The Solution: SPF
The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery. More precisely, the current version of SPF, called SPFv1 or SPF Classic, protects the envelope sender address: the MAIL FROM (Return-Path) address exchanged between mail servers during SMTP delivery, as opposed to the From: header address that the recipient's mail client displays.
(There are other solutions that protect the header sender address or that do not care at all about who sent the message, only who originally wrote it.)
Even more precisely, SPFv1 allows the owner of a domain to specify their mail sending policy, e.g. which mail servers they use to send mail from their domain. The technology requires two sides to play together: (1) the domain owner publishes this information in an SPF record in the domain's DNS zone, and when someone else's mail server receives a message claiming to come from that domain, then (2) the receiving server can check whether the message complies with the domain's stated policy. If, e.g., the message comes from a server the policy does not authorize, it can be considered a fake.
Once you are confident about the authenticity of the sender address, you can finally "take it for real" and attach reputation to it. While IP-address-based reputation systems like Spamhaus or SpamCop have prevailed so far, reputation will increasingly be based on domains and even individual e-mail addresses in the future, too. Furthermore, additional kinds of policies are planned for a future version of SPF, such as asserting that all of a domain's outgoing mail is S/MIME or PGP signed.
An Example Policy
Let's look at an example to give you an idea of how SPF works. Bob owns the domain example.net. He also sometimes sends mail through his GMail account and contacted GMail's support to identify the correct SPF record for GMail. Since he often receives bounces about messages he didn't send, he decides to publish an SPF record in order to reduce the abuse of his domain in e-mail envelopes:
example.net. TXT "v=spf1 mx a:pluto.example.net include:aspmx.googlemail.com -all"
The parts of the SPF record mean the following:
v=spf1: SPF version 1
mx: the incoming mail servers (MXes) of the domain are authorized to also send mail for example.net
a:pluto.example.net: the machine pluto.example.net is authorized, too
include:aspmx.googlemail.com: everything considered legitimate by the SPF record of aspmx.googlemail.com (GMail's outgoing mail servers) is legitimate for example.net, too
-all: all other machines are not authorized
This example demonstrates but a small part of SPF's expressiveness. Do not take it as a guideline for building your own record; things might not work out as you expect and legitimate messages might get blocked! Instead, learn more about the record syntax, or get the complete picture by studying the full specification. Community support is available.
The domain sender policies alone are not worth much — it is the receiving mail servers that need to enforce them. Most mail servers support SPF checking either natively or through extensions. Again, you can get community support.
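To make the two sides described above concrete, here is a small SPF evaluator that plays the role of the receiving server: it fetches the domain's SPF record, walks the mechanisms in order (mx, a, include, ip4/ip6, all, with the +, -, ~ and ? qualifiers) and returns the SPF result for a given connecting IP address. This is an added illustration written for this page, not code from the SPF project or from any mail server. DNS is replaced by a constructed in-memory table so the code runs offline; the record and addresses attributed to aspmx.googlemail.com in that table are made up for the example and are not Google's real SPF data. Macros, redirect=, exp=, ptr and exists are deliberately left out, and the recursion guard is only a crude stand-in for the RFC 7208 limit of ten DNS-querying mechanisms per check.

```python
import ipaddress

# Constructed stand-in for DNS (assumed data, not real zone contents).
# A production checker would query DNS instead of this table.
FAKE_DNS = {
    "example.net": {
        "TXT": ["v=spf1 mx a:pluto.example.net include:aspmx.googlemail.com -all"],
        "MX": ["mail.example.net"],
    },
    "mail.example.net": {"A": ["192.0.2.10"]},
    "pluto.example.net": {"A": ["192.0.2.20"]},
    # Fictional policy for the included domain (the real one differs).
    "aspmx.googlemail.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of type rtype for name from the constructed table."""
    return FAKE_DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Return the single SPFv1 TXT record of domain, or None if there is
    none or more than one (RFC 7208 treats multiple records as an error)."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def host_matches(ip, hostname, cidr):
    """True if ip falls within any A record of hostname, widened to /cidr."""
    return any(ip in ipaddress.ip_network(f"{a}/{cidr}", strict=False)
               for a in lookup(hostname, "A"))


def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF policy for a connection from ip.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:                       # crude guard against include loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term.split(":")[0]:    # modifier (redirect=, exp=): not handled here
            continue
        qual = "+"                       # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # Address-family mismatch simply yields False here.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            name, _, cidr1 = name.partition("/")   # "mx/24"
            arg, _, cidr2 = arg.partition("/")     # "a:host/24"
            cidr = int(cidr1 or cidr2 or 32)
            if name == "a":
                matched = host_matches(ip, arg or domain, cidr)
            elif name == "mx":
                matched = any(host_matches(ip, mx, cidr)
                              for mx in lookup(arg or domain, "MX"))
            elif name == "include":
                # include matches only if the included policy yields "pass";
                # fail/softfail/neutral there just move on to the next term.
                sub = check_host(str(ip), arg, depth + 1)
                if sub == "permerror":
                    return "permerror"
                matched = sub == "pass"
            else:
                return "permerror"       # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                     # nothing matched and no "all" term


if __name__ == "__main__":
    for sender_ip in ("192.0.2.10", "192.0.2.20", "198.51.100.7", "203.0.113.5"):
        print(sender_ip, "->", check_host(sender_ip, "example.net"))
```

Against the example record, mail from the MX (192.0.2.10), from pluto (192.0.2.20) and from an address inside the included policy's ip4 range passes, while any other address reaches -all and fails; a domain with no SPF record yields "none", which a receiver must not treat as a failure. For production use, rely on your MTA's SPF support or an established library rather than a hand-rolled checker, since the omitted features (macros, redirect=, the lookup limit) matter for real-world records.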