1
2
3
4
5
6
7Network Working Group M. Wong
8Request for Comments: 4408 W. Schlitt
9Category: Experimental April 2006
10
11
12 Sender Policy Framework (SPF) for
13 Authorizing Use of Domains in E-Mail, Version 1
14
15Status of This Memo
16
17 This memo defines an Experimental Protocol for the Internet
18 community. It does not specify an Internet standard of any kind.
19 Discussion and suggestions for improvement are requested.
20 Distribution of this memo is unlimited.
21
22Copyright Notice
23
24 Copyright (C) The Internet Society (2006).
25
26IESG Note
27
28 The following documents (RFC 4405, RFC 4406, RFC 4407, and RFC 4408)
29 are published simultaneously as Experimental RFCs, although there is
30 no general technical consensus and efforts to reconcile the two
31 approaches have failed. As such, these documents have not received
32 full IETF review and are published "AS-IS" to document the different
33 approaches as they were considered in the MARID working group.
34
35 The IESG takes no position about which approach is to be preferred
36 and cautions the reader that there are serious open issues for each
37 approach and concerns about using them in tandem. The IESG believes
38 that documenting the different approaches does less harm than not
39 documenting them.
40
41 Note that the Sender ID experiment may use DNS records that may have
42 been created for the current SPF experiment or earlier versions in
43 this set of experiments. Depending on the content of the record,
44 this may mean that Sender-ID heuristics would be applied incorrectly
45 to a message. Depending on the actions associated by the recipient
46 with those heuristics, the message may not be delivered or may be
47 discarded on receipt.
48
49 Participants relying on Sender ID experiment DNS records are warned
50 that they may lose valid messages in this set of circumstances.
51 aParticipants publishing SPF experiment DNS records should consider
52 the advice given in section 3.4 of RFC 4406 and may wish to publish
53 both v=spf1 and spf2.0 records to avoid the conflict.
54
55
56
57
58Wong & Schlitt Experimental [Page 1]
59
60RFC 4408 Sender Policy Framework (SPF) April 2006
61
62
63 Participants in the Sender-ID experiment need to be aware that the
64 way Resent-* header fields are used will result in failure to receive
65 legitimate email when interacting with standards-compliant systems
66 (specifically automatic forwarders which comply with the standards by
67 not adding Resent-* headers, and systems which comply with RFC 822
68 but have not yet implemented RFC 2822 Resent-* semantics). It would
69 be inappropriate to advance Sender-ID on the standards track without
70 resolving this interoperability problem.
71
72 The community is invited to observe the success or failure of the two
73 approaches during the two years following publication, in order that
74 a community consensus can be reached in the future.
75
76Abstract
77
78 E-mail on the Internet can be forged in a number of ways. In
79 particular, existing protocols place no restriction on what a sending
80 host can use as the reverse-path of a message or the domain given on
81 the SMTP HELO/EHLO commands. This document describes version 1 of
82 the Sender Policy Framework (SPF) protocol, whereby a domain may
83 explicitly authorize the hosts that are allowed to use its domain
84 name, and a receiving host may check such authorization.
85
86Table of Contents
87
88 1. Introduction ....................................................4
89 1.1. Protocol Status ............................................4
90 1.2. Terminology ................................................5
91 2. Operation .......................................................5
92 2.1. The HELO Identity ..........................................5
93 2.2. The MAIL FROM Identity .....................................5
94 2.3. Publishing Authorization ...................................6
95 2.4. Checking Authorization .....................................6
96 2.5. Interpreting the Result ....................................7
97 2.5.1. None ................................................8
98 2.5.2. Neutral .............................................8
99 2.5.3. Pass ................................................8
100 2.5.4. Fail ................................................8
101 2.5.5. SoftFail ............................................9
102 2.5.6. TempError ...........................................9
103 2.5.7. PermError ...........................................9
104 3. SPF Records .....................................................9
105 3.1. Publishing ................................................10
106 3.1.1. DNS Resource Record Types ..........................10
107 3.1.2. Multiple DNS Records ...............................11
108 3.1.3. Multiple Strings in a Single DNS record ............11
109 3.1.4. Record Size ........................................11
110 3.1.5. Wildcard Records ...................................11
111
112
113
114Wong & Schlitt Experimental [Page 2]
115
116RFC 4408 Sender Policy Framework (SPF) April 2006
117
118
119 4. The check_host() Function ......................................12
120 4.1. Arguments .................................................12
121 4.2. Results ...................................................13
122 4.3. Initial Processing ........................................13
123 4.4. Record Lookup .............................................13
124 4.5. Selecting Records .........................................13
125 4.6. Record Evaluation .........................................14
126 4.6.1. Term Evaluation ....................................14
127 4.6.2. Mechanisms .........................................15
128 4.6.3. Modifiers ..........................................15
129 4.7. Default Result ............................................16
130 4.8. Domain Specification ......................................16
131 5. Mechanism Definitions ..........................................16
132 5.1. "all" .....................................................17
133 5.2. "include" .................................................18
134 5.3. "a" .......................................................19
135 5.4. "mx" ......................................................20
136 5.5. "ptr" .....................................................20
137 5.6. "ip4" and "ip6" ...........................................21
138 5.7. "exists" ..................................................22
139 6. Modifier Definitions ...........................................22
140 6.1. redirect: Redirected Query ................................23
141 6.2. exp: Explanation ..........................................23
142 7. The Received-SPF Header Field ..................................25
143 8. Macros .........................................................27
144 8.1. Macro Definitions .........................................27
145 8.2. Expansion Examples ........................................30
146 9. Implications ...................................................31
147 9.1. Sending Domains ...........................................31
148 9.2. Mailing Lists .............................................32
149 9.3. Forwarding Services and Aliases ...........................32
150 9.4. Mail Services .............................................34
151 9.5. MTA Relays ................................................34
152 10. Security Considerations .......................................35
153 10.1. Processing Limits ........................................35
154 10.2. SPF-Authorized E-Mail May Contain Other False
155 Identities ...............................................37
156 10.3. Spoofed DNS and IP Data ..................................37
157 10.4. Cross-User Forgery .......................................37
158 10.5. Untrusted Information Sources ............................38
159 10.6. Privacy Exposure .........................................38
160 11. Contributors and Acknowledgements .............................38
161 12. IANA Considerations ...........................................39
162 12.1. The SPF DNS Record Type ..................................39
163 12.2. The Received-SPF Mail Header Field .......................39
164 13. References ....................................................39
165 13.1. Normative References .....................................39
166 13.2. Informative References ...................................40
167
168
169
170Wong & Schlitt Experimental [Page 3]
171
172RFC 4408 Sender Policy Framework (SPF) April 2006
173
174
175 Appendix A. Collected ABNF .......................................42
176 Appendix B. Extended Examples ....................................44
177 B.1. Simple Examples ..........................................44
178 B.2. Multiple Domain Example ..................................45
179 B.3. DNSBL Style Example ......................................46
180 B.4. Multiple Requirements Example ............................46
181
1821. Introduction
183
184 The current E-Mail infrastructure has the property that any host
185 injecting mail into the mail system can identify itself as any domain
186 name it wants. Hosts can do this at a variety of levels: in
187 particular, the session, the envelope, and the mail headers.
188 Although this feature is desirable in some circumstances, it is a
189 major obstacle to reducing Unsolicited Bulk E-Mail (UBE, aka spam).
190 Furthermore, many domain name holders are understandably concerned
191 about the ease with which other entities may make use of their domain
192 names, often with malicious intent.
193
194 This document defines a protocol by which domain owners may authorize
195 hosts to use their domain name in the "MAIL FROM" or "HELO" identity.
196 Compliant domain holders publish Sender Policy Framework (SPF)
197 records specifying which hosts are permitted to use their names, and
198 compliant mail receivers use the published SPF records to test the
199 authorization of sending Mail Transfer Agents (MTAs) using a given
200 "HELO" or "MAIL FROM" identity during a mail transaction.
201
202 An additional benefit to mail receivers is that after the use of an
203 identity is verified, local policy decisions about the mail can be
204 made based on the sender's domain, rather than the host's IP address.
205 This is advantageous because reputation of domain names is likely to
206 be more accurate than reputation of host IP addresses. Furthermore,
207 if a claimed identity fails verification, local policy can take
208 stronger action against such E-Mail, such as rejecting it.
209
2101.1. Protocol Status
211
212 SPF has been in development since the summer of 2003 and has seen
213 deployment beyond the developers beginning in December 2003. The
214 design of SPF slowly evolved until the spring of 2004 and has since
215 stabilized. There have been quite a number of forms of SPF, some
216 written up as documents, some submitted as Internet Drafts, and many
217 discussed and debated in development forums.
218
219 The goal of this document is to clearly document the protocol defined
220 by earlier draft specifications of SPF as used in existing
221 implementations. This conception of SPF is sometimes called "SPF
222 Classic". It is understood that particular implementations and
223
224
225
226Wong & Schlitt Experimental [Page 4]
227
228RFC 4408 Sender Policy Framework (SPF) April 2006
229
230
231 deployments may differ from, and build upon, this work. It is hoped
232 that we have nonetheless captured the common understanding of SPF
233 version 1.
234
2351.2. Terminology
236
237 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
238 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
239 document are to be interpreted as described in [RFC2119].
240
241 This document is concerned with the portion of a mail message
242 commonly called "envelope sender", "return path", "reverse path",
243 "bounce address", "2821 FROM", or "MAIL FROM". Since these terms are
244 either not well defined or often used casually, this document defines
245 the "MAIL FROM" identity in Section 2.2. Note that other terms that
246 may superficially look like the common terms, such as "reverse-path",
247 are used only with the defined meanings from normative documents.
248
2492. Operation
250
2512.1. The HELO Identity
252
253 The "HELO" identity derives from either the SMTP HELO or EHLO command
254 (see [RFC2821]). These commands supply the SMTP client (sending
255 host) for the SMTP session. Note that requirements for the domain
256 presented in the EHLO or HELO command are not always clear to the
257 sending party, and SPF clients must be prepared for the "HELO"
258 identity to be malformed or an IP address literal. At the time of
259 this writing, many legitimate E-Mails are delivered with invalid HELO
260 domains.
261
262 It is RECOMMENDED that SPF clients not only check the "MAIL FROM"
263 identity, but also separately check the "HELO" identity by applying
264 the check_host() function (Section 4) to the "HELO" identity as the
265 <sender>.
266
2672.2. The MAIL FROM Identity
268
269 The "MAIL FROM" identity derives from the SMTP MAIL command (see
270 [RFC2821]). This command supplies the "reverse-path" for a message,
271 which generally consists of the sender mailbox, and is the mailbox to
272 which notification messages are to be sent if there are problems
273 delivering the message.
274
275 [RFC2821] allows the reverse-path to be null (see Section 4.5.5 in
276 RFC 2821). In this case, there is no explicit sender mailbox, and
277 such a message can be assumed to be a notification message from the
278 mail system itself. When the reverse-path is null, this document
279
280
281
282Wong & Schlitt Experimental [Page 5]
283
284RFC 4408 Sender Policy Framework (SPF) April 2006
285
286
287 defines the "MAIL FROM" identity to be the mailbox composed of the
288 localpart "postmaster" and the "HELO" identity (which may or may not
289 have been checked separately before).
290
291 SPF clients MUST check the "MAIL FROM" identity. SPF clients check
292 the "MAIL FROM" identity by applying the check_host() function to the
293 "MAIL FROM" identity as the <sender>.
294
2952.3. Publishing Authorization
296
297 An SPF-compliant domain MUST publish a valid SPF record as described
298 in Section 3. This record authorizes the use of the domain name in
299 the "HELO" and "MAIL FROM" identities by the MTAs it specifies.
300
301 If domain owners choose to publish SPF records, it is RECOMMENDED
302 that they end in "-all", or redirect to other records that do, so
303 that a definitive determination of authorization can be made.
304
305 Domain holders may publish SPF records that explicitly authorize no
306 hosts if mail should never originate using that domain.
307
308 When changing SPF records, care must be taken to ensure that there is
309 a transition period so that the old policy remains valid until all
310 legitimate E-Mail has been checked.
