diff options
Diffstat (limited to 'doc/rfc/rfc7208.txt')
-rw-r--r-- | doc/rfc/rfc7208.txt | 3587 |
1 files changed, 3587 insertions, 0 deletions
diff --git a/doc/rfc/rfc7208.txt b/doc/rfc/rfc7208.txt new file mode 100644 index 0000000..13b7499 --- /dev/null +++ b/doc/rfc/rfc7208.txt @@ -0,0 +1,3587 @@ + + + + + + +Internet Engineering Task Force (IETF) S. Kitterman +Request for Comments: 7208 Kitterman Technical Services +Obsoletes: 4408 April 2014 +Category: Standards Track +ISSN: 2070-1721 + + + Sender Policy Framework (SPF) + for Authorizing Use of Domains in Email, Version 1 + +Abstract + + Email on the Internet can be forged in a number of ways. In + particular, existing protocols place no restriction on what a sending + host can use as the "MAIL FROM" of a message or the domain given on + the SMTP HELO/EHLO commands. This document describes version 1 of + the Sender Policy Framework (SPF) protocol, whereby ADministrative + Management Domains (ADMDs) can explicitly authorize the hosts that + are allowed to use their domain names, and a receiving host can check + such authorization. + + This document obsoletes RFC 4408. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7208. + + + + + + + + + + + + + + + +Kitterman Standards Track [Page 1] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +Copyright Notice + + Copyright (c) 2014 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + + This document may contain material from IETF Documents or IETF + Contributions published or made publicly available before November + 10, 2008. The person(s) controlling the copyright in some of this + material may not have granted the IETF Trust the right to allow + modifications of such material outside the IETF Standards Process. + Without obtaining an adequate license from the person(s) controlling + the copyright in such materials, this document may not be modified + outside the IETF Standards Process, and derivative works of it may + not be created outside the IETF Standards Process, except to format + it for publication as an RFC or to translate it into languages other + than English. + +Table of Contents + + 1. Introduction ....................................................5 + 1.1. Terminology ................................................5 + 1.1.1. Key Words ...........................................5 + 1.1.2. Imported Definitions ................................5 + 1.1.3. MAIL FROM Definition ................................6 + 1.1.4. HELO Definition .....................................6 + 1.2. check_host() ...............................................6 + 2. Operational Overview ............................................6 + 2.1. Publishing Authorization ...................................6 + 2.2. Checking Authorization .....................................7 + 2.3. The "HELO" Identity ........................................8 + 2.4. The "MAIL FROM" Identity ...................................9 + 2.5. Location of Checks .........................................9 + 2.6. Results of Evaluation ......................................9 + 2.6.1. None ...............................................10 + 2.6.2. Neutral ............................................10 + 2.6.3. Pass ...............................................10 + 2.6.4. Fail ...............................................10 + + + + +Kitterman Standards Track [Page 2] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + 2.6.5. Softfail ...........................................10 + 2.6.6. Temperror ..........................................10 + 2.6.7. Permerror ..........................................10 + 3. SPF Records ....................................................11 + 3.1. DNS Resource Records ......................................11 + 3.2. Multiple DNS Records ......................................12 + 3.3. Multiple Strings in a Single DNS Record ...................12 + 3.4. Record Size ...............................................13 + 3.5. Wildcard Records ..........................................13 + 4. The check_host() Function ......................................14 + 4.1. Arguments .................................................14 + 4.2. Results ...................................................15 + 4.3. Initial Processing ........................................15 + 4.4. Record Lookup .............................................15 + 4.5. Selecting Records .........................................15 + 4.6. Record Evaluation .........................................16 + 4.6.1. Term Evaluation ....................................16 + 4.6.2. Mechanisms .........................................16 + 4.6.3. Modifiers ..........................................17 + 4.6.4. DNS Lookup Limits ..................................17 + 4.7. Default Result ............................................18 + 4.8. Domain Specification ......................................19 + 5. Mechanism Definitions ..........................................20 + 5.1. "all" .....................................................21 + 5.2. "include" .................................................21 + 5.3. "a" .......................................................23 + 5.4. "mx" ......................................................23 + 5.5. "ptr" (do not use) ........................................23 + 5.6. "ip4" and "ip6" ...........................................25 + 5.7. "exists" ..................................................25 + 6. Modifier Definitions ...........................................26 + 6.1. redirect: Redirected Query ................................26 + 6.2. exp: Explanation ..........................................27 + 7. Macros .........................................................28 + 7.1. Formal Specification ......................................29 + 7.2. Macro Definitions .........................................29 + 7.3. Macro Processing Details ..................................30 + 7.4. Expansion Examples ........................................32 + 8. Result Handling ................................................33 + 8.1. None ......................................................34 + 8.2. Neutral ...................................................34 + 8.3. Pass ......................................................34 + 8.4. Fail ......................................................35 + 8.5. Softfail ..................................................35 + 8.6. Temperror .................................................36 + 8.7. Permerror .................................................36 + + + + + +Kitterman Standards Track [Page 3] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + 9. Recording the Result ...........................................36 + 9.1. The Received-SPF Header Field .............................37 + 9.2. SPF Results in the Authentication-Results Header Field ....39 + 10. Effects on Infrastructure .....................................39 + 10.1. Sending Domains ..........................................40 + 10.1.1. DNS Resource Considerations .......................40 + 10.1.2. Administrator's Considerations ....................41 + 10.1.3. Bounces ...........................................41 + 10.2. Receivers ................................................42 + 10.3. Mediators ................................................42 + 11. Security Considerations .......................................43 + 11.1. Processing Limits ........................................43 + 11.2. SPF-Authorized Email May Contain Other False Identities ..44 + 11.3. Spoofed DNS and IP Data ..................................44 + 11.4. Cross-User Forgery .......................................44 + 11.5. Untrusted Information Sources ............................45 + 11.5.1. Recorded Results ..................................45 + 11.5.2. External Explanations .............................45 + 11.5.3. Macro Expansion ...................................46 + 11.6. Privacy Exposure .........................................46 + 11.7. Delivering Mail Producing a "Fail" Result ................46 + 12. Collected ABNF ................................................46 + 13. Contributors and Acknowledgements .............................48 + 14. IANA Considerations ...........................................49 + 14.1. The SPF DNS Record Type ..................................49 + 14.2. The Received-SPF Mail Header Field .......................50 + 14.3. SPF Modifier Registry ....................................50 + 15. References ....................................................50 + 15.1. Normative References .....................................50 + 15.2. Informative References ...................................51 + Appendix A. Extended Examples .....................................54 + A.1. Simple Examples ............................................55 + A.2. Multiple Domain Example ....................................56 + A.3. DNS Blacklist (DNSBL) Style Example ........................56 + A.4. Multiple Requirements Example ..............................57 + Appendix B. Changes in Implementation Requirements from RFC 4408 ..57 + Appendix C. Further Testing Advice ................................58 + Appendix D. SPF/Mediator Interactions .............................59 + D.1. Originating ADMDs ..........................................59 + D.2. Mediators ..................................................60 + D.3. Receiving ADMDs ............................................60 + Appendix E. Mail Services .........................................61 + Appendix F. MTA Relays ............................................61 + Appendix G. Local Policy Considerations ...........................62 + G.1. Policy for SPF Pass ........................................62 + G.2. Policy for SPF Fail ........................................62 + G.3. Policy for SPF Permerror ...................................63 + G.4. Policy for SPF Temperror ...................................63 + + + +Kitterman Standards Track [Page 4] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +1. Introduction + + The current email infrastructure has the property that any host + injecting mail into the system can use any DNS domain name it wants + in each of the various identifiers specified by [RFC5321] and + [RFC5322]. Although this feature is desirable in some circumstances, + it is a major obstacle to reducing Unsolicited Bulk Email (UBE, aka + spam). Furthermore, ADMDs (as described in [RFC5598]) are + understandably concerned about the ease with which other entities can + make use of their domain names, often with malicious intent. + + This