the IP addresses in the A records of mailers.example.com may send mail.

"v=spf1 a:offsite.example.com/24 -all" if offsite.example.com resolves to 192.0.2.1, the whole Class C block 192.0.2.0/24 is accepted as outgoing mail addresses; likewise, if offsite.example.com has several A records, each address is expanded to its CIDR subnet.

1.1.5 mx

The A records of the hosts named in the domain's MX records are checked, in MX priority order. If the sending IP is among them, the mechanism matches. If no domain is given, the current domain is used.

Each A record must exactly match the sending IP address; if a CIDR prefix is given, the sending IP is checked against the corresponding subnet of each address instead.

Examples:

"v=spf1 mx mx:deferrals.domain.com -all"

Perhaps the domain sends mail through its own MX servers and also through the MX servers of deferrals.domain.com, a second set of servers whose job is to retry mail for deferring domains.

"v=spf1 mx/24 mx:offsite.domain.com/24 -all"

Perhaps the domain's MX servers receive mail on one IP and send from another nearby IP in the same /24 block.

1.1.7 ptr

At least one of the sending IP's PTR records must match the given domain. Avoid this mechanism where possible, as it consumes a large number of DNS queries.

Examples:

"v=spf1 ptr -all"

"v=spf1 ptr:otherdomain.com -all"

1.1.8 exists

Performs an A-record query on the given domain and matches if any result is returned. If the result is "-", it is treated as 127.0.0.2.

In the following example, the sending IP is 1.2.3.4 and the current domain is example.com:

"v=spf1 exists:example.net -all"

If example.net does not resolve, the result is Fail. If it does resolve, the mechanism matches.

1.1.10 include

Syntax: include: followed by the domain whose SPF record is to be evaluated.

The SPF record of the specified domain is queried and evaluated. If it does not match, or the query fails, evaluation proceeds to the next mechanism. Warning: if the specified domain does not have a valid SPF record, the result is a permanent error (PermError); some mail receivers reject mail on that basis.

Example:

In the following example, the sending IP is 1.2.3.4 and the current domain is example.com:

"v=spf1 include:example.net -all"

If example.net has no SPF record, the result is a permanent error (PermError).

Suppose the SPF record of example.net is "v=spf1 a -all".

The A record of example.net is queried. If it matches 1.2.3.4, the result is Pass; if it does not match, the include mechanism simply does not match: the -all inside example.net's record is not applied to the outer evaluation, but the outer record's own -all is, so the final result is still Fail.

This mechanism establishes a trust relationship: the included domain's record may authorize more than intended and could be abused for impersonation. You can limit its effect to Neutral by prefixing include with the "?" qualifier:

"v=spf1 ?include:example.net -all"

In general this mechanism is best avoided.

1.2 Qualifiers

A qualifier is placed in front of a mechanism and states the result returned when that mechanism matches. The default qualifier is "+".

"+" Pass

"-" Fail

"~" SoftFail

"?" Neutral

2 Modifiers

Within an SPF record, each modifier may appear at most once. Unknown modifiers are ignored during evaluation.

2.1 redirect

Syntax: redirect= followed by the domain.

The current domain is replaced with the specified domain, whose SPF record is evaluated instead.

In the following example, the current domain is example.com and the sending IP is 1.2.3.4:

"v=spf1 redirect=example.net"

If example.net has no SPF record, an "unknown" error (PermError) is returned.

Suppose the SPF record of example.net is "v=spf1 a -all".

The A record of example.net is queried; if it matches 1.2.3.4, the result is Pass. If it does not match, the mechanism fails and evaluation proceeds to the -all mechanism, which gives the final result.

2.2 exp

Syntax: exp=

Provides an explanation. When an SMTP receiver rejects a message, the rejection may include an explanation returned to the sender. Through this modifier the SPF record can supply an explanation string for the sender, an error message informing the sender, or a help page to visit.

II. Processing flow

III. Result codes

The result of evaluating an SPF record is always one of the following:

Result    | Meaning                                                                 | Recommended action
Pass      | The SPF record authorizes the host to send                              | Accept
Fail      | The SPF record does not authorize the host to send                      | Reject
SoftFail  | The SPF record does not authorize the host to send, but it may retry    | Accept and mark
Neutral   | An SPF record exists but cannot confirm the host's validity             | Accept
None      | No SPF record, or the evaluation produced no result                     | Accept
PermError | Permanent error (e.g. a malformed record)                               | Not specified
TempError | A temporary error occurred                                              | Accept or reject
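To tie together mechanism order, qualifiers, include, redirect and the result names above, here is a small SPF evaluator added as an example; it is not code from the original article. It resolves names against a constructed in-memory DNS table (the example.com, example.net and .example records are fictitious) instead of real DNS, and it leaves out ptr, exists, macros and TempError handling.

```python
import ipaddress
DNS = {  # constructed, fictitious records so the evaluator runs offline: TXT = SPF record, A/MX = hosts
    "example.com": {"TXT": "v=spf1 a mx ip4:192.168.0.1/16 ip6:1080::8:800:200C:417A/96 "
                           "include:example.net -all", "A": ["192.0.2.1"], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["192.0.2.2"]}, "nospf.example": {"A": ["203.0.113.9"]},
    "example.net": {"TXT": "v=spf1 a -all", "A": ["198.51.100.5"]},
    "alias.example": {"TXT": "v=spf1 redirect=example.net"},
    "broken.example": {"TXT": "v=spf1 include:nospf.example -all"},
}
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def _hosts(domain, rtype): return DNS.get(domain, {}).get(rtype, [])

def _in_net(ip, target, prefix):  # no prefix means a single host: /32 for IPv4, /128 for IPv6
    net = ipaddress.ip_network(f"{target}/{prefix or (128 if ':' in target else 32)}", strict=False)
    return ipaddress.ip_address(ip) in net  # False when the address families differ

def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for a message sent from `ip`; returns the result name."""
    record = DNS.get(domain, {}).get("TXT")
    if record is None:
        return "None"                       # the domain publishes no SPF record
    if record.split()[0] != "v=spf1" or depth > 10:
        return "PermError"
    redirect = next((t[9:] for t in record.split() if t.startswith("redirect=")), None)
    for term in record.split()[1:]:         # mechanisms are evaluated in order
        if "=" in term:                     # modifiers (redirect=, exp=) are not mechanisms
            continue
        qual = term[0] if term[0] in QUALIFIERS else "+"   # default qualifier is "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name, _, bare_prefix = name.partition("/")          # handles forms like "mx/24"
        target, _, prefix = arg.partition("/")
        target, prefix = target or domain, prefix or bare_prefix
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = _in_net(ip, target, prefix)
        elif name == "a":
            matched = any(_in_net(ip, h, prefix) for h in _hosts(target, "A"))
        elif name == "mx":
            matched = any(_in_net(ip, h, prefix) for m in _hosts(target, "MX") for h in _hosts(m, "A"))
        elif name == "include":
            sub = check_spf(ip, target, depth + 1)
            if sub in ("None", "PermError"):   # the included domain must carry a valid record
                return "PermError"
            matched = sub == "Pass"
        else:
            return "PermError"              # an unknown mechanism is a syntax error
        if matched:
            return QUALIFIERS[qual]
    if redirect:                            # consulted only when no mechanism matched
        return "PermError" if (r := check_spf(ip, redirect, depth + 1)) == "None" else r
    return "Neutral"                        # no mechanism matched and no redirect
```

Calling check_spf("203.0.113.9", "example.com") walks every mechanism, including the included example.net record, and ends at the outer -all with Fail, while check_spf("1.2.3.4", "broken.example") returns PermError because the included domain has no record.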

Setting up an SPF record

The SPF record looks something like this:

"v=spf1 a mx mx:mail.jefflei.com ip4:202.96.88.88 ~all"

This SPF record specifies that mail from @yourdomain.com may be sent from the following IP addresses:

a (the IP address that yourdomain.com resolves to; remove this if no such A record is configured)

mx (the MX hosts of yourdomain.com, that is, the IP of the A record of mail.yourdomain.com)

mx:mail.jefflei.com (the MX record of mail.jefflei.com; remove this too if it is not configured)

ip4:202.96.88.88 (a sending IP address written directly, e.g. 202.152.186.85)

Some other syntax elements:

"-" Fail, meaning no other mechanism matched

"~" SoftFail, usually used during testing

"?" Neutral, meaning the result is ignored

If mail is sent out from more than one IP, every one of them must be listed.

SPF records can be generated automatically with the wizard at http://www.openspf.org/; the TXT record panel of the GoDaddy DNS console also offers a wizard for SPF records, which is very convenient.

Checking whether the SPF record is set correctly

Send a message to check-auth@verifier.port25.com; if the reply you receive contains "SPF check: pass", the setup is successful.

Viewing the SPF record of a domain name

Under Windows: Start menu -> Run -> type cmd and press Enter, then enter at the command line:

nslookup -type=txt yourdomain.com

This shows the TXT records set for the domain name.

Under Unix-like operating systems:

dig -t txt yourdomain.com