311
3122.4. Checking Authorization
313
314 A mail receiver can perform a set of SPF checks for each mail message
315 it receives. An SPF check tests the authorization of a client host
316 to emit mail with a given identity. Typically, such checks are done
317 by a receiving MTA, but can be performed elsewhere in the mail
318 processing chain so long as the required information is available and
319 reliable. At least the "MAIL FROM" identity MUST be checked, but it
320 is RECOMMENDED that the "HELO" identity also be checked beforehand.
321
322 Without explicit approval of the domain owner, checking other
323 identities against SPF version 1 records is NOT RECOMMENDED because
324 there are cases that are known to give incorrect results. For
325 example, almost all mailing lists rewrite the "MAIL FROM" identity
326 (see Section 9.2), but some do not change any other identities in the
327 message. The scenario described in Section 9.3, sub-section 1.2, is
328 another example. Documents that define other identities should
329 define the method for explicit approval.
330
331 It is possible that mail receivers will use the SPF check as part of
332 a larger set of tests on incoming mail. The results of other tests
333 may influence whether or not a particular SPF check is performed.
334 For example, finding the sending host's IP address on a local white
335
336
337
338Wong & Schlitt Experimental [Page 6]
339
340RFC 4408 Sender Policy Framework (SPF) April 2006
341
342
343 list may cause all other tests to be skipped and all mail from that
344 host to be accepted.
345
346 When a mail receiver decides to perform an SPF check, it MUST use a
347 correctly-implemented check_host() function (Section 4) evaluated
348 with the correct parameters. Although the test as a whole is
349 optional, once it has been decided to perform a test it must be
350 performed as specified so that the correct semantics are preserved
351 between publisher and receiver.
352
353 To make the test, the mail receiver MUST evaluate the check_host()
354 function with the arguments set as follows:
355
356 <ip> - the IP address of the SMTP client that is emitting the
357 mail, either IPv4 or IPv6.
358
359 <domain> - the domain portion of the "MAIL FROM" or "HELO" identity.
360
361 <sender> - the "MAIL FROM" or "HELO" identity.
362
363 Note that the <domain> argument may not be a well-formed domain name.
364 For example, if the reverse-path was null, then the EHLO/HELO domain
365 is used, with its associated problems (see Section 2.1). In these
366 cases, check_host() is defined in Section 4.3 to return a "None"
367 result.
368
369 Although invalid, malformed, or non-existent domains cause SPF checks
370 to return "None" because no SPF record can be found, it has long been
371 the policy of many MTAs to reject E-Mail from such domains,
372 especially in the case of invalid "MAIL FROM". In order to prevent
373 the circumvention of SPF records, rejecting E-Mail from invalid
374 domains should be considered.
375
376 Implementations must take care to correctly extract the <domain> from
377 the data given with the SMTP MAIL FROM command as many MTAs will
378 still accept such things as source routes (see [RFC2821], Appendix
379 C), the %-hack (see [RFC1123]), and bang paths (see [RFC1983]).
380 These archaic features have been maliciously used to bypass security
381 systems.
382
3832.5. Interpreting the Result
384
385 This section describes how software that performs the authorization
386 should interpret the results of the check_host() function. The
387 authorization check SHOULD be performed during the processing of the
388 SMTP transaction that sends the mail. This allows errors to be
389 returned directly to the sending MTA by way of SMTP replies.
390
391
392
393
394Wong & Schlitt Experimental [Page 7]
395
396RFC 4408 Sender Policy Framework (SPF) April 2006
397
398
399 Performing the authorization after the SMTP transaction has finished
400 may cause problems, such as the following: (1) It may be difficult to
401 accurately extract the required information from potentially
402 deceptive headers; (2) legitimate E-Mail may fail because the
403 sender's policy may have since changed.
404
405 Generating non-delivery notifications to forged identities that have
406 failed the authorization check is generally abusive and against the
407 explicit wishes of the identity owner.
408
4092.5.1. None
410
411 A result of "None" means that no records were published by the domain
412 or that no checkable sender domain could be determined from the given
413 identity. The checking software cannot ascertain whether or not the
414 client host is authorized.
415
4162.5.2. Neutral
417
418 The domain owner has explicitly stated that he cannot or does not
419 want to assert whether or not the IP address is authorized. A
420 "Neutral" result MUST be treated exactly like the "None" result; the
421 distinction exists only for informational purposes. Treating
422 "Neutral" more harshly than "None" would discourage domain owners
423 from testing the use of SPF records (see Section 9.1).
424
4252.5.3. Pass
426
427 A "Pass" result means that the client is authorized to inject mail
428 with the given identity. The domain can now, in the sense of
429 reputation, be considered responsible for sending the message.
430 Further policy checks can now proceed with confidence in the
431 legitimate use of the identity.
432
4332.5.4. Fail
434
435 A "Fail" result is an explicit statement that the client is not
436 authorized to use the domain in the given identity. The checking
437 software can choose to mark the mail based on this or to reject the
438 mail outright.
439
440 If the checking software chooses to reject the mail during the SMTP
441 transaction, then it SHOULD use an SMTP reply code of 550 (see
442 [RFC2821]) and, if supported, the 5.7.1 Delivery Status Notification
443 (DSN) code (see [RFC3464]), in addition to an appropriate reply text.
444 The check_host() function may return either a default explanation
445 string or one from the domain that published the SPF records (see
446 Section 6.2). If the information does not originate with the
447
448
449
450Wong & Schlitt Experimental [Page 8]
451
452RFC 4408 Sender Policy Framework (SPF) April 2006
453
454
455 checking software, it should be made clear that the text is provided
456 by the sender's domain. For example:
457
458 550-5.7.1 SPF MAIL FROM check failed:
459 550-5.7.1 The domain example.com explains:
460 550 5.7.1 Please see http://www.example.com/mailpolicy.html
461
4622.5.5. SoftFail
463
464 A "SoftFail" result should be treated as somewhere between a "Fail"
465 and a "Neutral". The domain believes the host is not authorized but
466 is not willing to make that strong of a statement. Receiving
467 software SHOULD NOT reject the message based solely on this result,
468 but MAY subject the message to closer scrutiny than normal.
469
470 The domain owner wants to discourage the use of this host and thus
471 desires limited feedback when a "SoftFail" result occurs. For
472 example, the recipient's Mail User Agent (MUA) could highlight the
473 "SoftFail" status, or the receiving MTA could give the sender a
474 message using a technique called "greylisting" whereby the MTA can
475 issue an SMTP reply code of 451 (4.3.0 DSN code) with a note the
476 first time the message is received, but accept it the second time.
477
4782.5.6. TempError
479
480 A "TempError" result means that the SPF client encountered a
481 transient error while performing the check. Checking software can
482 choose to accept or temporarily reject the message. If the message
483 is rejected during the SMTP transaction for this reason, the software
484 SHOULD use an SMTP reply code of 451 and, if supported, the 4.4.3 DSN
485 code.
486
4872.5.7. PermError
488
489 A "PermError" result means that the domain's published records could
490 not be correctly interpreted. This signals an error condition that
491 requires manual intervention to be resolved, as opposed to the
492 TempError result. Be aware that if the domain owner uses macros
493 (Section 8), it is possible that this result is due to the checked
494 identities having an unexpected format.
495
4963. SPF Records
497
498 An SPF record is a DNS Resource Record (RR) that declares which hosts
499 are, and are not, authorized to use a domain name for the "HELO" and
500 "MAIL FROM" identities. Loosely, the record partitions all hosts
501 into permitted and not-permitted sets (though some hosts might fall
502 into neither category).
503
504
505
506Wong & Schlitt Experimental [Page 9]
507
508RFC 4408 Sender Policy Framework (SPF) April 2006
509
510
511 The SPF record is a single string of text. An example record is the
512 following:
513
514 v=spf1 +mx a:colo.example.com/28 -all
515
516 This record has a version of "spf1" and three directives: "+mx",
517 "a:colo.example.com/28" (the + is implied), and "-all".
518
5193.1. Publishing
520
521 Domain owners wishing to be SPF compliant must publish SPF records
522 for the hosts that are used in the "MAIL FROM" and "HELO" identities.
523 The SPF records are placed in the DNS tree at the host name it
524 pertains to, not a subdomain under it, such as is done with SRV
525 records. This is the same whether the TXT or SPF RR type (see
526 Section 3.1.1) is used.
527
528 The example above in Section 3 might be published via these lines in
529 a domain zone file:
530
531 example.com. TXT "v=spf1 +mx a:colo.example.com/28 -all"
532 smtp-out.example.com. TXT "v=spf1 a -all"
533
534 When publishing via TXT records, beware of other TXT records
535 published there for other purposes. They may cause problems with
536 size limits (see Section 3.1.4).
537
5383.1.1. DNS Resource Record Types
539
540 This document defines a new DNS RR of type SPF, code 99. The format
541 of this type is identical to the TXT RR [RFC1035]. For either type,
542 the character content of the record is encoded as [US-ASCII].
543
544 It is recognized that the current practice (using a TXT record) is
545 not optimal, but it is necessary because there are a number of DNS
546 server and resolver implementations in common use that cannot handle
547 the new RR type. The two-record-type scheme provides a forward path
548 to the better solution of using an RR type reserved for this purpose.
549
550 An SPF-compliant domain name SHOULD have SPF records of both RR
551 types. A compliant domain name MUST have a record of at least one
552 type. If a domain has records of both types, they MUST have
553 identical content. For example, instead of publishing just one
554 record as in Section 3.1 above, it is better to publish:
555
556 example.com. IN TXT "v=spf1 +mx a:colo.example.com/28 -all"
557 example.com. IN SPF "v=spf1 +mx a:colo.example.com/28 -all"
558
559
560
561
562Wong & Schlitt Experimental [Page 10]
563
564RFC 4408 Sender Policy Framework (SPF) April 2006
565
566
567 Example RRs in this document are shown with the TXT record type;
568 however, they could be published with the SPF type or with both
569 types.
570
5713.1.2. Multiple DNS Records
572
573 A domain name MUST NOT have multiple records that would cause an
574 authorization check to select more than one record. See Section 4.5
575 for the selection rules.
576
5773.1.3. Multiple Strings in a Single DNS record
578
579 As defined in [RFC1035] sections 3.3.14 and 3.3, a single text DNS
580 record (either TXT or SPF RR types) can be composed of more than one
581 string. If a published record contains multiple strings, then the
582 record MUST be treated as if those strings are concatenated together
583 without adding spaces. For example:
584
585 IN TXT "v=spf1 .... first" "second string..."
586
587 MUST be treated as equivalent to
588
589 IN TXT "v=spf1 .... firstsecond string..."
590
591 SPF or TXT records containing multiple strings are useful in
592 constructing records that would exceed the 255-byte maximum length of
593 a string within a single TXT or SPF RR record.
594
5953.1.4. Record Size
596
597 The published SPF record for a given domain name SHOULD remain small
598 enough that the results of a query for it will fit within 512 octets.
599 This will keep even older DNS implementations from falling over to
600 TCP. Since the answer size is dependent on many things outside the
601 scope of this document, it is only possible to give this guideline:
602 If the combined length of the DNS name and the text of all the
603 records of a given type (TXT or SPF) is under 450 characters, then
604 DNS answers should fit in UDP packets. Note that when computing the
605 sizes for queries of the TXT format, one must take into account any
606 other TXT records published at the domain name. Records that are too
607 long to fit in a single UDP packet MAY be silently ignored by SPF
608 clients.
609
6103.1.5. Wildcard Records
611
612 Use of wildcard records for publishing is not recommended. Care must
613 be taken if wildcard records are used. If a domain publishes
614 wildcard MX records, it may want to publish wildcard declarations,
615
616
617
618Wong & Schlitt Experimental [Page 11]
619
620RFC 4408 Sender Policy Framework (SPF) April 2006
621
622
623 subject to the same requirements and problems. In particular, the
624 declaration must be repeated for any host that has any RR records at
625 all, and for subdomains thereof. For example, the example given in
626 [RFC1034], Section 4.3.3, could be extended with the following:
627
628 X.COM. MX 10 A.X.COM
629 X.COM. TXT "v=spf1 a:A.X.COM -all"
630
631 *.X.COM. MX 10 A.X.COM
632 *.X.COM. TXT "v=spf1 a:A.X.COM -all"
633
634 A.X.COM. A 1.2.3.4
635 A.X.COM. MX 10 A.X.COM
636 A.X.COM. TXT "v=spf1 a:A.X.COM -all"
637
638 *.A.X.COM. MX 10 A.X.COM
639 *.A.X.COM. TXT "v=spf1 a:A.X.COM -all"
640
641 Notice that SPF records must be repeated twice for every name within
642 the domain: once for the name, and once with a wildcard to cover the
643 tree under the name.