document defines a protocol by which ADMDs can authorize hosts + to use their domain names in the "MAIL FROM" or "HELO" identities. + Compliant ADMDs publish Sender Policy Framework (SPF) records in the + DNS specifying which hosts are permitted to use their names, and + compliant mail receivers use the published SPF records to test the + authorization of sending Mail Transfer Agents (MTAs) using a given + "HELO" or "MAIL FROM" identity during a mail transaction. + + An additional benefit to mail receivers is that after the use of an + identity is verified, local policy decisions about the mail can be + made based on the sender's domain, rather than the host's IP address. + This is advantageous because reputation of domain names is likely to + be more accurate than reputation of host IP addresses since domains + are likely to be more stable over a longer period. Furthermore, if a + claimed identity fails verification, local policy can take stronger + action against such email, such as rejecting it. + +1.1. Terminology + +1.1.1. Key Words + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + [RFC2119]. + +1.1.2. Imported Definitions + + ABNF (Augmented Backus-Naur Form) ABNF is defined in [RFC5234], as + are the tokens "ALPHA", "DIGIT", and "SP" (space). + + The tokens "Local-part", "Domain", and "Mailbox" are defined in + [RFC5321]. + + "dot-atom", "quoted-string", "comment", "CFWS" (comment folded white + space), "FWS" (folded white space), and "CRLF" (carriage-return/ + line-feed) are defined in [RFC5322]. + + + +Kitterman Standards Track [Page 5] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +1.1.3. MAIL FROM Definition + + This document is concerned with the identity of the sender of a mail + message, as referred to in [RFC5321]: + + The transaction starts with a MAIL command that gives the sender + identification. + + Since there are many other names for this identity, it is important + to choose a name that is: + + 1. commonly used + + 2. well defined + + As such, throughout this document the term "MAIL FROM" will be used, + which is defined as the RFC5321.MailFrom (reverse-path) identity + described in [RFC5598]. + +1.1.4. HELO Definition + + This document also makes use of the HELO/EHLO identity. The "HELO" + identity derives from either the SMTP HELO or EHLO command (see + [RFC5321]). Since HELO and EHLO can, in many cases, be used + interchangeably, they are identified commonly as "HELO" in this + document. This means RFC5321.HELO/.EHLO as defined in [RFC5598]. + These commands supply the identity of the SMTP client (sending host) + for the SMTP session. + +1.2. check_host() + + Section 4 introduces an algorithm to evaluate an SPF policy against + an arriving email transaction. In an early implementation, this + algorithm was encoded in a function called check_host(). That name + is used in this document as symbolic of the SPF evaluation algorithm, + but of course implementers are not required to use this name. + +2. Operational Overview + +2.1. Publishing Authorization + + An SPF-compliant domain publishes valid SPF records as described in + Section 3. These records authorize the use of the relevant domain + names in the "HELO" and "MAIL FROM" identities by the MTAs specified + therein. + + + + + + +Kitterman Standards Track [Page 6] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + SPF results can be used to make both positive (source is authorized) + and negative (source is not authorized) determinations. If ADMDs + choose to publish SPF records and want to support receivers making + negative authorization determinations, it is necessary for them to + publish records that end in "-all", or redirect to other records that + do; otherwise, no definitive determination of authorization can be + made. Potential issues and mitigations associated with negative + determinations are discussed in Section 10. + + ADMDs that wish to declare that no hosts are authorized to use their + DNS domain names in the HELO or MAIL FROM commands during SMTP + sessions can publish SPF records that say so for domain names that + are neither used in the domain part of email addresses nor expected + to originate mail. + + When changing SPF records, care has to be taken to ensure that there + is a transition period so that the old policy remains valid until all + legitimate email can reasonably expect to have been checked. + [RFC5321], Section 4.5.4.1 discusses how long a message might be in + transit. While offline checks are possible, the closer to the + original transmission time checks are performed, the more likely they + are to get an SPF result that matches the sending ADMD intent at the + time the message was sent. + +2.2. Checking Authorization + + A mail receiver can perform a set of SPF checks for each mail message + it receives. An SPF check tests the authorization of a client host + to emit mail with a given identity. Typically, such checks are done + by a receiving MTA, but can be performed elsewhere in the mail + processing chain so long as the required information is available and + reliable. The "MAIL FROM" and "HELO" identities are checked as + described in Sections 2.4 and 2.3, respectively. + + Without explicit approval of the publishing ADMD, checking other + identities against SPF version 1 records is NOT RECOMMENDED because + there are cases that are known to give incorrect results. For + example, almost all mailing lists rewrite the "MAIL FROM" identity + (see Section 10.3), but some do not change any other identities in + the message. Documents that define other identities will have to + define the method for explicit approval. + + It is possible that mail receivers will use the SPF check as part of + a larger set of tests on incoming mail. The results of other tests + might influence whether or not a particular SPF check is performed. + For example, finding the sending host's IP address on a local + whitelist might cause all other tests to be skipped and all mail from + that host to be accepted. + + + +Kitterman Standards Track [Page 7] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + When a mail receiver decides to perform an SPF check, it has to use a + correctly implemented check_host() function (Section 4) evaluated + with the correct parameters. Although the test as a whole is + optional, once it has been decided to perform a test it has to be + performed as specified so that the correct semantics are preserved + between publisher and receiver. + + To make the test, the mail receiver MUST evaluate the check_host() + function with the arguments described in Section 4.1. + + Although invalid, malformed, or non-existent domains cause SPF checks + to return "none" because no SPF record can be found, it has long been + the policy of many MTAs to reject email from such domains, especially + in the case of invalid "MAIL FROM". Rejecting email will prevent one + method of circumventing of SPF records. + + Implementations have to take care to correctly extract the <domain> + from the data given with the SMTP MAIL FROM command as many MTAs will + still accept such things as source routes (see Appendix C of + [RFC5321]), the %-hack (see [RFC1123]), and bang paths (see + [RFC1983]). These archaic features have been maliciously used to + bypass security systems. + +2.3. The "HELO" Identity + + It is RECOMMENDED that SPF verifiers not only check the "MAIL FROM" + identity but also separately check the "HELO" identity by applying + the check_host() function (Section 4) to the "HELO" identity as the + <sender>. Checking "HELO" promotes consistency of results and can + reduce DNS resource usage. If a conclusive determination about the + message can be made based on a check of "HELO", then the use of DNS + resources to process the typically more complex "MAIL FROM" can be + avoided. Additionally, since SPF records published for "HELO" + identities refer to a single host, when available, they are a very + reliable source of host authorization status. Checking "HELO" before + "MAIL FROM" is the RECOMMENDED sequence if both are checked. + + Note that requirements for the domain presented in the EHLO or HELO + command are not always clear to the sending party, and SPF verifiers + have to be prepared for the identity to be an IP address literal (see + [RFC5321], Section 4.1.3) or simply be malformed. This SPF check can + only be performed when the "HELO" string is a valid, multi-label + domain name. + + + + + + + + +Kitterman Standards Track [Page 8] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +2.4. The "MAIL FROM" Identity + + SPF verifiers MUST check the "MAIL FROM" identity if a "HELO" check + either has not been performed or has not reached a definitive policy + result by applying the check_host() function to the "MAIL FROM" + identity as the <sender>. + + [RFC5321] allows the reverse-path to be null (see Section 4.5.5 in + [RFC5321]). In this case, there is no explicit sender mailbox, and + such a message can be assumed to be a notification message from the + mail system itself. When the reverse-path is null, this document + defines the "MAIL FROM" identity to be the mailbox composed of the + local-part "postmaster" and the "HELO" identity (which might or might + not have been checked separately before). + +2.5. Location of Checks + + The authorization check SHOULD be performed during the processing of + the SMTP transaction that receives the mail. This reduces the + complexity of determining the correct IP address to use as an input + to check_host() and allows errors to be returned directly to the + sending MTA by way of SMTP replies. Appendix D of [RFC7001] provides + a more thorough discussion of this topic. + + The authorization check is performed during the SMTP transaction at + the time of the MAIL command, and uses the MAIL FROM value and the + client IP address. Performing the check at later times or with other + input can cause problems such as the following: + + o It might be difficult to accurately extract the required + information from potentially deceptive headers. + + o Legitimate email might fail the authorization check because the + sender's policy has since changed. + + Generating non-delivery notifications to forged identities that have + failed the authorization check often constitutes backscatter, i.e., + nuisance rejection notices that are not actionable. Operators are + strongly advised to avoid such practices. Section 2 of [RFC3834] + describes backscatter and the problems it causes. + +2.6. Results of Evaluation + + Section 4 defines check_host(), a model function definition that uses + the inputs defined above and the sender's