docker-mailserver/docs/content/config/best-practices/spf.md
Frederic Werner e20a66864a
docs(deps): bump mkdocs-material to 7.1.6 (#2015)
* docs(deps): bump mkdocs-material to 7.1.6

* chore: trigger preview on changes to preview workflows too

* fix: replace deprecated admonition

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2021-05-31 19:02:56 +12:00

2.4 KiB

title hide
Best Practices | SPF
toc

From Wikipedia:

!!! quote Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques.

!!! note For a more technical review: https://github.com/internetstandards/toolbox-wiki/blob/master/SPF-how-to.md

Add a SPF Record

To add a SPF record in your DNS, insert the following line in your DNS zone:

; MX record must be declared for SPF to work
domain.com. IN  MX 1 mail.domain.com.

; SPF record
domain.com. IN TXT "v=spf1 mx ~all" 

This enables the Softfail mode for SPF. You could first add this SPF record with a very low TTL.
SoftFail is a good setting for getting started and testing, as it lets all email through, with spams tagged as such in the mailbox.

After verification, you might want to change your SPF record to v=spf1 mx -all so as to enforce the HardFail policy. See http://www.open-spf.org/SPF_Record_Syntax for more details about SPF policies.

In any case, increment the SPF record's TTL to its final value.

Backup MX, Secondary MX

For whitelisting a IP Address from the SPF test, you can create a config file (see policyd-spf.conf) and mount that file into /etc/postfix-policyd-spf-python/policyd-spf.conf.

Example:

Create and edit a policyd-spf.conf file here /<your docker-mailserver dir>/config/postfix-policyd-spf.conf:

debugLevel = 1
#0(only errors)-4(complete data received)

skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1

# Preferably use IP-Addresses for whitelist lookups:
Whitelist = 192.168.0.0/31,192.168.1.0/30
# Domain_Whitelist = mx1.mybackupmx.com,mx2.mybackupmx.com

Then add this line to docker-compose.yml:

volumes:
  - ./config/postfix-policyd-spf.conf:/etc/postfix-policyd-spf-python/policyd-spf.conf