644
645 Use of wildcards is discouraged in general as they cause every name
646 under the domain to exist and queries against arbitrary names will
647 never return RCODE 3 (Name Error).
648
6494. The check_host() Function
650
651 The check_host() function fetches SPF records, parses them, and
652 interprets them to determine whether a particular host is or is not
653 permitted to send mail with a given identity. Mail receivers that
654 perform this check MUST correctly evaluate the check_host() function
655 as described here.
656
657 Implementations MAY use a different algorithm than the canonical
658 algorithm defined here, so long as the results are the same in all
659 cases.
660
6614.1. Arguments
662
663 The check_host() function takes these arguments:
664
665 <ip> - the IP address of the SMTP client that is emitting the
666 mail, either IPv4 or IPv6.
667
668 <domain> - the domain that provides the sought-after authorization
669 information; initially, the domain portion of the "MAIL
670 FROM" or "HELO" identity.
671
672
673
674Wong & Schlitt Experimental [Page 12]
675
676RFC 4408 Sender Policy Framework (SPF) April 2006
677
678
679 <sender> - the "MAIL FROM" or "HELO" identity.
680
681 The domain portion of <sender> will usually be the same as the
682 <domain> argument when check_host() is initially evaluated. However,
683 this will generally not be true for recursive evaluations (see
684 Section 5.2 below).
685
686 Actual implementations of the check_host() function may need
687 additional arguments.
688
6894.2. Results
690
691 The function check_host() can return one of several results described
692 in Section 2.5. Based on the result, the action to be taken is
693 determined by the local policies of the receiver.
694
6954.3. Initial Processing
696
697 If the <domain> is malformed (label longer than 63 characters, zero-
698 length label not at the end, etc.) or is not a fully qualified domain
699 name, or if the DNS lookup returns "domain does not exist" (RCODE 3),
700 check_host() immediately returns the result "None".
701
702 If the <sender> has no localpart, substitute the string "postmaster"
703 for the localpart.
704
7054.4. Record Lookup
706
707 In accordance with how the records are published (see Section 3.1
708 above), a DNS query needs to be made for the <domain> name, querying
709 for either RR type TXT, SPF, or both. If both SPF and TXT RRs are
710 looked up, the queries MAY be done in parallel.
711
712 If all DNS lookups that are made return a server failure (RCODE 2),
713 or other error (RCODE other than 0 or 3), or time out, then
714 check_host() exits immediately with the result "TempError".
715
7164.5. Selecting Records
717
718 Records begin with a version section:
719
720 record = version terms *SP
721 version = "v=spf1"
722
723 Starting with the set of records that were returned by the lookup,
724 record selection proceeds in two steps:
725
726
727
728
729
730Wong & Schlitt Experimental [Page 13]
731
732RFC 4408 Sender Policy Framework (SPF) April 2006
733
734
735 1. Records that do not begin with a version section of exactly
736 "v=spf1" are discarded. Note that the version section is
737 terminated either by an SP character or the end of the record. A
738 record with a version section of "v=spf10" does not match and must
739 be discarded.
740
741 2. If any records of type SPF are in the set, then all records of
742 type TXT are discarded.
743
744 After the above steps, there should be exactly one record remaining
745 and evaluation can proceed. If there are two or more records
746 remaining, then check_host() exits immediately with the result of
747 "PermError".
748
749 If no matching records are returned, an SPF client MUST assume that
750 the domain makes no SPF declarations. SPF processing MUST stop and
751 return "None".
752
7534.6. Record Evaluation
754
755 After one SPF record has been selected, the check_host() function
756 parses and interprets it to find a result for the current test. If
757 there are any syntax errors, check_host() returns immediately with
758 the result "PermError".
759
760 Implementations MAY choose to parse the entire record first and
761 return "PermError" if the record is not syntactically well formed.
762 However, in all cases, any syntax errors anywhere in the record MUST
763 be detected.
764
7654.6.1. Term Evaluation
766
767 There are two types of terms: mechanisms and modifiers. A record
768 contains an ordered list of these as specified in the following
769 Augmented Backus-Naur Form (ABNF).
770
771 terms = *( 1*SP ( directive / modifier ) )
772
773 directive = [ qualifier ] mechanism
774 qualifier = "+" / "-" / "?" / "~"
775 mechanism = ( all / include
776 / A / MX / PTR / IP4 / IP6 / exists )
777 modifier = redirect / explanation / unknown-modifier
778 unknown-modifier = name "=" macro-string
779
780 name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
781
782 Most mechanisms allow a ":" or "/" character after the name.
783
784
785
786Wong & Schlitt Experimental [Page 14]
787
788RFC 4408 Sender Policy Framework (SPF) April 2006
789
790
791 Modifiers always contain an equals ('=') character immediately after
792 the name, and before any ":" or "/" characters that may be part of
793 the macro-string.
794
795 Terms that do not contain any of "=", ":", or "/" are mechanisms, as
796 defined in Section 5.
797
798 As per the definition of the ABNF notation in [RFC4234], mechanism
799 and modifier names are case-insensitive.
800
8014.6.2. Mechanisms
802
803 Each mechanism is considered in turn from left to right. If there
804 are no more mechanisms, the result is specified in Section 4.7.
805
806 When a mechanism is evaluated, one of three things can happen: it can
807 match, not match, or throw an exception.
808
809 If it matches, processing ends and the qualifier value is returned as
810 the result of that record. If it does not match, processing
811 continues with the next mechanism. If it throws an exception,
812 mechanism processing ends and the exception value is returned.
813
814 The possible qualifiers, and the results they return are as follows:
815
816 "+" Pass
817 "-" Fail
818 "~" SoftFail
819 "?" Neutral
820
821 The qualifier is optional and defaults to "+".
822
823 When a mechanism matches and the qualifier is "-", then a "Fail"
824 result is returned and the explanation string is computed as
825 described in Section 6.2.
826
827 The specific mechanisms are described in Section 5.
828
8294.6.3. Modifiers
830
831 Modifiers are not mechanisms: they do not return match or not-match.
832 Instead they provide additional information. Although modifiers do
833 not directly affect the evaluation of the record, the "redirect"
834 modifier has an effect after all the mechanisms have been evaluated.
835
836
837
838
839
840
841
842Wong & Schlitt Experimental [Page 15]
843
844RFC 4408 Sender Policy Framework (SPF) April 2006
845
846
8474.7. Default Result
848
849 If none of the mechanisms match and there is no "redirect" modifier,
850 then the check_host() returns a result of "Neutral", just as if
851 "?all" were specified as the last directive. If there is a
852 "redirect" modifier, check_host() proceeds as defined in Section 6.1.
853
854 Note that records SHOULD always use either a "redirect" modifier or
855 an "all" mechanism to explicitly terminate processing.
856
857 For example:
858
859 v=spf1 +mx -all
860 or
861 v=spf1 +mx redirect=_spf.example.com
862
8634.8. Domain Specification
864
865 Several of these mechanisms and modifiers have a <domain-spec>
866 section. The <domain-spec> string is macro expanded (see Section 8).
867 The resulting string is the common presentation form of a fully-
868 qualified DNS name: a series of labels separated by periods. This
869 domain is called the <target-name> in the rest of this document.
870
871 Note: The result of the macro expansion is not subject to any further
872 escaping. Hence, this facility cannot produce all characters that
873 are legal in a DNS label (e.g., the control characters). However,
874 this facility is powerful enough to express legal host names and
875 common utility labels (such as "_spf") that are used in DNS.
876
877 For several mechanisms, the <domain-spec> is optional. If it is not
878 provided, the <domain> is used as the <target-name>.
879
8805. Mechanism Definitions
881
882 This section defines two types of mechanisms.
883
884 Basic mechanisms contribute to the language framework. They do not
885 specify a particular type of authorization scheme.
886
887 all
888 include
889
890 Designated sender mechanisms are used to designate a set of <ip>
891 addresses as being permitted or not permitted to use the <domain> for
892 sending mail.
893
894
895
896
897
898Wong & Schlitt Experimental [Page 16]
899
900RFC 4408 Sender Policy Framework (SPF) April 2006
901
902
903 a
904 mx
905 ptr
906 ip4
907 ip6
908 exists
909
910 The following conventions apply to all mechanisms that perform a
911 comparison between <ip> and an IP address at any point:
912
913 If no CIDR-length is given in the directive, then <ip> and the IP
914 address are compared for equality. (Here, CIDR is Classless Inter-
915 Domain Routing.)
916
917 If a CIDR-length is specified, then only the specified number of
918 high-order bits of <ip> and the IP address are compared for equality.
919
920 When any mechanism fetches host addresses to compare with <ip>, when
921 <ip> is an IPv4 address, A records are fetched, when <ip> is an IPv6
922 address, AAAA records are fetched. Even if the SMTP connection is
923 via IPv6, an IPv4-mapped IPv6 IP address (see [RFC3513], Section
924 2.5.5) MUST still be considered an IPv4 address.
925
926 Several mechanisms rely on information fetched from DNS. For these
927 DNS queries, except where noted, if the DNS server returns an error
928 (RCODE other than 0 or 3) or the query times out, the mechanism
929 throws the exception "TempError". If the server returns "domain does
930 not exist" (RCODE 3), then evaluation of the mechanism continues as
931 if the server returned no error (RCODE 0) and zero answer records.
932
9335.1. "all"
934
935 all = "all"
936
937 The "all" mechanism is a test that always matches. It is used as the
938 rightmost mechanism in a record to provide an explicit default.
939
940 For example:
941
942 v=spf1 a mx -all
943
944 Mechanisms after "all" will never be tested. Any "redirect" modifier
945 (Section 6.1) has no effect when there is an "all" mechanism.
946
947
948
949
950
951
952
953
954Wong & Schlitt Experimental [Page 17]
955
956RFC 4408 Sender Policy Framework (SPF) April 2006
957
958
9595.2. "include"
960
961 include = "include" ":" domain-spec
962
963 The "include" mechanism triggers a recursive evaluation of
964 check_host(). The domain-spec is expanded as per Section 8. Then
965 check_host() is evaluated with the resulting string as the <domain>.
966 The <ip> and <sender> arguments remain the same as in the current
967 evaluation of check_host().
968
969 In hindsight, the name "include" was poorly chosen. Only the
970 evaluated result of the referenced SPF record is used, rather than
971 acting as if the referenced SPF record was literally included in the
972 first. For example, evaluating a "-all" directive in the referenced
973 record does not terminate the overall processing and does not
974 necessarily result in an overall "Fail". (Better names for this
975 mechanism would have been "if-pass", "on-pass", etc.)
976
977 The "include" mechanism makes it possible for one domain to designate
978 multiple administratively-independent domains. For example, a vanity
979 domain "example.net" might send mail using the servers of
980 administratively-independent domains example.com and example.org.
981
982 Example.net could say
983
984 IN TXT "v=spf1 include:example.com include:example.org -all"
985
986 This would direct check_host() to, in effect, check the records of
987 example.com and example.org for a "Pass" result. Only if the host
988 were not permitted for either of those domains would the result be
989 "Fail".
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010Wong & Schlitt Experimental [Page 18]
1011
1012RFC 4408 Sender Policy Framework (SPF) April 2006
1013
1014
1015 Whether this mechanism matches, does not match, or throws an
1016 exception depends on the result of the recursive evaluation of
1017 check_host():
1018
1019 +---------------------------------+---------------------------------+
1020 | A recursive check_host() result | Causes the "include" mechanism |
1021 | of: | to: |
1022 +---------------------------------+---------------------------------+
1023 | Pass | match |
1024 | | |
1025 | Fail | not match |
1026 | | |
1027 | SoftFail | not match |
1028 | | |
1029 | Neutral | not match |
1030 | | |
1031 | TempError | throw TempError |
1032 | | |
1033 | PermError | throw PermError |
1034 | | |
1035 | None | throw PermError |
1036 +---------------------------------+---------------------------------+
1037
1038 The "include" mechanism is intended for crossing administrative
1039 boundaries. Although it is possible to use includes to consolidate
1040 multiple domains that share the same set of designated hosts, domains
1041 are encouraged to use redirects where possible, and to minimize the
1042 number of includes within a single administrative domain. For
1043 example, if example.com and example.org were managed by the same
1044 entity, and if the permitted set of hosts for both domains was
1045 "mx:example.com", it would be possible for example.org to specify
1046 "include:example.com", but it would be preferable to specify
1047 "redirect=example.com" or even "mx:example.com".