policy published in the DNS + to reach a conclusion about client authorization. An SPF verifier + implements something semantically equivalent to the function defined + there. + + + +Kitterman Standards Track [Page 9] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + This section enumerates and briefly defines the possible outputs of + that function. Note, however, that the protocol establishes no + normative requirements for handling any particular result. + Discussion of handling options for each result can be found in + Section 8. + +2.6.1. None + + A result of "none" means either (a) no syntactically valid DNS domain + name was extracted from the SMTP session that could be used as the + one to be authorized, or (b) no SPF records were retrieved from + the DNS. + +2.6.2. Neutral + + A "neutral" result means the ADMD has explicitly stated that it is + not asserting whether the IP address is authorized. + +2.6.3. Pass + + A "pass" result is an explicit statement that the client is + authorized to inject mail with the given identity. + +2.6.4. Fail + + A "fail" result is an explicit statement that the client is not + authorized to use the domain in the given identity. + +2.6.5. Softfail + + A "softfail" result is a weak statement by the publishing ADMD that + the host is probably not authorized. It has not published a + stronger, more definitive policy that results in a "fail". + +2.6.6. Temperror + + A "temperror" result means the SPF verifier encountered a transient + (generally DNS) error while performing the check. A later retry may + succeed without further DNS operator action. + +2.6.7. Permerror + + A "permerror" result means the domain's published records could not + be correctly interpreted. This signals an error condition that + definitely requires DNS operator intervention to be resolved. + + + + + + +Kitterman Standards Track [Page 10] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +3. SPF Records + + An SPF record is a DNS record that declares which hosts are, and are + not, authorized to use a domain name for the "HELO" and "MAIL FROM" + identities. Loosely, the record partitions hosts into permitted and + not-permitted sets (though some hosts might fall into neither + category). + + The SPF record is expressed as a single string of text found in the + RDATA of a single DNS TXT resource record; multiple SPF records are + not permitted for the same owner name. The record format and the + process for selecting records are described below in Section 4. An + example record is the following: + + v=spf1 +mx a:colo.example.com/28 -all + + This record has a version of "spf1" and three directives: "+mx", + "a:colo.example.com/28" (the "+" is implied), and "-all". + + Each SPF record is placed in the DNS tree at the owner name it + pertains to, not in a subdomain under the owner name. This is + similar to how SRV records [RFC2782] are done. + + The example in this section might be published via these lines in a + domain zone file: + + example.com. TXT "v=spf1 +mx a:colo.example.com/28 -all" + + Since TXT records have multiple uses, beware of other TXT records + published there for other purposes. They might cause problems with + size limits (see Section 3.4), and care has to be taken to ensure + that only SPF records are used for SPF processing. + + ADMDs publishing SPF records ought to keep the amount of DNS + information needed to evaluate a record to a minimum. Sections 4.6.4 + and 10.1.1 provide some suggestions about "include" mechanisms and + chained "redirect" modifiers. + +3.1. DNS Resource Records + + SPF records MUST be published as a DNS TXT (type 16) Resource Record + (RR) [RFC1035] only. The character content of the record is encoded + as [US-ASCII]. Use of alternative DNS RR types was supported in + SPF's experimental phase but has been discontinued. + + In 2003, when SPF was first being developed, the requirements for + assignment of a new DNS RR type were considerably more stringent than + they are now. Additionally, support for easy deployment of new DNS + + + +Kitterman Standards Track [Page 11] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + RR types was not widely deployed in DNS servers and provisioning + systems. As a result, developers of SPF found it easier and more + practical to use the TXT RR type for SPF records. + + In its review of [RFC4408], the SPFbis working group concluded that + its dual RR type transition model was fundamentally flawed since it + contained no common RR type that implementers were required to serve + and required to check. Many alternatives were considered to resolve + this issue, but ultimately the working group concluded that + significant migration to the SPF RR type in the foreseeable future + was very unlikely and that the best solution for resolving this + interoperability issue was to drop support for the SPF RR type from + SPF version 1. See Appendix A of [RFC6686] for further information. + + The circumstances surrounding SPF's initial deployment a decade ago + are unique. If a future update to SPF were developed that did not + reuse existing SPF records, it could use the SPF RR type. SPF's use + of the TXT RR type for structured data should in no way be taken as + precedent for future protocol designers. Further discussion of + design considerations when using new DNS RR types can be found in + [RFC5507]. + +3.2. Multiple DNS Records + + A domain name MUST NOT have multiple records that would cause an + authorization check to select more than one record. See Section 4.5 + for the selection rules. + +3.3. Multiple Strings in a Single DNS Record + + As defined in [RFC1035], Sections 3.3 and 3.3.14, a single text DNS + record can be composed of more than one string. If a published + record contains multiple character-strings, then the record MUST be + treated as if those strings are concatenated together without adding + spaces. For example: + + IN TXT "v=spf1 .... first" "second string..." + + is equivalent to: + + IN TXT "v=spf1 .... firstsecond string..." + + TXT records containing multiple strings are useful in constructing + records that would exceed the 255-octet maximum length of a + character-string within a single TXT record. + + + + + + +Kitterman Standards Track [Page 12] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +3.4. Record Size + + The published SPF record for a given domain name SHOULD remain small + enough that the results of a query for it will fit within 512 octets. + Otherwise, there is a possibility of exceeding a DNS protocol limit. + This UDP limit is defined in [RFC1035], Section 2.3.4, although it + was raised by [RFC2671]. Staying below 512 octets ought to prevent + older DNS implementations from failing over to TCP and will work with + UDP in the absence of EDNS0 [RFC6891] support. Since the answer size + is dependent on many things outside the scope of this document, it is + only possible to give this guideline: If the size of the DNS message, + the combined length of the DNS name and the text of all the records + of a given type is under 450 octets, then DNS answers ought to fit in + UDP packets. Records that are too long to fit in a single UDP packet + could be silently ignored by SPF verifiers due to firewall and other + issues that interfere with the operation of DNS over TCP or using + ENDS0. + + Note that when computing the sizes for replies to queries of the TXT + format, one has to take into account any other TXT records published + at the domain name. Similarly, the sizes for replies to all queries + related to SPF have to be evaluated to fit in a single 512-octet UDP + packet (i.e., DNS message size limited to 450 octets). + +3.5. Wildcard Records + + Use of wildcard records for publishing is discouraged, and care has + to be taken if they are used. If a zone includes wildcard MX + records, it might want to publish wildcard declarations, subject to + the same requirements and problems. In particular, the declaration + MUST be repeated for any host that has any RR records at all, and for + subdomains thereof. Consider the example in [RFC1034], + Section 4.3.3. Based on that, we can do the following: + + EXAMPLE.COM. MX 10 A.EXAMPLE.COM + EXAMPLE.COM. TXT "v=spf1 a:A.EXAMPLE.COM -all" + + *.EXAMPLE.COM. MX 10 A.EXAMPLE.COM + *.EXAMPLE.COM. TXT "v=spf1 a:A.EXAMPLE.COM -all" + + A.EXAMPLE.COM. A 203.0.113.1 + A.EXAMPLE.COM. MX 10 A.EXAMPLE.COM + A.EXAMPLE.COM. TXT "v=spf1 a:A.EXAMPLE.COM -all" + + *.A.EXAMPLE.COM. MX 10 A.EXAMPLE.COM + *.A.EXAMPLE.COM. TXT "v=spf1 a:A.EXAMPLE.COM -all" + + + + + +Kitterman Standards Track [Page 13] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + SPF records have to be listed twice for every name within the zone: + once for the name, and once with a wildcard to cover the tree under + the name, in order to cover all domains in use in outgoing mail. + +4. The check_host() Function + + This description is not an application programming interface + definition, but rather a function description used to illustrate the + algorithm. A compliant SPF implementation MUST produce results + semantically equivalent to this description. + + The check_host() function fetches SPF records, parses them, and + evaluates them to determine whether a particular host is or is not + permitted to send mail with a given identity. Receiving ADMDs that + perform this check MUST correctly evaluate the check_host() function + as described here. + + Implementations MAY use a different algorithm than the canonical + algorithm defined here, so long as the results are the same in all + cases. + +4.1. Arguments + + The check_host() function takes these arguments: + + <ip> - the IP address of the SMTP client that is emitting + the mail, either IPv4 or IPv6. + + <domain> - the domain that provides the sought-after authorization + information; initially, the domain portion of the + "MAIL FROM" or "HELO" identity. + + <sender> - the "MAIL FROM" or "HELO" identity. + + For recursive evaluations, the domain portion of <sender> might not + be the same as the <domain> argument when check_host() is initially + evaluated. In most other cases it will be the same (see Section 5.2 + below). The overall DNS lookup limit for SPF terms described below + in Section 4.6.4 must be tracked as a single global limit for all + evaluations, not just for a single instance of a recursive + evaluation. + + Note that the <domain> argument might not be a well-formed domain + name. For example, if the reverse-path was null, then the EHLO/HELO + domain is used, with its associated problems (see Section 2.3). In + these cases, check_host() is defined in Section 4.3 to return a + "none" result. + + + + +Kitterman Standards Track [Page 14] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +4.2. Results + + The check_host() function can return one of several results described + in Section 2.6. Based on the result, the action to be taken is + determined by the local policies of the receiver. This is discussed + in Section 8. + +4.3. Initial Processing + + If the <domain> is malformed (e.g., label longer than 63 characters, + zero-length label not at the end, etc.) or is not a multi-label + domain name, or if the DNS lookup returns "Name Error" (RCODE 3, also + known as "NXDOMAIN" [RFC2308]), check_host() immediately returns the + result "none". DNS RCODEs are defined in [RFC1035]. Properly formed + domains are fully qualified domains as defined in [RFC1983]. That + is, in the DNS they are implicitly qualified relative to the root + (see Section 3.1 of [RFC1034]). Internationalized domain names MUST + be encoded as A-labels, as described in Section 2.3 of [RFC5890]. + + If the <sender> has no local-part, substitute the string "postmaster" + for the local-part. + +4.4. Record Lookup + + In accordance with how the records are published (see Section 3 + above), a DNS query needs to be made for the <domain> name, querying + for type TXT only. + + If the DNS lookup returns a server failure (RCODE 2) or some other + error (RCODE other than 0 or 3), or if the lookup times out, then + check_host() terminates immediately with the result "temperror". + +4.5. Selecting Records + + Records begin with a version section: + + record = version terms *SP + version = "v=spf1" + + Starting with the set of records that were returned by the lookup, + discard records that do not begin with a version section of exactly + "v=spf1". Note that the version section is terminated by either an + SP character or the end of the record. As an example, a record with + a version section of "v=spf10" does not match and is discarded. + + If the resultant record set includes no records, check_host() + produces the "none" result. If the resultant record set includes + more than one record, check_host() produces the "permerror" result. + + + +Kitterman Standards Track [Page 15] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +4.6. Record Evaluation + + The check_host() function parses and interprets the SPF record to + find a result for the current test. The syntax of the record is + validated first, and if there are any syntax errors anywhere in the + record, check_host() returns immediately with the result "permerror", + without further interpretation or evaluation. + +4.6.1. Term Evaluation + + There are two types of terms: mechanisms (defined in Section 5) and + modifiers (defined in Section 6). A record contains an ordered list + of these as specified in the following Augmented Backus-Naur Form + (ABNF). + + terms = *( 1*SP ( directive / modifier ) ) + + directive = [ qualifier ] mechanism + qualifier = "+" / "-" / "?" / "~" + mechanism = ( all / include + / a / mx / ptr / ip4 / ip6 / exists ) + modifier = redirect / explanation / unknown-modifier + unknown-modifier = name "=" macro-string + ; where name is not any known modifier + + name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." ) + + Most mechanisms allow a ":" or "/" character after the name. + + Modifiers always contain an equals ('=') character immediately after + the name, and before any ":" or "/" characters that might be part of + the macro-string. + + Terms that do not contain any of "=", ":", or "/" are mechanisms, as + defined in Section 5. + + As per the definition of the ABNF notation in [RFC5234], mechanism + and modifier names are case-insensitive. + +4.6.2. Mechanisms + + Each mechanism is considered in turn from left to right. If there + are no more mechanisms, the result is the default result as described + in Section 4.7. + + When a mechanism is evaluated, one of three things can happen: it can + match, not match, or return an exception. + + + + +Kitterman Standards Track [Page 16] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + If it matches, processing ends and the qualifier value is returned as + the result of that record. If it does not match, processing + continues with the next mechanism. If it returns an exception, + mechanism processing ends and the exception value is returned. + + The possible qualifiers, and the results they cause check_host() to + return, are as follows: + + "+" pass + "-" fail + "~" softfail + "?" neutral + + The qualifier is optional and defaults to "+". + + When a mechanism matches and the qualifier is "-", then a "fail" + result is returned and the explanation string is computed as + described in Section 6.2. + + The specific mechanisms are described in Section 5. + +4.6.3. Modifiers + + Modifiers are not mechanisms. They do not return match or not-match. + Instead, they provide additional information. Although modifiers do + not directly affect the evaluation of the record, the "redirect" + modifier has an effect after all the mechanisms have been evaluated. + +4.6.4. DNS Lookup Limits + + Some mechanisms and modifiers (collectively, "terms") cause DNS + queries at the time of evaluation, and some do not. The following + terms cause DNS queries: the "include", "a", "mx", "ptr", and + "exists" mechanisms, and the "redirect" modifier. SPF + implementations MUST limit the total number of those terms to 10 + during SPF evaluation, to avoid unreasonable load on the DNS. If + this limit is exceeded, the implementation MUST return "permerror". + The other terms -- the "all", "ip4", and "ip6" mechanisms, and the + "exp" modifier -- do not cause DNS queries at the time of SPF + evaluation (the "exp" modifier only causes a lookup at a later time), + and their use is not subject to this limit. + + When evaluating the "mx" mechanism, the number of "MX" resource + records queried is included in the overall limit of 10 mechanisms/ + modifiers that cause DNS lookups as described above. In addition to + that limit, the evaluation of each "MX" record MUST NOT result in + + + + + +Kitterman Standards Track [Page 17] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + querying more than 10 address records -- either "A" or "AAAA" + resource records. If this limit is exceeded, the "mx" mechanism MUST + produce a "permerror" result. + + When evaluating the "ptr" mechanism or the %{p} macro, the number of + "PTR" resource records queried is included in the overall limit of 10 + mechanisms/modifiers that cause DNS lookups as described above. In + addition to that limit, the evaluation of each "PTR" record MUST NOT + result in querying more than 10 address records -- either "A" or + "AAAA" resource records. If this limit is exceeded, all records + other than the first 10 MUST be ignored. + + The reason for the disparity is that the set of and contents of the + MX record are under control of the publishing ADMD, while the set of + and contents of PTR records are under control of the owner of the IP + address actually making the connection. + + These limits are per mechanism or macro in the record, and are in + addition to the lookup limits specified above. + + MTAs or other processors SHOULD impose a limit on the maximum amount + of elapsed time to evaluate check_host(). Such a limit SHOULD allow + at least 20 seconds. If such a limit is exceeded, the result of + authorization SHOULD be "temperror". + + As described at the end of Section 11.1, there may be cases where it + is useful to limit the number of "terms" for which DNS queries return + either a positive answer (RCODE 0) with an answer count of 0, or a + "Name Error" (RCODE 3) answer. These are sometimes collectively + referred to as "void lookups". SPF implementations SHOULD limit + "void lookups" to two. An implementation MAY choose to make such a + limit configurable. In this case, a default of two is RECOMMENDED. + Exceeding the limit produces a "permerror" result. + +4.7. Default Result + + If none of the mechanisms match and there is no "redirect" modifier, + then the check_host() returns a result of "neutral", just as if + "?all" were specified as the last directive. If there is a + "redirect" modifier, check_host() proceeds as defined in Section 6.1. + + It is better to use either a "redirect" modifier or an "all" + mechanism to explicitly terminate processing. Although there is an + implicit "?all" at the end of every record that is not explicitly + terminated, it aids debugging efforts when it is explicitly provided. + + + + + + +Kitterman Standards Track [Page 18] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + For example: + + v=spf1 +mx -all + + or + + v=spf1 +mx redirect=_spf.example.com + +4.8. Domain Specification + + Several of these mechanisms and modifiers have a <domain-spec> + section. The <domain-spec> string is subject to macro expansion (see + Section 7). The resulting string is the common presentation form of + a fully qualified DNS name: a series of labels separated by periods. + This domain is called the <target-name> in the rest of this document. + + Note: The result of the macro expansion is not subject to any further + escaping. Hence, this facility cannot produce all characters that + are legal in a DNS label (e.g., the control characters). However, + this facility is powerful enough to express legal host names and + common utility labels (such as "_spf") that are used in DNS. + + For several mechanisms, the <domain-spec> is optional. If it is not + provided, the <domain> from the check_host() arguments (see + Section 4.1) is used as the <target-name>. "domain" and + <domain-spec> are syntactically identical after macro expansion. + "domain" is an input value for check_host(), while <domain-spec> is + computed by check_host(). + + The result of evaluating check_host() with a syntactically invalid + domain is undefined. + + Note: This document and its predecessors make no provisions for + defining correct handling of a syntactically invalid <domain-spec> + (which might be the result of macro expansion), per [RFC1035]. + Examples include names with empty labels, such as "foo..example.com", + and labels that are longer than 63 characters. Some implementations + choose to treat such errors as not-match and therefore ignore such + names, while others return a "permerror" exception. + + + + + + + + + + + + +Kitterman Standards Track [Page 19] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +5. Mechanism Definitions + + This section defines two types of mechanisms: basic language + framework mechanisms and designated sender mechanisms. + + Basic mechanisms contribute to the language framework. They do not + specify a particular type of authorization scheme. The basic + mechanisms are as follows: + + all + include + + Designated sender mechanisms are used to identify a set of <ip> + addresses as being permitted or not permitted to use the <domain> for + sending mail. The designated sender mechanisms are as follows: + + a + mx + ptr (do not use) + ip4 + ip6 + exists + + The following conventions apply to all mechanisms that perform a + comparison between <ip> and an IP address at any point: + + If no CIDR prefix length is given in the directive, then <ip> and the + IP address are compared for equality. (Here, CIDR is Classless + Inter-Domain Routing, described in [RFC4632].) + + If a CIDR prefix length is specified, then only the specified number + of high-order bits of <ip> and the IP address are compared for + equality. + + When any mechanism fetches host addresses to compare with <ip>, when + <ip> is an IPv4, "A" records are fetched; when <ip> is an IPv6 + address, "AAAA" records are fetched. SPF implementations on IPv6 + servers need to handle both "AAAA" and "A" records, for clients on + IPv4-mapped IPv6 addresses [RFC4291]. IPv4 <ip> addresses are only + listed in an SPF record using the "ip4" mechanism. + + Several mechanisms rely on information fetched from the DNS. For + these DNS queries, except where noted, if the DNS server returns an + error (RCODE other than 0 or 3) or the query times out, the mechanism + stops and the topmost check_host() returns "temperror". If the + server returns "Name Error" (RCODE 3), then evaluation of the + mechanism continues as if the server returned no error (RCODE 0) and + zero answer records. + + + +Kitterman Standards Track [Page 20] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +5.1. "all" + + all = "all" + + The "all" mechanism is a test that always matches. It is used as the + rightmost mechanism in a record to provide an explicit default. + + For example: + + v=spf1 a mx -all + + Mechanisms after "all" will never be tested. Mechanisms listed after + "all" MUST be ignored. Any "redirect" modifier (Section 6.1) MUST be + ignored when there is an "all" mechanism in the record, regardless of + the relative ordering of the terms. + +5.2. "include" + + include = "include" ":" domain-spec + + The "include" mechanism triggers a recursive evaluation of + check_host(). + + 1. The <domain-spec> is expanded as per Section 7. + + 2. check_host() is evaluated with the resulting string as the + <domain>. The <ip> and <sender> arguments remain the same as in + the current evaluation of check_host(). + + 3. The recursive evaluation returns match, not-match, or an error. + + 4. If it returns match, then the appropriate result for the + "include" mechanism is used (e.g., include or +include produces a + "pass" result and -include produces "fail"). + + 5. If it returns not-match or an error, the parent check_host() + resumes processing as per the table below, with the previous + value of <domain> restored. + + In hindsight, the name "include" was poorly chosen. Only the + evaluated result of the referenced SPF record is used, rather than + literally including the mechanisms of the referenced record in the + first. For example, evaluating a "-all" directive in the referenced + record does not terminate the overall processing and does not + necessarily result in an overall "fail". (Better names for this + mechanism would have been "if-match", "on-match", etc.) + + + + + +Kitterman Standards Track [Page 21] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + The "include" mechanism makes it possible for one domain to designate + multiple administratively independent domains. For example, a vanity + domain "example.net" might send mail using the servers of + administratively independent domains example.com and example.org. + + Example.net could say + + IN TXT "v=spf1 include:example.com include:example.org -all" + + This would direct check_host() to, in effect, check the records of + example.com and example.org for a "pass" result. Only if the host + were not permitted for either of those domains would the result be + "fail". + + Whether this mechanism matches, does not match, or returns an + exception depends on the result of the recursive evaluation of + check_host(): + + +---------------------------------+---------------------------------+ + | A recursive check_host() result | Causes the "include" mechanism | + | of: | to: | + +---------------------------------+---------------------------------+ + | pass | match | + | | | + | fail | not match | + | | | + | softfail | not match | + | | | + | neutral | not match | + | | | + | temperror | return temperror | + | | | + | permerror | return permerror | + | | | + | none | return permerror | + +---------------------------------+---------------------------------+ + + The "include" mechanism is intended for crossing administrative + boundaries. When remaining within one administrative authority, + "include" is usually not the best choice. For example, if + example.com and example.org were managed by the same entity, and if + the permitted set of hosts for both domains was "mx:example.com", it + would be possible for example.org to specify "include:example.com", + but it would be preferable to specify "redirect=example.com" or even + "mx:example.com". + + + + + + +Kitterman Standards Track [Page 22] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + With the "include" mechanism, an administratively external set of + hosts can be authorized, but determination of sender policy is still + a function of the original domain's SPF record (as determined by the + "all" mechanism in that record). The "redirect" modifier is more + suitable for consolidating both authorizations and policy into a + common set to be shared within an ADMD. Redirect is much more like a + common code element to be shared among records in a single ADMD. It + is possible to control both authorized hosts and policy for an + arbitrary number of domains from a single record. + +5.3. "a" + + This mechanism matches if <ip> is one of the <target-name>'s IP + addresses. For clarity, this means the "a" mechanism also matches + AAAA records. + + a = "a" [ ":" domain-spec ] [ dual-cidr-length ] + + An address lookup is done on the <target-name> using the type of + lookup (A or AAAA) appropriate for the connection type (IPv4 or + IPv6). The <ip> is compared to the returned address(es). If any + address matches, the mechanism matches. + +5.4. "mx" + + This mechanism matches if <ip> is one of the MX hosts for a domain + name. + + mx = "mx" [ ":" domain-spec ] [ dual-cidr-length ] + + check_host() first performs an MX lookup on the <target-name>. Then + it performs an address lookup on each MX name returned. The <ip> is + compared to each returned IP address. To prevent denial-of-service + (DoS) attacks, the processing limits defined in Section 4.6.4 MUST be + followed. If the MX lookup limit is exceeded, then "permerror" is + returned and the evaluation is terminated. If any address matches, + the mechanism matches. + + Note regarding implicit MXes: If the <target-name> has no MX record, + check_host() MUST NOT apply the implicit MX rules of [RFC5321] by + querying for an A or AAAA record for the same name. + +5.5. "ptr" (do not use) + + This mechanism tests whether the DNS reverse-mapping for <ip> exists + and correctly points to a domain name within a particular domain. + This mechanism SHOULD NOT be published. See the note at the end of + this section for more information. + + + +Kitterman Standards Track [Page 23] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + ptr = "ptr" [ ":" domain-spec ] + + The <ip>'s name is looked up using this procedure: + + o Perform a DNS reverse-mapping for <ip>: Look up the corresponding + PTR record in "in-addr.arpa." if the address is an IPv4 address + and in "ip6.arpa." if it is an IPv6 address. + + o For each record returned, validate the domain name by looking up + its IP addresses. To prevent DoS attacks, the PTR processing + limits defined in Section 4.6.4 MUST be applied. If they are + exceeded, processing is terminated and the mechanism does not + match. + + o If <ip> is among the returned IP addresses, then that domain name + is validated. + + Check all validated domain names to see if they either match the + <target-name> domain or are a subdomain of the <target-name> domain. + If any do, this mechanism matches. If no validated domain name can + be found, or if none of the validated domain names match or are a + subdomain of the <target-name>, this mechanism fails to match. If a + DNS error occurs while doing the PTR RR lookup, then this mechanism + fails to match. If a DNS error occurs while doing an A RR lookup, + then that domain name is skipped and the search continues. + + This mechanism matches if + + o the <target-name> is a subdomain of a validated domain name, or + + o the <target-name> and a validated domain name are the same. + + For example, "mail.example.com" is within the domain "example.com", + but "mail.bad-example.com" is not. + + Note: This mechanism is slow, it is not as reliable as other + mechanisms in cases of DNS errors, and it places a large burden on + the .arpa name servers. If used, proper PTR records have to be in + place for the domain's hosts and the "ptr" mechanism SHOULD be one of + the last mechanisms checked. After many years of SPF deployment + experience, it has been concluded that it is unnecessary and more + reliable alternatives should be used instead. It is, however, still + in use as part of the SPF protocol, so compliant check_host() + implementations MUST support it. + + + + + + + +Kitterman Standards Track [Page 24] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +5.6. "ip4" and "ip6" + + These mechanisms test whether <ip> is contained within a given + IP network. + + ip4 = "ip4" ":" ip4-network [ ip4-cidr-length ] + ip6 = "ip6" ":" ip6-network [ ip6-cidr-length ] + + ip4-cidr-length = "/" ("0" / %x31-39 0*1DIGIT) ; value range 0-32 + ip6-cidr-length = "/" ("0" / %x31-39 0*2DIGIT) ; value range 0-128 + dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] + + ip4-network = qnum "." qnum "." qnum "." qnum + qnum = DIGIT ; 0-9 + / %x31-39 DIGIT ; 10-99 + / "1" 2DIGIT ; 100-199 + / "2" %x30-34 DIGIT ; 200-249 + / "25" %x30-35 ; 250-255 + ; as per conventional dotted-quad notation, e.g., 192.0.2.0 + + ip6-network = <as per Section 2.2 of [RFC4291]> + ; e.g., 2001:db8::cd30 + + The <ip> is compared to the given network. If CIDR prefix length + high-order bits match, the mechanism matches. + + If ip4-cidr-length is omitted, it is taken to be "/32". If + ip6-cidr-length is omitted, it is taken to be "/128". It is not + permitted to omit parts of the IP address instead of using CIDR + notations. That is, use 192.0.2.0/24 instead of 192.0.2. + +5.7. "exists" + + This mechanism is used to construct an arbitrary domain name that is + used for a DNS A record query. It allows for complicated schemes + involving arbitrary parts of the mail envelope to determine what is + permitted. + + exists = "exists" ":" domain-spec + + The <domain-spec> is expanded as per Section 7. The resulting domain + name is used for a DNS A RR lookup (even when the connection type is + IPv6). If any A record is returned, this mechanism matches. + + Domains can use this mechanism to specify arbitrarily complex + queries. For example, suppose example.com publishes the record: + + v=spf1 exists:%{ir}.%{l1r+-}._spf.%{d} -all + + + +Kitterman Standards Track [Page 25] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + The <target-name> might expand to + "1.2.0.192.someuser._spf.example.com". This makes fine-grained + decisions possible at the level of the user and client IP address. + +6. Modifier Definitions + + Modifiers are name/value pairs that provide additional information. + Modifiers always have an "=" separating the name and the value. + + The modifiers defined in this document ("redirect" and "exp") SHOULD + appear at the end of the record, after all mechanisms, though + syntactically they can appear anywhere in the record. Ordering of + these two modifiers does not matter. These two modifiers MUST NOT + appear in a record more than once each. If they do, then + check_host() exits with a result of "permerror". + + Unrecognized modifiers MUST be ignored no matter where, or how often, + they appear in a record. This allows implementations conforming to + this document to gracefully handle records with modifiers that are + defined in other specifications. + +6.1. redirect: Redirected Query + + The "redirect" modifier is intended for consolidating both + authorizations and policy into a common set to be shared within a + single ADMD. It is possible to control both authorized hosts and + policy for an arbitrary number of domains from a single record. + + redirect = "redirect" "=" domain-spec + + If all mechanisms fail to match, and a "redirect" modifier is + present, then processing proceeds as follows: + + The <domain-spec> portion of the redirect section is expanded as per + the macro rules in Section 7. Then check_host() is evaluated with + the resulting string as the <domain>. The <ip> and <sender> + arguments remain the same as in the current evaluation of + check_host(). + + The result of this new evaluation of check_host() is then considered + the result of the current evaluation with the exception that if no + SPF record is found, or if the <target-name> is malformed, the result + is a "permerror" rather than "none". + + Note that the newly queried domain can itself specify redirect + processing. + + + + + +Kitterman Standards Track [Page 26] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + This facility is intended for use by organizations that wish to apply + the same record to multiple domains. For example: + + la.example.com. TXT "v=spf1 redirect=_spf.example.com" + ny.example.com. TXT "v=spf1 redirect=_spf.example.com" + sf.example.com. TXT "v=spf1 redirect=_spf.example.com" + _spf.example.com. TXT "v=spf1 mx:example.com -all" + + In this example, mail from any of the three domains is described by + the same record. This can be an administrative advantage. + + Note: In general, the domain "A" cannot reliably use a redirect to + another domain "B" not under the same administrative control. Since + the <sender> stays the same, there is no guarantee that the record at + domain "B" will correctly work for mailboxes in domain "A", + especially if domain "B" uses mechanisms involving local-parts. An + "include" directive will generally be more appropriate. + + For clarity, any "redirect" modifier SHOULD appear as the very last + term in a record. Any "redirect" modifier MUST be ignored if there + is an "all" mechanism anywhere in the record. + +6.2. exp: Explanation + + explanation = "exp" "=" domain-spec + + If check_host() results in a "fail" due to a mechanism match (such as + "-all"), and the "exp" modifier is present, then the explanation + string returned is computed as described below. If no "exp" modifier + is present, then either a default explanation string or an empty + explanation string MUST be returned to the calling application. + + The <domain-spec> is macro expanded (see Section 7) and becomes the + <target-name>. The DNS TXT RRset for the <target-name> is fetched. + + If there are any DNS processing errors (any RCODE other than 0), or + if no records are returned, or if more than one record is returned, + or if there are syntax errors in the explanation string, then proceed + as if no "exp" modifier was given. + + The fetched TXT record's strings are concatenated with no spaces, and + then treated as an explain-string, which is macro-expanded. This + final result is the explanation string. Implementations MAY limit + the length of the resulting explanation string to allow for other + protocol constraints and/or reasonable processing limits. Since the + explanation string is intended for an SMTP response and Section 2.4 + of [RFC5321] says that responses are in [US-ASCII], the explanation + string MUST be limited to [US-ASCII]. + + + +Kitterman Standards Track [Page 27] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + Software evaluating check_host() can use this string to communicate + information from the publishing domain in the form of a short message + or URL. Software SHOULD make it clear that the explanation string + comes from a third party. For example, it can prepend the macro + string "%{o} explains: " to the explanation, as shown in the example + in Section 8.4. + + Suppose example.com has this record: + + v=spf1 mx -all exp=explain._spf.%{d} + + Here are some examples of possible explanation TXT records at + explain._spf.example.com: + + "Mail from example.com should only be sent by its own servers." + + -- a simple, constant message + + "%{i} is not one of %{d}'s designated mail servers." + + -- a message with a little more information, including the + IP address that failed the check + + "See http://%{d}/why.html?s=%{S}&i=%{I}" + + -- a complicated example that constructs a URL with the + arguments to check_host() so that a web page can be + generated with detailed, custom instructions + + Note: During recursion into an "include" mechanism, an "exp" modifier + from the <target-name> MUST NOT be used. In contrast, when executing + a "redirect" modifier, an "exp" modifier from the original domain + MUST NOT be used. This is because "include" is meant to cross + administrative boundaries and the explanation provided should be the + one from the receiving ADMD, while "redirect" is meant to operate as + a tool to consolidate policy records within an ADMD so the redirected + explanation is the one that ought to have priority. + +7. Macros + + When evaluating an SPF policy record, certain character sequences are + intended to be replaced by parameters of the message or of the + connection. These character sequences are referred to as "macros". + + + + + + + + +Kitterman Standards Track [Page 28] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +7.1. Formal Specification + + The ABNF description for a macro is as follows: + + domain-spec = macro-string domain-end + domain-end = ( "." toplabel [ "." ] ) / macro-expand + + toplabel = ( *alphanum ALPHA *alphanum ) / + ( 1*alphanum "-" *( alphanum / "-" ) alphanum ) + alphanum = ALPHA / DIGIT + + explain-string = *( macro-string / SP ) + + macro-string = *( macro-expand / macro-literal ) + macro-expand = ( "%{" macro-letter transformers *delimiter "}" ) + / "%%" / "%_" / "%-" + macro-literal = %x21-24 / %x26-7E + ; visible characters except "%" + macro-letter = "s" / "l" / "o" / "d" / "i" / "p" / "h" / + "c" / "r" / "t" / "v" + transformers = *DIGIT [ "r" ] + delimiter = "." / "-" / "+" / "," / "/" / "_" / "=" + + The "toplabel" construction is subject to the letter-digit-hyphen + (LDH) rule plus additional top-level domain (TLD) restrictions. See + Section 2 of [RFC3696] for background. + + Some special cases: + + o A literal "%" is expressed by "%%". + + o "%_" expands to a single " " space. + + o "%-" expands to a URL-encoded space, viz., "%20". + +7.2. Macro Definitions + + The following macro letters are expanded in term arguments: + + s = <sender> + l = local-part of <sender> + o = domain of <sender> + d = <domain> + i = <ip> + p = the validated domain name of <ip> (do not use) + v = the string "in-addr" if <ip> is ipv4, or "ip6" if <ip> is ipv6 + h = HELO/EHLO domain + + + + +Kitterman Standards Track [Page 29] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + <domain>, <sender>, and <ip> are defined in Section 4.1. + + The following macro letters are allowed only in "exp" text: + + c = SMTP client IP (easily readable format) + r = domain name of host performing the check + t = current timestamp + +7.3. Macro Processing Details + + A '%' character not followed by a '{', '%', '-', or '_' character is + a syntax error. So: + + -exists:%(ir).sbl.example.org + + is incorrect and will cause check_host() to yield a "permerror". + Instead, the following is legal: + + -exists:%{ir}.sbl.example.org + + Optional transformers are the following: + + *DIGIT = zero or more digits + + 'r' = reverse value, splitting on dots by default + + If transformers or delimiters are provided, the replacement value for + a macro letter is split into parts separated by one or more of the + specified delimiter characters. After performing any reversal + operation and/or removal of left-hand parts, the parts are rejoined + using "." and not the original splitting characters. + + By default, strings are split on "." (dots). Note that no special + treatment is given to leading, trailing, or consecutive delimiters in + input strings, and so the list of parts might contain empty strings. + Some older implementations of SPF prohibit trailing dots in domain + names, so trailing dots SHOULD NOT be published, although they MUST + be accepted by implementations conforming to this document. Macros + can specify delimiter characters that are used instead of ".". + + The "r" transformer indicates a reversal operation: if the client IP + address were 192.0.2.1, the macro %{i} would expand to "192.0.2.1" + and the macro %{ir} would expand to "1.2.0.192". + + The DIGIT transformer indicates the number of