1048
10495.3. "a"
1050
1051 This mechanism matches if <ip> is one of the <target-name>'s IP
1052 addresses.
1053
1054 A = "a" [ ":" domain-spec ] [ dual-cidr-length ]
1055
1056 An address lookup is done on the <target-name>. The <ip> is compared
1057 to the returned address(es). If any address matches, the mechanism
1058 matches.
1059
1060
1061
1062
1063
1064
1065
1066Wong & Schlitt Experimental [Page 19]
1067
1068RFC 4408 Sender Policy Framework (SPF) April 2006
1069
1070
10715.4. "mx"
1072
1073 This mechanism matches if <ip> is one of the MX hosts for a domain
1074 name.
1075
1076 MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ]
1077
1078 check_host() first performs an MX lookup on the <target-name>. Then
1079 it performs an address lookup on each MX name returned. The <ip> is
1080 compared to each returned IP address. To prevent Denial of Service
1081 (DoS) attacks, more than 10 MX names MUST NOT be looked up during the
1082 evaluation of an "mx" mechanism (see Section 10). If any address
1083 matches, the mechanism matches.
1084
1085 Note regarding implicit MXs: If the <target-name> has no MX records,
1086 check_host() MUST NOT pretend the target is its single MX, and MUST
1087 NOT default to an A lookup on the <target-name> directly. This
1088 behavior breaks with the legacy "implicit MX" rule. See [RFC2821],
1089 Section 5. If such behavior is desired, the publisher should specify
1090 an "a" directive.
1091
10925.5. "ptr"
1093
1094 This mechanism tests whether the DNS reverse-mapping for <ip> exists
1095 and correctly points to a domain name within a particular domain.
1096
1097 PTR = "ptr" [ ":" domain-spec ]
1098
1099 First, the <ip>'s name is looked up using this procedure: perform a
1100 DNS reverse-mapping for <ip>, looking up the corresponding PTR record
1101 in "in-addr.arpa." if the address is an IPv4 one and in "ip6.arpa."
1102 if it is an IPv6 address. For each record returned, validate the
1103 domain name by looking up its IP address. To prevent DoS attacks,
1104 more than 10 PTR names MUST NOT be looked up during the evaluation of
1105 a "ptr" mechanism (see Section 10). If <ip> is among the returned IP
1106 addresses, then that domain name is validated. In pseudocode:
1107
1108 sending-domain_names := ptr_lookup(sending-host_IP); if more than 10
1109 sending-domain_names are found, use at most 10. for each name in
1110 (sending-domain_names) {
1111 IP_addresses := a_lookup(name);
1112 if the sending-domain_IP is one of the IP_addresses {
1113 validated-sending-domain_names += name;
1114 } }
1115
1116 Check all validated domain names to see if they end in the
1117 <target-name> domain. If any do, this mechanism matches. If no
1118 validated domain name can be found, or if none of the validated
1119
1120
1121
1122Wong & Schlitt Experimental [Page 20]
1123
1124RFC 4408 Sender Policy Framework (SPF) April 2006
1125
1126
1127 domain names end in the <target-name>, this mechanism fails to match.
1128 If a DNS error occurs while doing the PTR RR lookup, then this
1129 mechanism fails to match. If a DNS error occurs while doing an A RR
1130 lookup, then that domain name is skipped and the search continues.
1131
1132 Pseudocode:
1133
1134 for each name in (validated-sending-domain_names) {
1135 if name ends in <domain-spec>, return match.
1136 if name is <domain-spec>, return match.
1137 }
1138 return no-match.
1139
1140 This mechanism matches if the <target-name> is either an ancestor of
1141 a validated domain name or if the <target-name> and a validated
1142 domain name are the same. For example: "mail.example.com" is within
1143 the domain "example.com", but "mail.bad-example.com" is not.
1144
1145 Note: Use of this mechanism is discouraged because it is slow, it is
1146 not as reliable as other mechanisms in cases of DNS errors, and it
1147 places a large burden on the arpa name servers. If used, proper PTR
1148 records must be in place for the domain's hosts and the "ptr"
1149 mechanism should be one of the last mechanisms checked.
1150
11515.6. "ip4" and "ip6"
1152
1153 These mechanisms test whether <ip> is contained within a given IP
1154 network.
1155
1156 IP4 = "ip4" ":" ip4-network [ ip4-cidr-length ]
1157 IP6 = "ip6" ":" ip6-network [ ip6-cidr-length ]
1158
1159 ip4-cidr-length = "/" 1*DIGIT
1160 ip6-cidr-length = "/" 1*DIGIT
1161 dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
1162
1163 ip4-network = qnum "." qnum "." qnum "." qnum
1164 qnum = DIGIT ; 0-9
1165 / %x31-39 DIGIT ; 10-99
1166 / "1" 2DIGIT ; 100-199
1167 / "2" %x30-34 DIGIT ; 200-249
1168 / "25" %x30-35 ; 250-255
1169 ; as per conventional dotted quad notation. e.g., 192.0.2.0
1170 ip6-network = <as per [RFC 3513], section 2.2>
1171 ; e.g., 2001:DB8::CD30
1172
1173 The <ip> is compared to the given network. If CIDR-length high-order
1174 bits match, the mechanism matches.
1175
1176
1177
1178Wong & Schlitt Experimental [Page 21]
1179
1180RFC 4408 Sender Policy Framework (SPF) April 2006
1181
1182
1183 If ip4-cidr-length is omitted, it is taken to be "/32". If
1184 ip6-cidr-length is omitted, it is taken to be "/128". It is not
1185 permitted to omit parts of the IP address instead of using CIDR
1186 notations. That is, use 192.0.2.0/24 instead of 192.0.2.
1187
11885.7. "exists"
1189
1190 This mechanism is used to construct an arbitrary domain name that is
1191 used for a DNS A record query. It allows for complicated schemes
1192 involving arbitrary parts of the mail envelope to determine what is
1193 permitted.
1194
1195 exists = "exists" ":" domain-spec
1196
1197 The domain-spec is expanded as per Section 8. The resulting domain
1198 name is used for a DNS A RR lookup. If any A record is returned,
1199 this mechanism matches. The lookup type is A even when the
1200 connection type is IPv6.
1201
1202 Domains can use this mechanism to specify arbitrarily complex
1203 queries. For example, suppose example.com publishes the record:
1204
1205 v=spf1 exists:%{ir}.%{l1r+-}._spf.%{d} -all
1206
1207 The <target-name> might expand to
1208 "1.2.0.192.someuser._spf.example.com". This makes fine-grained
1209 decisions possible at the level of the user and client IP address.
1210
1211 This mechanism enables queries that mimic the style of tests that
1212 existing anti-spam DNS blacklists (DNSBL) use.
1213
12146. Modifier Definitions
1215
1216 Modifiers are name/value pairs that provide additional information.
1217 Modifiers always have an "=" separating the name and the value.
1218
1219 The modifiers defined in this document ("redirect" and "exp") MAY
1220 appear anywhere in the record, but SHOULD appear at the end, after
1221 all mechanisms. Ordering of these two modifiers does not matter.
1222 These two modifiers MUST NOT appear in a record more than once each.
1223 If they do, then check_host() exits with a result of "PermError".
1224
1225 Unrecognized modifiers MUST be ignored no matter where in a record,
1226 or how often. This allows implementations of this document to
1227 gracefully handle records with modifiers that are defined in other
1228 specifications.
1229
1230
1231
1232
1233
1234Wong & Schlitt Experimental [Page 22]
1235
1236RFC 4408 Sender Policy Framework (SPF) April 2006
1237
1238
12396.1. redirect: Redirected Query
1240
1241 If all mechanisms fail to match, and a "redirect" modifier is
1242 present, then processing proceeds as follows:
1243
1244 redirect = "redirect" "=" domain-spec
1245
1246 The domain-spec portion of the redirect section is expanded as per
1247 the macro rules in Section 8. Then check_host() is evaluated with
1248 the resulting string as the <domain>. The <ip> and <sender>
1249 arguments remain the same as current evaluation of check_host().
1250
1251 The result of this new evaluation of check_host() is then considered
1252 the result of the current evaluation with the exception that if no
1253 SPF record is found, or if the target-name is malformed, the result
1254 is a "PermError" rather than "None".
1255
1256 Note that the newly-queried domain may itself specify redirect
1257 processing.
1258
1259 This facility is intended for use by organizations that wish to apply
1260 the same record to multiple domains. For example:
1261
1262 la.example.com. TXT "v=spf1 redirect=_spf.example.com"
1263 ny.example.com. TXT "v=spf1 redirect=_spf.example.com"
1264 sf.example.com. TXT "v=spf1 redirect=_spf.example.com"
1265 _spf.example.com. TXT "v=spf1 mx:example.com -all"
1266
1267 In this example, mail from any of the three domains is described by
1268 the same record. This can be an administrative advantage.
1269
1270 Note: In general, the domain "A" cannot reliably use a redirect to
1271 another domain "B" not under the same administrative control. Since
1272 the <sender> stays the same, there is no guarantee that the record at
1273 domain "B" will correctly work for mailboxes in domain "A",
1274 especially if domain "B" uses mechanisms involving localparts. An
1275 "include" directive may be more appropriate.
1276
1277 For clarity, it is RECOMMENDED that any "redirect" modifier appear as
1278 the very last term in a record.
1279
12806.2. exp: Explanation
1281
1282 explanation = "exp" "=" domain-spec
1283
1284 If check_host() results in a "Fail" due to a mechanism match (such as
1285 "-all"), and the "exp" modifier is present, then the explanation
1286 string returned is computed as described below. If no "exp" modifier
1287
1288
1289
1290Wong & Schlitt Experimental [Page 23]
1291
1292RFC 4408 Sender Policy Framework (SPF) April 2006
1293
1294
1295 is present, then either a default explanation string or an empty
1296 explanation string may be returned.
1297
1298 The <domain-spec> is macro expanded (see Section 8) and becomes the
1299 <target-name>. The DNS TXT record for the <target-name> is fetched.
1300
1301 If <domain-spec> is empty, or there are any DNS processing errors
1302 (any RCODE other than 0), or if no records are returned, or if more
1303 than one record is returned, or if there are syntax errors in the
1304 explanation string, then proceed as if no exp modifier was given.
1305
1306 The fetched TXT record's strings are concatenated with no spaces, and
1307 then treated as an <explain-string>, which is macro-expanded. This
1308 final result is the explanation string. Implementations MAY limit
1309 the length of the resulting explanation string to allow for other
1310 protocol constraints and/or reasonable processing limits. Since the
1311 explanation string is intended for an SMTP response and [RFC2821]
1312 Section 2.4 says that responses are in [US-ASCII], the explanation
1313 string is also limited to US-ASCII.
1314
1315 Software evaluating check_host() can use this string to communicate
1316 information from the publishing domain in the form of a short message
1317 or URL. Software SHOULD make it clear that the explanation string
1318 comes from a third party. For example, it can prepend the macro
1319 string "%{o} explains: " to the explanation, such as shown in Section
1320 2.5.4.
1321
1322 Suppose example.com has this record:
1323
1324 v=spf1 mx -all exp=explain._spf.%{d}
1325
1326 Here are some examples of possible explanation TXT records at
1327 explain._spf.example.com:
1328
1329 "Mail from example.com should only be sent by its own servers."
1330 -- a simple, constant message
1331
1332 "%{i} is not one of %{d}'s designated mail servers."
1333 -- a message with a little more information, including the IP
1334 address that failed the check
1335
1336 "See http://%{d}/why.html?s=%{S}&i=%{I}"
1337 -- a complicated example that constructs a URL with the
1338 arguments to check_host() so that a web page can be
1339 generated with detailed, custom instructions
1340
1341 Note: During recursion into an "include" mechanism, an exp= modifier
1342 from the <target-name> MUST NOT be used. In contrast, when executing
1343
1344
1345
1346Wong & Schlitt Experimental [Page 24]
1347
1348RFC 4408 Sender Policy Framework (SPF) April 2006
1349
1350
1351 a "redirect" modifier, an exp= modifier from the original domain MUST
1352 NOT be used.
1353
13547. The Received-SPF Header Field
1355
1356 It is RECOMMENDED that SMTP receivers record the result of SPF
1357 processing in the message header. If an SMTP receiver chooses to do
1358 so, it SHOULD use the "Received-SPF" header field defined here for
1359 each identity that was checked. This information is intended for the
1360 recipient. (Information intended for the sender is described in
1361 Section 6.2, Explanation.)
1362
1363 The Received-SPF header field is a trace field (see [RFC2822] Section
1364 3.6.7) and SHOULD be prepended to the existing header, above the
1365 Received: field that is generated by the SMTP receiver. It MUST
1366 appear above all other Received-SPF fields in the message. The
1367 header field has the following format:
1368
1369 header-field = "Received-SPF:" [CFWS] result FWS [comment FWS]
1370 [ key-value-list ] CRLF
1371
1372 result = "Pass" / "Fail" / "SoftFail" / "Neutral" /
1373 "None" / "TempError" / "PermError"
1374
1375 key-value-list = key-value-pair *( ";" [CFWS] key-value-pair )
1376 [";"]
1377
1378 key-value-pair = key [CFWS] "=" ( dot-atom / quoted-string )
1379
1380 key = "client-ip" / "envelope-from" / "helo" /
1381 "problem" / "receiver" / "identity" /
1382 mechanism / "x-" name / name
1383
1384 identity = "mailfrom" ; for the "MAIL FROM" identity
1385 / "helo" ; for the "HELO" identity
1386 / name ; other identities
1387
1388 dot-atom = <unquoted word as per [RFC2822]>
1389 quoted-string = <quoted string as per [RFC2822]>
1390 comment = <comment string as per [RFC2822]>
1391 CFWS = <comment or folding white space as per [RFC2822]>
1392 FWS = <folding white space as per [RFC2822]>
1393 CRLF = <standard end-of-line token as per [RFC2822]>
1394
1395 The header field SHOULD include a "(...)" style <comment> after the
1396 result, conveying supporting information for the result, such as
1397 <ip>, <sender>, and <domain>.
1398
1399
1400
1401
1402Wong & Schlitt Experimental [Page 25]
1403
1404RFC 4408 Sender Policy Framework (SPF) April 2006
1405
1406
1407 The following key-value pairs are designed for later machine parsing.
1408 SPF clients SHOULD give enough information so that the SPF results
1409 can be verified. That is, at least "client-ip", "helo", and, if the
1410 "MAIL FROM" identity was checked, "envelope-from".
1411
1412 client-ip the IP address of the SMTP client
1413
1414 envelope-from the envelope sender mailbox
1415
1416 helo the host name given in the HELO or EHLO command
1417
1418 mechanism the mechanism that matched (if no mechanisms matched,
1419 substitute the word "default")
1420
1421 problem if an error was returned, details about the error
1422
1423 receiver the host name of the SPF client
1424
1425 identity the identity that was checked; see the <identity> ABNF
1426 rule
1427
1428 Other keys may be defined by SPF clients. Until a new key name
1429 becomes widely accepted, new key names should start with "x-".
1430
1431 SPF clients MUST make sure that the Received-SPF header field does
1432 not contain invalid characters, is not excessively long, and does not
1433 contain malicious data that has been provided by the sender.
1434
1435 Examples of various header styles that could be generated are the
1436 following:
1437
1438 Received-SPF: Pass (mybox.example.org: domain of
1439 myname@example.com designates 192.0.2.1 as permitted sender)
1440 receiver=mybox.example.org; client-ip=192.0.2.1;
1441 envelope-from=<myname@example.com>; helo=foo.example.com;
1442
1443 Received-SPF: Fail (mybox.example.org: domain of
1444 myname@example.com does not designate
1445 192.0.2.1 as permitted sender)
1446 identity=mailfrom; client-ip=192.0.2.1;
1447 envelope-from=<myname@example.com>;
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458Wong & Schlitt Experimental [Page 26]
1459
1460RFC 4408 Sender Policy Framework (SPF) April 2006
1461
1462
14638. Macros
1464
14658.1. Macro Definitions
1466
1467 Many mechanisms and modifiers perform macro expansion on part of the
1468 term.
1469
1470 domain-spec = macro-string domain-end
1471 domain-end = ( "." toplabel [ "." ] ) / macro-expand
1472
1473 toplabel = ( *alphanum ALPHA *alphanum ) /
1474 ( 1*alphanum "-" *( alphanum / "-" ) alphanum )
1475 ; LDH rule plus additional TLD restrictions
1476 ; (see [RFC3696], Section 2)
1477 alphanum = ALPHA / DIGIT
1478
1479 explain-string = *( macro-string / SP )
1480
1481 macro-string = *( macro-expand / macro-literal )
1482 macro-expand = ( "%{" macro-letter transformers *delimiter "}" )
1483 / "%%" / "%_" / "%-"
1484 macro-literal = %x21-24 / %x26-7E
1485 ; visible characters except "%"
1486 macro-letter = "s" / "l" / "o" / "d" / "i" / "p" / "h" /
1487 "c" / "r" / "t"
1488 transformers = *DIGIT [ "r" ]
1489 delimiter = "." / "-" / "+" / "," / "/" / "_" / "="
1490
1491 A literal "%" is expressed by "%%".
1492
1493 "%_" expands to a single " " space.
1494 "%-" expands to a URL-encoded space, viz., "%20".
1495
1496 The following macro letters are expanded in term arguments:
1497
1498 s = <sender>
1499 l = local-part of <sender>
1500 o = domain of <sender>
1501 d = <domain>
1502 i = <ip>
1503 p = the validated domain name of <ip>
1504 v = the string "in-addr" if <ip> is ipv4, or "ip6" if <ip> is ipv6
1505 h = HELO/EHLO domain
1506
1507
1508
1509
1510
1511
1512
1513
1514Wong & Schlitt Experimental [Page 27]
1515
1516RFC 4408 Sender Policy Framework (SPF) April 2006
1517
1518
1519 The following macro letters are allowed only in "exp" text:
1520
1521 c = SMTP client IP (easily readable format)
1522 r = domain name of host performing the check
1523 t = current timestamp
1524
1525 A '%' character not followed by a '{', '%', '-', or '_' character is
1526 a syntax error. So
1527
1528 -exists:%(ir).sbl.spamhaus.example.org
1529
1530 is incorrect and will cause check_host() to return a "PermError".
1531 Instead, say
1532
1533 -exists:%{ir}.sbl.spamhaus.example.org
1534
1535 Optional transformers are the following:
1536
1537 *DIGIT = zero or more digits
1538 'r' = reverse value, splitting on dots by default
1539
1540 If transformers or delimiters are provided, the replacement value for
1541 a macro letter is split into parts. After performing any reversal
1542 operation and/or removal of left-hand parts, the parts are rejoined
1543 using "." and not the original splitting characters.
1544
1545 By default, strings are split on "." (dots). Note that no special
1546 treatment is given to leading, trailing, or consecutive delimiters,
1547 and so the list of parts may contain empty strings. Older
1548 implementations of SPF prohibit trailing dots in domain names, so
1549 trailing dots should not be published by domain owners, although they
1550 must be accepted by implementations conforming to this document.
1551 Macros may specify delimiter characters that are used instead of ".".
1552
1553 The 'r' transformer indicates a reversal operation: if the client IP
1554 address were 192.0.2.1, the macro %{i} would expand to "192.0.2.1"
1555 and the macro %{ir} would expand to "1.2.0.192".
1556
1557 The DIGIT transformer indicates the number of right-hand parts to
1558 use, after optional reversal. If a DIGIT is specified, the value
1559 MUST be nonzero. If no DIGITs are specified, or if the value
1560 specifies more parts than are available, all the available parts are
1561 used. If the DIGIT was 5, and only 3 parts were available, the macro
1562 interpreter would pretend the DIGIT was 3. Implementations MUST
1563 support at least a value of 128, as that is the maximum number of
1564 labels in a domain name.
1565
1566
1567
1568
1569
1570Wong & Schlitt Experimental [Page 28]
1571
1572RFC 4408 Sender Policy Framework (SPF) April 2006
1573
1574
1575 The "s" macro expands to the <sender> argument. It is an E-Mail
1576 address with a localpart, an "@" character, and a domain. The "l"
1577 macro expands to just the localpart. The "o" macro expands to just
1578 the domain part. Note that these values remain the same during
1579 recursive and chained evaluations due to "include" and/or "redirect".
1580 Note also that if the original <sender> had no localpart, the
1581 localpart was set to "postmaster" in initial processing (see Section
1582 4.3).
1583
1584 For IPv4 addresses, both the "i" and "c" macros expand to the
1585 standard dotted-quad format.
1586
1587 For IPv6 addresses, the "i" macro expands to a dot-format address; it
1588 is intended for use in %{ir}. The "c" macro may expand to any of the
1589 hexadecimal colon-format addresses specified in [RFC3513], Section
1590 2.2. It is intended for humans to read.
1591
1592 The "p" macro expands to the validated domain name of <ip>. The
1593 procedure for finding the validated domain name is defined in Section
1594 5.5. If the <domain> is present in the list of validated domains, it
1595 SHOULD be used. Otherwise, if a subdomain of the <domain> is
1596 present, it SHOULD be used. Otherwise, any name from the list may be
1597 used. If there are no validated domain names or if a DNS error
1598 occurs, the string "unknown" is used.
1599
1600 The "r" macro expands to the name of the receiving MTA. This SHOULD
1601 be a fully qualified domain name, but if one does not exist (as when
1602 the checking is done by a MUA) or if policy restrictions dictate
1603 otherwise, the word "unknown" SHOULD be substituted. The domain name
1604 may be different from the name found in the MX record that the client
1605 MTA used to locate the receiving MTA.
1606
1607 The "t" macro expands to the decimal representation of the
1608 approximate number of seconds since the Epoch (Midnight, January 1,
1609 1970, UTC). This is the same value as is returned by the POSIX
1610 time() function in most standards-compliant libraries.
1611
1612 When the result of macro expansion is used in a domain name query, if
1613 the expanded domain name exceeds 253 characters (the maximum length
1614 of a domain name), the left side is truncated to fit, by removing
1615 successive domain labels until the total length does not exceed 253
1616 characters.
1617
1618 Uppercased macros expand exactly as their lowercased equivalents, and
1619 are then URL escaped. URL escaping must be performed for characters
1620 not in the "uric" set, which is defined in [RFC3986].
1621
1622
1623
1624
1625
1626Wong & Schlitt Experimental [Page 29]
1627
1628RFC 4408 Sender Policy Framework (SPF) April 2006
1629
1630
1631 Note: Care must be taken so that macro expansion for legitimate
1632 E-Mail does not exceed the 63-character limit on DNS labels. The
1633 localpart of E-Mail addresses, in particular, can have more than 63
1634 characters between dots.
1635
1636 Note: Domains should avoid using the "s", "l", "o", or "h" macros in
1637 conjunction with any mechanism directive. Although these macros are
1638 powerful and allow per-user records to be published, they severely
1639 limit the ability of implementations to cache results of check_host()
1640 and they reduce the effectiveness of DNS caches.
1641
1642 Implementations should be aware that if no directive processed during
1643 the evaluation of check_host() contains an "s", "l", "o", or "h"
1644 macro, then the results of the evaluation can be cached on the basis
1645 of <domain> and <ip> alone for as long as the shortest Time To Live
1646 (TTL) of all the DNS records involved.