right-hand parts to + use, after optional reversal. If a DIGIT is specified, the value + MUST be nonzero. If no DIGITs are specified, or if the value + specifies more parts than are available, all the available parts are + + + +Kitterman Standards Track [Page 30] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + used. If the DIGIT was 5, and only 3 parts were available, the macro + interpreter would pretend the DIGIT was 3. Implementations MUST + support at least a value of 127, as that is the maximum number of + labels in a domain name (less the zero-length label at the end). + + The "s" macro expands to the <sender> argument. It is an email + address with a local-part, an "@" character, and a domain. The "l" + macro expands to just the local-part. The "o" macro expands to just + the domain part. Note that these values remain the same during + recursive and chained evaluations due to "include" and/or "redirect". + Note also that if the original <sender> had no local-part, the + local-part was set to "postmaster" in initial processing (see + Section 4.3). + + For IPv4 addresses, both the "i" and "c" macros expand to the + standard dotted-quad format. + + For IPv6 addresses, the "i" macro expands to a dot-format address; it + is intended for use in %{ir}. The "c" macro can expand to any of the + hexadecimal colon-format addresses specified in Section 2.2 of + [RFC4291]. It is intended for humans to read. + + The "p" macro expands to the validated domain name of <ip>. The + procedure for finding the validated domain name is defined in + Section 5.5. If the <domain> is present in the list of validated + domains, it SHOULD be used. Otherwise, if a subdomain of the + <domain> is present, it SHOULD be used. Otherwise, any name from the + list can be used. If there are no validated domain names or if a DNS + error occurs, the string "unknown" is used. + + This macro SHOULD NOT be published (see Section 5.5 for the + discussion). + + The "h" macro expands to the parameter that was provided to the SMTP + server via the HELO or EHLO SMTP verb. For sessions where that verb + was provided more than once, the most recent instance is used. + + The "r" macro expands to the name of the receiving MTA. This SHOULD + be a fully qualified domain name, but if one does not exist (as when + the checking is done by a Mail User Agent (MUA)) or if policy + restrictions dictate otherwise, the word "unknown" SHOULD be + substituted. The domain name can be different from the name found in + the MX record that the client MTA used to locate the receiving MTA. + + + + + + + + +Kitterman Standards Track [Page 31] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + The "t" macro expands to the decimal representation of the + approximate number of seconds since the Epoch (Midnight, January 1, + 1970, UTC) at the time of the evaluation. This is the same value as + the value that is returned by the Portable Operating System Interface + (POSIX) time() function in most standards-compliant libraries. + + When the result of macro expansion is used in a domain name query, if + the expanded domain name exceeds 253 characters (the maximum length + of a domain name in this format), the left side is truncated to fit, + by removing successive domain labels (and their following dots) until + the total length does not exceed 253 characters. + + Uppercase macros expand exactly as their lowercase equivalents, and + are then URL escaped. URL escaping MUST be performed for characters + not in the "unreserved" set, which is defined in [RFC3986]. + + Care has to be taken by the sending ADMD so that macro expansion for + legitimate email does not exceed the 63-character limit on DNS + labels. The local-part of email addresses, in particular, can have + more than 63 characters between dots. + + To minimize DNS lookup resource requirements, it is better if sending + ADMDs avoid using the "s", "l", "o", or "h" macros in conjunction + with any mechanism directive. Although these macros are powerful and + allow per-user records to be published, they severely limit the + ability of implementations to cache results of check_host() and they + reduce the effectiveness of DNS caches. + + If no directive processed during the evaluation of check_host() + contains an "s", "l", "o", or "h" macro, then the results of the + evaluation can be cached on the basis of <domain> and <ip> alone for + as long as the DNS record involved with the shortest Time to Live + (TTL) has not expired. + +7.4. Expansion Examples + + The <sender> is strong-bad@email.example.com. The IPv4 SMTP client + IP is 192.0.2.3. The IPv6 SMTP client IP is 2001:db8::cb01. The PTR + domain name of the client IP is mx.example.org. + + + + + + + + + + + + +Kitterman Standards Track [Page 32] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + macro expansion + ------- ---------------------------- + %{s} strong-bad@email.example.com + %{o} email.example.com + %{d} email.example.com + %{d4} email.example.com + %{d3} email.example.com + %{d2} example.com + %{d1} com + %{dr} com.example.email + %{d2r} example.email + %{l} strong-bad + %{l-} strong.bad + %{lr} strong-bad + %{lr-} bad.strong + %{l1r-} strong + + macro-string expansion + -------------------------------------------------------------------- + %{ir}.%{v}._spf.%{d2} 3.2.0.192.in-addr._spf.example.com + %{lr-}.lp._spf.%{d2} bad.strong.lp._spf.example.com + + %{lr-}.lp.%{ir}.%{v}._spf.%{d2} + bad.strong.lp.3.2.0.192.in-addr._spf.example.com + + %{ir}.%{v}.%{l1r-}.lp._spf.%{d2} + 3.2.0.192.in-addr.strong.lp._spf.example.com + + %{d2}.trusted-domains.example.net + example.com.trusted-domains.example.net + + IPv6: + %{ir}.%{v}._spf.%{d2} 1.0.b.c.0.0.0.0. + 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6._spf.example.com + +8. Result Handling + + This section provides guidance for SPF verifier operators in response + to the various possible outputs of check_host() on a message. + Definitions of SPF results are presented in Section 2.6; this section + provides more detail on each for use in developing local policy for + message handling. + + Every operating environment is different. There are some receivers + for whom strict adherence to SPF is appropriate, and definitive + treatment of messages that are evaluated to be explicitly + unauthorized ("fail" and sometimes "softfail") is the norm. There + are others for which the "false negative" cases are more of a + + + +Kitterman Standards Track [Page 33] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + concern. This concern is typically handled by merely recording the + result in the header and allowing the message to pass on for + additional processing. There are still others where SPF is one of + several inputs to the message-handling decision. As such, there is + no comprehensive normative requirement for message handling in + response to any particular result. This section is provided to + present a complete picture of the likely cause of each result and, + where available, the experience gained during experimental + deployment. + + There are essentially two classes of handling choices: + + o Handling within the SMTP session that attempted to deliver the + message, such as by returning a permanent SMTP error (rejection) + or temporary SMTP error ("try again later"); + + o Permitting the message to pass (a successful SMTP reply code) and + adding an additional header field that indicates the result + returned by check_host() and other salient details; this is + discussed in more detail in Section 9. + +8.1. None + + With a "none" result, the SPF verifier has no information at all + about the authorization or lack thereof of the client to use the + checked identity or identities. The check_host() function completed + without errors but was not able to reach any conclusion. + +8.2. Neutral + + A "neutral" result indicates that although a policy for the identity + was discovered, there is no definite assertion (positive or negative) + about the client. + + A "neutral" result MUST be treated exactly like the "none" result; + the distinction exists only for informational purposes. Treating + "neutral" more harshly than "none" would discourage ADMDs from + testing the use of SPF records (see Section 10.1). + +8.3. Pass + + A "pass" result means the client is authorized to inject mail with + the given identity. The domain can now, in the sense of reputation, + be considered responsible for sending the message. Further policy + checks can now proceed with confidence in the legitimate use of the + identity. This is further discussed in Appendix G.1. + + + + + +Kitterman Standards Track [Page 34] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +8.4. Fail + + A "fail" result is an explicit statement that the client is not + authorized to use the domain in the given identity. Disposition of + SPF fail messages is a matter of local policy. See Appendix G.2 for + considerations on developing local policy. + + If the checking software chooses to reject the mail during the SMTP + transaction, then it SHOULD use an SMTP reply code of 550 (see + [RFC5321]) and, if supported, the 5.7.1 enhanced status code (see + [RFC3463], Section 3.8), in addition to an appropriate reply text. + The check_host() function will return either a default explanation + string or one from the domain that published the SPF records (see + Section 6.2). If the information does not originate with the + checking software, it is good to make it clear that the text is + provided by the sender's domain. For example: + + 550 5.7.1 SPF MAIL FROM check failed: + 550 5.7.1 The domain example.com explains: + 550 5.7.1 Please see http://www.example.com/mailpolicy.html + + If the checking software chooses not to reject the mail during the + SMTP transaction, then it SHOULD add a Received-SPF or + Authentication-Results header field (see Section 9) to communicate + this result to downstream message processors. While this is true for + all SPF results, it is of particular importance for "fail" results + since the message is explicitly not authorized by the ADMD. + +8.5. Softfail + + A "softfail" result ought to be treated as somewhere between "fail" + and "neutral"/"none". The ADMD believes the host is not authorized + but is not willing to make a strong policy statement. Receiving + software SHOULD NOT reject the message based solely on this result, + but MAY subject the message to closer scrutiny than normal. + + The ADMD wants to discourage the use of this host and thus desires + limited feedback when a "softfail" result occurs. For example, the + recipient's MUA could highlight the "softfail" status, or the + receiving