1647
16488.2. Expansion Examples
1649
1650 The <sender> is strong-bad@email.example.com.
1651 The IPv4 SMTP client IP is 192.0.2.3.
1652 The IPv6 SMTP client IP is 2001:DB8::CB01.
1653 The PTR domain name of the client IP is mx.example.org.
1654
1655 macro expansion
1656 ------- ----------------------------
1657 %{s} strong-bad@email.example.com
1658 %{o} email.example.com
1659 %{d} email.example.com
1660 %{d4} email.example.com
1661 %{d3} email.example.com
1662 %{d2} example.com
1663 %{d1} com
1664 %{dr} com.example.email
1665 %{d2r} example.email
1666 %{l} strong-bad
1667 %{l-} strong.bad
1668 %{lr} strong-bad
1669 %{lr-} bad.strong
1670 %{l1r-} strong
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682Wong & Schlitt Experimental [Page 30]
1683
1684RFC 4408 Sender Policy Framework (SPF) April 2006
1685
1686
1687 macro-string expansion
1688 --------------------------------------------------------------------
1689 %{ir}.%{v}._spf.%{d2} 3.2.0.192.in-addr._spf.example.com
1690 %{lr-}.lp._spf.%{d2} bad.strong.lp._spf.example.com
1691
1692 %{lr-}.lp.%{ir}.%{v}._spf.%{d2}
1693 bad.strong.lp.3.2.0.192.in-addr._spf.example.com
1694
1695 %{ir}.%{v}.%{l1r-}.lp._spf.%{d2}
1696 3.2.0.192.in-addr.strong.lp._spf.example.com
1697
1698 %{d2}.trusted-domains.example.net
1699 example.com.trusted-domains.example.net
1700
1701 IPv6:
1702 %{ir}.%{v}._spf.%{d2} 1.0.B.C.0.0.0.0.
1703 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.ip6._spf.example.com
1704
17059. Implications
1706
1707 This section outlines the major implications that adoption of this
1708 document will have on various entities involved in Internet E-Mail.
1709 It is intended to make clear to the reader where this document
1710 knowingly affects the operation of such entities. This section is
1711 not a "how-to" manual, or a "best practices" document, and it is not
1712 a comprehensive list of what such entities should do in light of this
1713 document.
1714
1715 This section is non-normative.
1716
17179.1. Sending Domains
1718
1719 Domains that wish to be compliant with this specification will need
1720 to determine the list of hosts that they allow to use their domain
1721 name in the "HELO" and "MAIL FROM" identities. It is recognized that
1722 forming such a list is not just a simple technical exercise, but
1723 involves policy decisions with both technical and administrative
1724 considerations.
1725
1726 It can be helpful to publish records that include a "tracking
1727 exists:" mechanism. By looking at the name server logs, a rough list
1728 may then be generated. For example:
1729
1730 v=spf1 exists:_h.%{h}._l.%{l}._o.%{o}._i.%{i}._spf.%{d} ?all
1731
1732
1733
1734
1735
1736
1737
1738Wong & Schlitt Experimental [Page 31]
1739
1740RFC 4408 Sender Policy Framework (SPF) April 2006
1741
1742
17439.2. Mailing Lists
1744
1745 Mailing lists must be aware of how they re-inject mail that is sent
1746 to the list. Mailing lists MUST comply with the requirements in
1747 [RFC2821], Section 3.10, and [RFC1123], Section 5.3.6, that say that
1748 the reverse-path MUST be changed to be the mailbox of a person or
1749 other entity who administers the list. Whereas the reasons for
1750 changing the reverse-path are many and long-standing, SPF adds
1751 enforcement to this requirement.
1752
1753 In practice, almost all mailing list software in use already complies
1754 with this requirement. Mailing lists that do not comply may or may
1755 not encounter problems depending on how access to the list is
1756 restricted. Such lists that are entirely internal to a domain (only
1757 people in the domain can send to or receive from the list) are not
1758 affected.
1759
17609.3. Forwarding Services and Aliases
1761
1762 Forwarding services take mail that is received at a mailbox and
1763 direct it to some external mailbox. At the time of this writing, the
1764 near-universal practice of such services is to use the original "MAIL
1765 FROM" of a message when re-injecting it for delivery to the external
1766 mailbox. [RFC1123] and [RFC2821] describe this action as an "alias"
1767 rather than a "mail list". This means that the external mailbox's
1768 MTA sees all such mail in a connection from a host of the forwarding
1769 service, and so the "MAIL FROM" identity will not, in general, pass
1770 authorization.
1771
1772 There are three places that techniques can be used to ameliorate this
1773 problem.
1774
1775 1. The beginning, when E-Mail is first sent.
1776
1777 1. "Neutral" results could be given for IP addresses that may be
1778 forwarders, instead of "Fail" results. For example:
1779
1780 "v=spf1 mx -exists:%{ir}.sbl.spamhaus.example.org ?all"
1781
1782 This would cause a lookup on an anti-spam DNS blacklist
1783 (DNSBL) and cause a result of "Fail" only for E-Mail coming
1784 from listed sources. All other E-Mail, including E-Mail sent
1785 through forwarders, would receive a "Neutral" result. By
1786 checking the DNSBL after the known good sources, problems with
1787 incorrect listing on the DNSBL are greatly reduced.
1788
1789
1790
1791
1792
1793
1794Wong & Schlitt Experimental [Page 32]
1795
1796RFC 4408 Sender Policy Framework (SPF) April 2006
1797
1798
1799 2. The "MAIL FROM" identity could have additional information in
1800 the localpart that cryptographically identifies the mail as
1801 coming from an authorized source. In this case, such an SPF
1802 record could be used:
1803
1804 "v=spf1 mx exists:%{l}._spf_verify.%{d} -all"
1805
1806 Then, a specialized DNS server can be set up to serve the
1807 _spf_verify subdomain that validates the localpart. Although
1808 this requires an extra DNS lookup, this happens only when the
1809 E-Mail would otherwise be rejected as not coming from a known
1810 good source.
1811
1812 Note that due to the 63-character limit for domain labels,
1813 this approach only works reliably if the localpart signature
1814 scheme is guaranteed either to only produce localparts with a
1815 maximum of 63 characters or to gracefully handle truncated
1816 localparts.
1817
1818 3. Similarly, a specialized DNS server could be set up that will
1819 rate-limit the E-Mail coming from unexpected IP addresses.
1820
1821 "v=spf1 mx exists:%{ir}._spf_rate.%{d} -all"
1822
1823 4. SPF allows the creation of per-user policies for special
1824 cases. For example, the following SPF record and appropriate
1825 wildcard DNS records can be used:
1826
1827 "v=spf1 mx redirect=%{l1r+}._at_.%{o}._spf.%{d}"
1828
1829 2. The middle, when E-Mail is forwarded.
1830
1831 1. Forwarding services can solve the problem by rewriting the
1832 "MAIL FROM" to be in their own domain. This means that mail
1833 bounced from the external mailbox will have to be re-bounced
1834 by the forwarding service. Various schemes to do this exist
1835 though they vary widely in complexity and resource
1836 requirements on the part of the forwarding service.
1837
1838 2. Several popular MTAs can be forced from "alias" semantics to
1839 "mailing list" semantics by configuring an additional alias
1840 with "owner-" prepended to the original alias name (e.g., an
1841 alias of "friends: george@example.com, fred@example.org" would
1842 need another alias of the form "owner-friends: localowner").
1843
1844
1845
1846
1847
1848
1849
1850Wong & Schlitt Experimental [Page 33]
1851
1852RFC 4408 Sender Policy Framework (SPF) April 2006
1853
1854
1855 3. The end, when E-Mail is received.
1856
1857 1. If the owner of the external mailbox wishes to trust the
1858 forwarding service, he can direct the external mailbox's MTA
1859 to skip SPF tests when the client host belongs to the
1860 forwarding service.
1861
1862 2. Tests against other identities, such as the "HELO" identity,
1863 may be used to override a failed test against the "MAIL FROM"
1864 identity.
1865
1866 3. For larger domains, it may not be possible to have a complete
1867 or accurate list of forwarding services used by the owners of
1868 the domain's mailboxes. In such cases, whitelists of
1869 generally-recognized forwarding services could be employed.
1870
18719.4. Mail Services
1872
1873 Service providers that offer mail services to third-party domains,
1874 such as sending of bulk mail, may want to adjust their setup in light
1875 of the authorization check described in this document. If the "MAIL
1876 FROM" identity used for such E-Mail uses the domain of the service
1877 provider, then the provider needs only to ensure that its sending
1878 host is authorized by its own SPF record, if any.
1879
1880 If the "MAIL FROM" identity does not use the mail service provider's
1881 domain, then extra care must be taken. The SPF record format has
1882 several options for the third-party domain to authorize the service
1883 provider's MTAs to send mail on its behalf. For mail service
1884 providers, such as ISPs, that have a wide variety of customers using
1885 the same MTA, steps should be taken to prevent cross-customer forgery
1886 (see Section 10.4).
1887
18889.5. MTA Relays
1889
1890 The authorization check generally precludes the use of arbitrary MTA
1891 relays between sender and receiver of an E-Mail message.
1892
1893 Within an organization, MTA relays can be effectively deployed.
1894 However, for purposes of this document, such relays are effectively
1895 transparent. The SPF authorization check is a check between border
1896 MTAs of different domains.
1897
1898 For mail senders, this means that published SPF records must
1899 authorize any MTAs that actually send across the Internet. Usually,
1900 these are just the border MTAs as internal MTAs simply forward mail
1901 to these MTAs for delivery.
1902
1903
1904
1905
1906Wong & Schlitt Experimental [Page 34]
1907
1908RFC 4408 Sender Policy Framework (SPF) April 2006
1909
1910
1911 Mail receivers will generally want to perform the authorization check
1912 at the border MTAs, specifically including all secondary MXs. This
1913 allows mail that fails to be rejected during the SMTP session rather
1914 than bounced. Internal MTAs then do not perform the authorization
1915 test. To perform the authorization test other than at the border,
1916 the host that first transferred the message to the organization must
1917 be determined, which can be difficult to extract from the message
1918 header. Testing other than at the border is not recommended.
1919
192010. Security Considerations
1921
192210.1. Processing Limits
1923
1924 As with most aspects of E-Mail, there are a number of ways that
1925 malicious parties could use the protocol as an avenue for a
1926 Denial-of-Service (DoS) attack. The processing limits outlined here
1927 are designed to prevent attacks such as the following:
1928
1929 o A malicious party could create an SPF record with many references
1930 to a victim's domain and send many E-Mails to different SPF
1931 clients; those SPF clients would then create a DoS attack. In
1932 effect, the SPF clients are being used to amplify the attacker's
1933 bandwidth by using fewer bytes in the SMTP session than are used
1934 by the DNS queries. Using SPF clients also allows the attacker to
1935 hide the true source of the attack.
1936
1937 o Whereas implementations of check_host() are supposed to limit the
1938 number of DNS lookups, malicious domains could publish records
1939 that exceed these limits in an attempt to waste computation effort
1940 at their targets when they send them mail. Malicious domains
1941 could also design SPF records that cause particular
1942 implementations to use excessive memory or CPU usage, or to
1943 trigger bugs.
1944
1945 o Malicious parties could send a large volume of mail purporting to
1946 come from the intended target to a wide variety of legitimate mail
1947 hosts. These legitimate machines would then present a DNS load on
1948 the target as they fetched the relevant records.
1949
1950 Of these, the case of a third party referenced in the SPF record is
1951 the easiest for a DoS attack to effectively exploit. As a result,
1952 limits that may seem reasonable for an individual mail server can
1953 still allow an unreasonable amount of bandwidth amplification.
1954 Therefore, the processing limits need to be quite low.
1955
1956 SPF implementations MUST limit the number of mechanisms and modifiers
1957 that do DNS lookups to at most 10 per SPF check, including any
1958 lookups caused by the use of the "include" mechanism or the
1959
1960
1961
1962Wong & Schlitt Experimental [Page 35]
1963
1964RFC 4408 Sender Policy Framework (SPF) April 2006
1965
1966
1967 "redirect" modifier. If this number is exceeded during a check, a
1968 PermError MUST be returned. The "include", "a", "mx", "ptr", and
1969 "exists" mechanisms as well as the "redirect" modifier do count
1970 against this limit. The "all", "ip4", and "ip6" mechanisms do not
1971 require DNS lookups and therefore do not count against this limit.
1972 The "exp" modifier does not count against this limit because the DNS
1973 lookup to fetch the explanation string occurs after the SPF record
1974 has been evaluated.
1975
1976 When evaluating the "mx" and "ptr" mechanisms, or the %{p} macro,
1977 there MUST be a limit of no more than 10 MX or PTR RRs looked up and
1978 checked.
1979
1980 SPF implementations SHOULD limit the total amount of data obtained
1981 from the DNS queries. For example, when DNS over TCP or EDNS0 are
1982 available, there may need to be an explicit limit to how much data
1983 will be accepted to prevent excessive bandwidth usage or memory usage
1984 and DoS attacks.
1985
1986 MTAs or other processors MAY also impose a limit on the maximum
1987 amount of elapsed time to evaluate check_host(). Such a limit SHOULD
1988 allow at least 20 seconds. If such a limit is exceeded, the result
1989 of authorization SHOULD be "TempError".
1990
1991 Domains publishing records SHOULD try to keep the number of "include"
1992 mechanisms and chained "redirect" modifiers to a minimum. Domains
1993 SHOULD also try to minimize the amount of other DNS information
1994 needed to evaluate a record. This can be done by choosing directives
1995 that require less DNS information and placing lower-cost mechanisms
1996 earlier in the SPF record.
1997
1998 For example, consider a domain set up as follows:
1999
2000 example.com. IN MX 10 mx.example.com.
2001 mx.example.com. IN A 192.0.2.1
2002 a.example.com. IN TXT "v=spf1 mx:example.com -all"
2003 b.example.com. IN TXT "v=spf1 a:mx.example.com -all"
2004 c.example.com. IN TXT "v=spf1 ip4:192.0.2.1 -all"
2005
2006 Evaluating check_host() for the domain "a.example.com" requires the
2007 MX records for "example.com", and then the A records for the listed
2008 hosts. Evaluating for "b.example.com" requires only the A records.
2009 Evaluating for "c.example.com" requires none.
2010
2011 However, there may be administrative considerations: using "a" over
2012 "ip4" allows hosts to be renumbered easily. Using "mx" over "a"
2013 allows the set of mail hosts to be changed easily.
2014
2015
2016
2017
2018Wong & Schlitt Experimental [Page 36]
2019
2020RFC 4408 Sender Policy Framework (SPF) April 2006
2021
2022
202310.2. SPF-Authorized E-Mail May Contain Other False Identities
2024
2025 The "MAIL FROM" and "HELO" identity authorizations must not be
2026 construed to provide more assurance than they do. It is entirely
2027 possible for a malicious sender to inject a message using his own
2028 domain in the identities used by SPF, to have that domain's SPF
2029 record authorize the sending host, and yet the message can easily
2030 list other identities in its header. Unless the user or the MUA
2031 takes care to note that the authorized identity does not match the
2032 other more commonly-presented identities (such as the From: header
2033 field), the user may be lulled into a false sense of security.
2034
203510.3. Spoofed DNS and IP Data
2036
2037 There are two aspects of this protocol that malicious parties could
2038 exploit to undermine the validity of the check_host() function:
2039
2040 o The evaluation of check_host() relies heavily on DNS. A malicious
2041 attacker could attack the DNS infrastructure and cause
2042 check_host() to see spoofed DNS data, and then return incorrect
2043 results. This could include returning "Pass" for an <ip> value
2044 where the actual domain's record would evaluate to "Fail". See
2045 [RFC3833] for a description of DNS weaknesses.
2046
2047 o The client IP address, <ip>, is assumed to be correct. A
2048 malicious attacker could spoof TCP sequence numbers to make mail
2049 appear to come from a permitted host for a domain that the
2050 attacker is impersonating.
2051
205210.4. Cross-User Forgery
2053
2054 By definition, SPF policies just map domain names to sets of
2055 authorized MTAs, not whole E-Mail addresses to sets of authorized
2056 users. Although the "l" macro (Section 8) provides a limited way to
2057 define individual sets of authorized MTAs for specific E-Mail
2058 addresses, it is generally impossible to verify, through SPF, the use
2059 of specific E-Mail addresses by individual users of the same MTA.
2060
2061 It is up to mail services and their MTAs to directly prevent
2062 cross-user forgery: based on SMTP AUTH ([RFC2554]), users should be
2063 restricted to using only those E-Mail addresses that are actually
2064 under their control (see [RFC4409], Section 6.1). Another means to
2065 verify the identity of individual users is message cryptography such
2066 as PGP ([RFC2440]) or S/MIME ([RFC3851]).
2067
2068
2069
2070
2071
2072
2073
2074Wong & Schlitt Experimental [Page 37]
2075
2076RFC 4408 Sender Policy Framework (SPF) April 2006
2077
2078
207910.5. Untrusted Information Sources
2080
2081 SPF uses information supplied by third parties, such as the "HELO"
2082 domain name, the "MAIL FROM" address, and SPF records. This
2083 information is then passed to the receiver in the Received-SPF: trace
2084 fields and possibly returned to the client MTA in the form of an SMTP
2085 rejection message. This information must be checked for invalid
2086 characters and excessively long lines.
2087
2088 When the authorization check fails, an explanation string may be
2089 included in the reject response. Both the sender and the rejecting
2090 receiver need to be aware that the explanation was determined by the
2091 publisher of the SPF record checked and, in general, not the
2092 receiver. The explanation may contain malicious URLs, or it may be
2093 offensive or misleading.
2094
2095 This is probably less of a concern than it may initially seem since
2096 such messages are returned to the sender, and the explanation strings
2097 come from the sender policy published by the domain in the identity
2098 claimed by that very sender. As long as the DSN is not redirected to
2099 someone other than the actual sender, the only people who see
2100 malicious explanation strings are people whose messages claim to be
2101 from domains that publish such strings in their SPF records. In
2102 practice, DSNs can be misdirected, such as when an MTA accepts an
2103 E-Mail and then later generates a DSN to a forged address, or when an
2104 E-Mail forwarder does not direct the DSN back to the original sender.
2105
210610.6. Privacy Exposure
2107
2108 Checking SPF records causes DNS queries to be sent to the domain
2109 owner. These DNS queries, especially if they are caused by the
2110 "exists" mechanism, can contain information about who is sending
2111 E-Mail and likely to which MTA the E-Mail is being sent. This can
2112 introduce some privacy concerns, which may be more or less of an
2113 issue depending on local laws and the relationship between the domain
2114 owner and the person sending the E-Mail.
2115
211611. Contributors and Acknowledgements
2117
2118 This document is largely based on the work of Meng Weng Wong and Mark
2119 Lentczner. Although, as this section acknowledges, many people have
2120 contributed to this document, a very large portion of the writing and
2121 editing are due to Meng and Mark.
2122
2123 This design owes a debt of parentage to [RMX] by Hadmut Danisch and
2124 to [DMP] by Gordon Fecyk. The idea of using a DNS record to check
2125 the legitimacy of an E-Mail address traces its ancestry further back
2126 through messages on the namedroppers mailing list by Paul Vixie
2127
2128
2129
2130Wong & Schlitt Experimental [Page 38]
2131
2132RFC 4408 Sender Policy Framework (SPF) April 2006
2133
2134
2135 [Vixie] (based on suggestion by Jim Miller) and by David Green
2136 [Green].
2137
2138 Philip Gladstone contributed the concept of macros to the
2139 specification, multiplying the expressiveness of the language and
2140 making per-user and per-IP lookups possible.
2141
2142 The authors would also like to thank the literally hundreds of
2143 individuals who have participated in the development of this design.
2144 They are far too numerous to name, but they include the following:
2145
2146 The folks on the spf-discuss mailing list.
2147 The folks on the SPAM-L mailing list.
2148 The folks on the IRTF ASRG mailing list.
2149 The folks on the IETF MARID mailing list.
2150 The folks on #perl.
2151
215212. IANA Considerations
2153
215412.1. The SPF DNS Record Type
2155
2156 The IANA has assigned a new Resource Record Type and Qtype from the
2157 DNS Parameters Registry for the SPF RR type with code 99.
2158
215912.2. The Received-SPF Mail Header Field
2160
2161 Per [RFC3864], the "Received-SPF:" header field is added to the IANA
2162 Permanent Message Header Field Registry. The following is the
2163 registration template:
2164
2165 Header field name: Received-SPF
2166 Applicable protocol: mail ([RFC2822])
2167 Status: Experimental
2168 Author/Change controller: IETF
2169 Specification document(s): RFC 4408
2170 Related information:
2171 Requesting SPF Council review of any proposed changes and
2172 additions to this field are recommended. For information about
2173 the SPF Council see http://www.openspf.org/Council
2174
217513. References
2176
217713.1. Normative References
2178
2179 [RFC1035] Mockapetris, P., "Domain names - implementation and
2180 specification", STD 13, RFC 1035, November 1987.
2181
2182
2183
2184
2185
2186Wong & Schlitt Experimental [Page 39]
2187
2188RFC 4408 Sender Policy Framework (SPF) April 2006
2189
2190
2191 [RFC1123] Braden, R., "Requirements for Internet Hosts - Application
2192 and Support", STD 3, RFC 1123, October 1989.
2193
2194 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
2195 Requirement Levels", BCP 14, RFC 2119, March 1997.
2196
2197 [RFC2821] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
2198 April 2001.
2199
2200 [RFC2822] Resnick, P., "Internet Message Format", RFC 2822, April
2201 2001.
2202
2203 [RFC3464] Moore, K. and G. Vaudreuil, "An Extensible Message Format
2204 for Delivery Status Notifications", RFC 3464, January
2205 2003.
2206
2207 [RFC3513] Hinden, R. and S. Deering, "Internet Protocol Version 6
2208 (IPv6) Addressing Architecture", RFC 3513, April 2003.
2209
2210 [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration
2211 Procedures for Message Header Fields", BCP 90, RFC 3864,
2212 September 2004.
2213
2214 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
2215 Resource Identifier (URI): Generic Syntax", STD 66, RFC
2216 3986, January 2005.
2217
2218 [RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
2219 Specifications: ABNF", RFC 4234, October 2005.
2220
2221 [US-ASCII] American National Standards Institute (formerly United
2222 States of America Standards Institute), "USA Code for
2223 Information Interchange, X3.4", 1968.
2224
2225 ANSI X3.4-1968 has been replaced by newer versions with slight
2226 modifications, but the 1968 version remains definitive for
2227 the Internet.
2228
222913.2 Informative References
2230
2231 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
2232 STD 13, RFC 1034, November 1987.
2233
2234 [RFC1983] Malkin, G., "Internet Users' Glossary", RFC 1983, August
2235 1996.
2236
2237 [RFC2440] Callas, J., Donnerhacke, L., Finney, H., and R. Thayer,
2238 "OpenPGP Message Format", RFC 2440, November 1998.
2239
2240
2241
2242Wong & Schlitt Experimental [Page 40]
2243
2244RFC 4408 Sender Policy Framework (SPF) April 2006
2245
2246
2247 [RFC2554] Myers, J., "SMTP Service Extension for Authentication",
2248 RFC 2554, March 1999.
2249
2250 [RFC3696] Klensin, J., "Application Techniques for Checking and
2251 Transformation of Names", RFC 3696, February 2004.
2252
2253 [RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain
2254 Name System (DNS)", RFC 3833, August 2004.
2255
2256 [RFC3851] Ramsdell, B., "Secure/Multipurpose Internet Mail
2257 Extensions (S/MIME) Version 3.1 Message Specification",
2258 RFC 3851, July 2004.
2259
2260 [RFC4409] Gellens, R. and J. Klensin, "Message Submission for Mail",
2261 RFC 4409, April 2006.
2262
2263 [RMX] Danish, H., "The RMX DNS RR Type for light weight sender
2264 authentication", Work In Progress
2265
2266 [DMP] Fecyk, G., "Designated Mailers Protocol", Work In Progress
2267
2268 [Vixie] Vixie, P., "Repudiating MAIL FROM", 2002.
2269
2270 [Green] Green, D., "Domain-Authorized SMTP Mail", 2002.
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298Wong & Schlitt Experimental [Page 41]
2299
2300RFC 4408 Sender Policy Framework (SPF) April 2006
2301
2302
2303Appendix A. Collected ABNF
2304
2305 This section is normative and any discrepancies with the ABNF
2306 fragments in the preceding text are to be resolved in favor of this
2307 grammar.
2308
2309 See [RFC4234] for ABNF notation. Please note that as per this ABNF
2310 definition, literal text strings (those in quotes) are case-
2311 insensitive. Hence, "mx" matches "mx", "MX", "mX", and "Mx".
2312
2313 record = version terms *SP
2314 version = "v=spf1"
2315
2316 terms = *( 1*SP ( directive / modifier ) )
2317
2318 directive = [ qualifier ] mechanism
2319 qualifier = "+" / "-" / "?" / "~"
2320 mechanism = ( all / include
2321 / A / MX / PTR / IP4 / IP6 / exists )
2322
2323 all = "all"
2324 include = "include" ":" domain-spec
2325 A = "a" [ ":" domain-spec ] [ dual-cidr-length ]
2326 MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ]
2327 PTR = "ptr" [ ":" domain-spec ]
2328 IP4 = "ip4" ":" ip4-network [ ip4-cidr-length ]
2329 IP6 = "ip6" ":" ip6-network [ ip6-cidr-length ]
2330 exists = "exists" ":" domain-spec
2331
2332 modifier = redirect / explanation / unknown-modifier
2333 redirect = "redirect" "=" domain-spec
2334 explanation = "exp" "=" domain-spec
2335 unknown-modifier = name "=" macro-string
2336
2337 ip4-cidr-length = "/" 1*DIGIT
2338 ip6-cidr-length = "/" 1*DIGIT
2339 dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ]
2340
2341 ip4-network = qnum "." qnum "." qnum "." qnum
2342 qnum = DIGIT ; 0-9
2343 / %x31-39 DIGIT ; 10-99
2344 / "1" 2DIGIT ; 100-199
2345 / "2" %x30-34 DIGIT ; 200-249
2346 / "25" %x30-35 ; 250-255
2347 ; conventional dotted quad notation. e.g., 192.0.2.0
2348 ip6-network = <as per [RFC 3513], section 2.2>
2349 ; e.g., 2001:DB8::CD30
2350
2351
2352
2353
2354Wong & Schlitt Experimental [Page 42]
2355
2356RFC 4408 Sender Policy Framework (SPF) April 2006
2357
2358
2359 domain-spec = macro-string domain-end
2360 domain-end = ( "." toplabel [ "." ] ) / macro-expand
2361 toplabel = ( *alphanum ALPHA *alphanum ) /
2362 ( 1*alphanum "-" *( alphanum / "-" ) alphanum )
2363 ; LDH rule plus additional TLD restrictions
2364 ; (see [RFC3696], Section 2)
2365
2366 alphanum = ALPHA / DIGIT
2367
2368 explain-string = *( macro-string / SP )
2369
2370 macro-string = *( macro-expand / macro-literal )
2371 macro-expand = ( "%{" macro-letter transformers *delimiter "}" )
2372 / "%%" / "%_" / "%-"
2373 macro-literal = %x21-24 / %x26-7E
2374 ; visible characters except "%"
2375 macro-letter = "s" / "l" / "o" / "d" / "i" / "p" / "h" /
2376 "c" / "r" / "t"
2377 transformers = *DIGIT [ "r" ]
2378 delimiter = "." / "-" / "+" / "," / "/" / "_" / "="
2379
2380 name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." )
2381
2382 header-field = "Received-SPF:" [CFWS] result FWS [comment FWS]
2383 [ key-value-list ] CRLF
2384
2385 result = "Pass" / "Fail" / "SoftFail" / "Neutral" /
2386 "None" / "TempError" / "PermError"
2387
2388 key-value-list = key-value-pair *( ";" [CFWS] key-value-pair )
2389 [";"]
2390
2391 key-value-pair = key [CFWS] "=" ( dot-atom / quoted-string )
2392
2393 key = "client-ip" / "envelope-from" / "helo" /
2394 "problem" / "receiver" / "identity" /
2395 mechanism / "x-" name / name
2396
2397 identity = "mailfrom" ; for the "MAIL FROM" identity
2398 / "helo" ; for the "HELO" identity
2399 / name ; other identities
2400
2401 dot-atom = <unquoted word as per [RFC2822]>
2402 quoted-string = <quoted string as per [RFC2822]>
2403 comment = <comment string as per [RFC2822]>
2404 CFWS = <comment or folding white space as per [RFC2822]>
2405 FWS = <folding white space as per [RFC2822]>
2406 CRLF = <standard end-of-line token as per [RFC2822]>
2407
2408
2409
2410Wong & Schlitt Experimental [Page 43]
2411
2412RFC 4408 Sender Policy Framework (SPF) April 2006
2413
2414
2415Appendix B. Extended Examples
2416
2417 These examples are based on the following DNS setup:
2418
2419 ; A domain with two mail servers, two hosts
2420 ; and two servers at the domain name
2421 $ORIGIN example.com.
2422 @ MX 10 mail-a
2423 MX 20 mail-b
2424 A 192.0.2.10
2425 A 192.0.2.11
2426 amy A 192.0.2.65
2427 bob A 192.0.2.66
2428 mail-a A 192.0.2.129
2429 mail-b A 192.0.2.130
2430 www CNAME example.com.
2431
2432 ; A related domain
2433 $ORIGIN example.org.
2434 @ MX 10 mail-c
2435 mail-c A 192.0.2.140
2436
2437 ; The reverse IP for those addresses
2438 $ORIGIN 2.0.192.in-addr.arpa.
2439 10 PTR example.com.
2440 11 PTR example.com.
2441 65 PTR amy.example.com.
2442 66 PTR bob.example.com.
2443 129 PTR mail-a.example.com.
2444 130 PTR mail-b.example.com.
2445 140 PTR mail-c.example.org.
2446
2447 ; A rogue reverse IP domain that claims to be
2448 ; something it's not
2449 $ORIGIN 0.0.10.in-addr.arpa.
2450 4 PTR bob.example.com.
2451
2452B.1. Simple Examples
2453
2454 These examples show various possible published records for
2455 example.com and which values if <ip> would cause check_host() to
2456 return "Pass". Note that <domain> is "example.com".
2457
2458 v=spf1 +all
2459 -- any <ip> passes
2460
2461 v=spf1 a -all
2462 -- hosts 192.0.2.10 and 192.0.2.11 pass
2463
2464
2465
2466Wong & Schlitt Experimental [Page 44]
2467
2468RFC 4408 Sender Policy Framework (SPF) April 2006
2469
2470
2471 v=spf1 a:example.org -all
2472 -- no sending hosts pass since example.org has no A records
2473
2474 v=spf1 mx -all
2475 -- sending hosts 192.0.2.129 and 192.0.2.130 pass
2476
2477 v=spf1 mx:example.org -all
2478 -- sending host 192.0.2.140 passes
2479
2480 v=spf1 mx mx:example.org -all
2481 -- sending hosts 192.0.2.129, 192.0.2.130, and 192.0.2.140 pass
2482
2483 v=spf1 mx/30 mx:example.org/30 -all
2484 -- any sending host in 192.0.2.128/30 or 192.0.2.140/30 passes
2485
2486 v=spf1 ptr -all
2487 -- sending host 192.0.2.65 passes (reverse DNS is valid and is in
2488 example.com)
2489 -- sending host 192.0.2.140 fails (reverse DNS is valid, but not
2490 in example.com)
2491 -- sending host 10.0.0.4 fails (reverse IP is not valid)
2492
2493 v=spf1 ip4:192.0.2.128/28 -all
2494 -- sending host 192.0.2.65 fails
2495 -- sending host 192.0.2.129 passes
2496
2497B.2. Multiple Domain Example
2498
2499 These examples show the effect of related records:
2500
2501 example.org: "v=spf1 include:example.com include:example.net -all"
2502
2503 This record would be used if mail from example.org actually came
2504 through servers at example.com and example.net. Example.org's
2505 designated servers are the union of example.com's and example.net's
2506 designated servers.
2507
2508 la.example.org: "v=spf1 redirect=example.org"
2509 ny.example.org: "v=spf1 redirect=example.org"
2510 sf.example.org: "v=spf1 redirect=example.org"
2511
2512 These records allow a set of domains that all use the same mail
2513 system to make use of that mail system's record. In this way, only
2514 the mail system's record needs to be updated when the mail setup
2515 changes. These domains' records never have to change.
2516
2517
2518
2519
2520
2521
2522Wong & Schlitt Experimental [Page 45]
2523
2524RFC 4408 Sender Policy Framework (SPF) April 2006
2525
2526
2527B.3. DNSBL Style Example
2528
2529 Imagine that, in addition to the domain records listed above, there
2530 are these:
2531
2532 $ORIGIN _spf.example.com. mary.mobile-users A
2533 127.0.0.2 fred.mobile-users A 127.0.0.2
2534 15.15.168.192.joel.remote-users A 127.0.0.2
2535 16.15.168.192.joel.remote-users A 127.0.0.2
2536
2537 The following records describe users at example.com who mail from
2538 arbitrary servers, or who mail from personal servers.
2539
2540 example.com:
2541
2542 v=spf1 mx
2543 include:mobile-users._spf.%{d}
2544 include:remote-users._spf.%{d}
2545 -all
2546
2547 mobile-users._spf.example.com:
2548
2549 v=spf1 exists:%{l1r+}.%{d}
2550
2551 remote-users._spf.example.com:
2552
2553 v=spf1 exists:%{ir}.%{l1r+}.%{d}
2554
2555B.4. Multiple Requirements Example
2556
2557 Say that your sender policy requires both that the IP address is
2558 within a certain range and that the reverse DNS for the IP matches.
2559 This can be done several ways, including the following:
2560
2561 example.com. SPF ( "v=spf1 "
2562 "-include:ip4._spf.%{d} "
2563 "-include:ptr._spf.%{d} "
2564 "+all" )
2565 ip4._spf.example.com. SPF "v=spf1 -ip4:192.0.2.0/24 +all"
2566 ptr._spf.example.com. SPF "v=spf1 -ptr +all"
2567
2568 This example shows how the "-include" mechanism can be useful, how an
2569 SPF record that ends in "+all" can be very restrictive, and the use
2570 of De Morgan's Law.
2571
2572
2573
2574
2575
2576
2577
2578Wong & Schlitt Experimental [Page 46]
2579
2580RFC 4408 Sender Policy Framework (SPF) April 2006
2581
2582
2583Authors' Addresses
2584
2585 Meng Weng Wong
2586 Singapore
2587
2588 EMail: mengwong+spf@pobox.com
2589
2590
2591 Wayne Schlitt
2592 4615 Meredeth #9
2593 Lincoln Nebraska, NE 68506
2594 United States of America
2595
2596 EMail: wayne@schlitt.net
2597 URI: http://www.schlitt.net/spf/
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634Wong & Schlitt Experimental [Page 47]
2635
2636RFC 4408 Sender Policy Framework (SPF) April 2006
2637
2638
2639Full Copyright Statement
2640
2641 Copyright (C) The Internet Society (2006).
2642
2643 This document is subject to the rights, licenses and restrictions
2644 contained in BCP 78, and except as set forth therein, the authors
2645 retain all their rights.
2646
2647 This document and the information contained herein are provided on an
2648 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
2649 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
2650 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
2651 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
2652 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
2653 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
2654
2655Intellectual Property
2656
2657 The IETF takes no position regarding the validity or scope of any
2658 Intellectual Property Rights or other rights that might be claimed to
2659 pertain to the implementation or use of the technology described in
2660 this document or the extent to which any license under such rights
2661 might or might not be available; nor does it represent that it has
2662 made any independent effort to identify any such rights. Information
2663 on the procedures with respect to rights in RFC documents can be
2664 found in BCP 78 and BCP 79.
2665
2666 Copies of IPR disclosures made to the IETF Secretariat and any
2667 assurances of licenses to be made available, or the result of an
2668 attempt made to obtain a general license or permission for the use of
2669 such proprietary rights by implementers or users of this
2670 specification can be obtained from the IETF on-line IPR repository at
2671 http://www.ietf.org/ipr.
2672
2673 The IETF invites any interested party to bring to its attention any
2674 copyrights, patents or patent applications, or other proprietary
2675 rights that may cover technology that may be required to implement
2676 this standard. Please address the information to the IETF at
2677 ietf-ipr@ietf.org.
2678
2679Acknowledgement
2680
2681 Funding for the RFC Editor function is provided by the IETF
2682 Administrative Support Activity (IASA).
2683
2684
2685
2686
2687
2688
2689
2690Wong & Schlitt Experimental [Page 48]
2691
2692