MTA could give the sender a message using greylisting + [RFC6647], with a note the first time the message is received, but + accept it on a later attempt based on receiver policy. + + + + + + + + + +Kitterman Standards Track [Page 35] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +8.6. Temperror + + A "temperror" result means the SPF verifier encountered a transient + (generally DNS) error while performing the check. Checking software + can choose to accept or temporarily reject the message. If the + message is rejected during the SMTP transaction for this reason, the + software SHOULD use an SMTP reply code of 451 and, if supported, the + 4.4.3 enhanced status code (see Section 3.5 of [RFC3463]). These + errors can be caused by problems in either the sender's or receiver's + DNS software. See Appendix G.4 for considerations on developing + local policy. + +8.7. Permerror + + A "permerror" result means the domain's published records could not + be correctly interpreted. This signals an error condition that + definitely requires DNS operator intervention to be resolved. If the + message is rejected during the SMTP transaction for this reason, the + software SHOULD use an SMTP reply code of 550 and, if supported, the + 5.5.2 enhanced status code (see [RFC3463], Section 3.6). Be aware + that if the ADMD uses macros (Section 7), it is possible that this + result is due to the checked identities having an unexpected format. + It is also possible that this result is generated by certain SPF + verifiers due to the input arguments having an unexpected format; see + Section 4.8. See Appendix G.3 for considerations on developing local + policy. + +9. Recording the Result + + To provide downstream agents, such as MUAs, with the information they + might need in terms of evaluating or representing the apparent safety + of the message content, it is RECOMMENDED that SMTP receivers record + the result of SPF processing in the message header. For SPF verifier + operators that choose to record SPF results in the header of the + message for processing by internal filters or MUAs, two methods are + presented: Section 9.1 defines the Received-SPF field, which is the + results field originally defined for SPF use. Section 9.2 discusses + the Authentication-Results header field [RFC7001], which was + specified more recently and is designed for use by SPF and other + authentication methods. + + Both are in common use, and hence both are included here. However, + it is important to note that they were designed to serve slightly + different purposes. Received-SPF is intended to include enough + information to enable reconstruction of the SPF evaluation of the + message, while Authentication-Results is designed only to relay the + result itself and related output details of likely use to end users + (e.g., what property of the message was actually authenticated and + + + +Kitterman Standards Track [Page 36] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + what it contained), leaving reconstructive work to the purview of + system logs and the Received field contents. Also, Received-SPF + relies on compliance of agents within the receiving ADMD to adhere to + the header field ordering rules of [RFC5321] and [RFC5322], while + Authentication-Results includes some provisions to protect against + non-compliant implementations. + + An SPF verifier operator could choose to use both to serve different + downstream agents. In such cases, care needs to be taken to ensure + that both fields are conveying the same details, or unexpected + results can occur. + +9.1. The Received-SPF Header Field + + The Received-SPF header field is a trace field (see [RFC5322], + Section 3.6.7) and SHOULD be prepended to the existing header, above + the Received: field that is generated by the SMTP receiver. It MUST + appear above all other Received-SPF fields in the message. The + header field has the following format: + + header-field = "Received-SPF:" [CFWS] result FWS [comment FWS] + [ key-value-list ] CRLF + + result = "pass" / "fail" / "softfail" / "neutral" / + "none" / "temperror" / "permerror" + + key-value-list = key-value-pair *( ";" [CFWS] key-value-pair ) + [";"] + + key-value-pair = key [CFWS] "=" ( dot-atom / quoted-string ) + + key = "client-ip" / "envelope-from" / "helo" / + "problem" / "receiver" / "identity" / + "mechanism" / name + + identity = "mailfrom" ; for the "MAIL FROM" identity + / "helo" ; for the "HELO" identity + / name ; other identities + + dot-atom = <unquoted word as per [RFC5322]> + quoted-string = <quoted string as per [RFC5322]> + comment = <comment string as per [RFC5322]> + CFWS = <comment or folding white space as per [RFC5322]> + FWS = <folding white space as per [RFC5322]> + CRLF = <standard end-of-line token as per [RFC5322]> + + + + + + +Kitterman Standards Track [Page 37] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + The header field SHOULD include a "(...)" style comment after the + result, conveying supporting information for the result, such as + <ip>, <sender>, and <domain>. + + The following key-value pairs are designed for later machine parsing. + SPF verifiers SHOULD give enough information so that the SPF results + can be verified -- that is, at least "client-ip", "helo", and, if the + "MAIL FROM" identity was checked, "envelope-from". + + client-ip the IP address of the SMTP client + + envelope-from the envelope sender mailbox + + helo the host name given in the HELO or EHLO command + + mechanism the mechanism that matched (if no mechanisms matched, + substitute the word "default") + + problem if an error was returned, details about the error + + receiver the host name of the SPF verifier + + identity the identity that was checked; see the <identity> + ABNF rule + + Other keys MAY be defined by SPF verifiers. + + SPF verifiers MUST make sure that the Received-SPF header field does + not contain invalid characters, is not excessively long (see + [RFC5322], Section 2.1.1), and does not contain malicious data that + has been provided by the sender. + + Examples of various header field styles that could be generated are + the following: + + Received-SPF: pass (mybox.example.org: domain of + myname@example.com designates 192.0.2.1 as permitted sender) + receiver=mybox.example.org; client-ip=192.0.2.1; + envelope-from="myname@example.com"; helo=foo.example.com; + + Received-SPF: fail (mybox.example.org: domain of + myname@example.com does not designate + 192.0.2.1 as permitted sender) + identity=mailfrom; client-ip=192.0.2.1; + envelope-from="myname@example.com"; + + + + + + +Kitterman Standards Track [Page 38] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + Received-SPF: pass (mybox.example.org: domain of + myname@example.com designates 192.0.2.1 as permitted sender) + receiver=mybox.example.org; client-ip=192.0.2.1; + mechanism=ip4:192.0.2.1; envelope-from="myname@example.com"; + helo=foo.example.com; + +9.2. SPF Results in the Authentication-Results Header Field + + As mentioned in Section 9, the Authentication-Results header field is + designed to communicate lists of tests a border MTA did and their + results. The specified elements of the field provide less + information than the Received-SPF field: + + Authentication-Results: myhost.example.org; spf=pass + smtp.mailfrom=example.net + + Received-SPF: pass (myhost.example.org: domain of + myname@example.com designates 192.0.2.1 as permitted sender) + receiver=mybox.example.org; client-ip=192.0.2.1; + envelope-from="myname@example.com"; helo=foo.example.com; + + It is, however, possible to add CFWS in the "reason" part of an + Authentication-Results header field and provide the equivalent + information, if desired. + + As an example, an expanded Authentication-Results header field might + look like (for a "MAIL FROM" check in this example): + + Authentication-Results: myhost.example.org; spf=pass + reason="client-ip=192.0.2.1; smtp.helo=foo.example.com" + smtp.mailfrom=user@example.net + +10. Effects on Infrastructure + + This section outlines the major implications that adoption of this + protocol will have on various entities involved in Internet email. + It is intended to make clear to the reader where this protocol + knowingly affects the operation of such entities. This section is + not a "how-to" manual, or a "best practices" document, and it is not + a comprehensive list of what such entities ought to do in light of + this specification. + + This section provides operational advice and instruction only. It is + non-normative. + + [RFC5598] describes the Internet email architecture. This section is + organized based on the different segments of the architecture. + + + + +Kitterman Standards Track [Page 39] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +10.1. Sending Domains + + Originating ADMDs (ADministrative Management Domains -- + Sections 2.2.1 and 2.3 of [RFC5598]) that wish to be compliant with + this specification will need to determine the list of relays + ([RFC5598], Section 2.2.2) that they allow to use their domain name + in the "HELO" and "MAIL FROM" identities when relaying to other + ADMDs. It is recognized that forming such a list is not just a + simple technical exercise, but involves policy decisions with both + technical and administrative considerations. + +10.1.1. DNS Resource Considerations + + Minimizing the DNS resources needed for SPF lookups can be done by + choosing directives that require less DNS information and by placing + lower-cost mechanisms earlier in the SPF record. + + Section 4.6.4 specifies the limits receivers have to use. It is + essential to publish records that do not exceed these requirements. + It is also required to carefully weigh the cost and the + maintainability of licit solutions. + + For example, consider a domain set up as follows: + + example.com. IN MX 10 mx.example.com. + IN MX 20 mx2.example.com. + mx.example.com. IN A 192.0.2.1 + mx2.example.com. IN A 192.0.2.129 + + Assume the administrative point is to authorize (pass) mx and mx2 + while failing every other host. Compare the following solutions: + + Best record: + example.com. IN TXT "v=spf1 ip4:192.0.2.1 ip4:192.0.2.129 -all" + + Good record: + $ORIGIN example.com. + @ IN TXT "v=spf1 a:authorized-spf.example.com -all" + authorized-spf IN A 192.0.2.1 + IN A 192.0.2.129 + + Expensive record: + example.com. IN TXT "v=spf1 mx:example.com -all" + + Wasteful, bad record: + example.com. IN TXT "v=spf1 ip4:192.0.2.0/24 mx -all" + + + + + +Kitterman Standards Track [Page 40] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +10.1.2. Administrator's Considerations + + There might be administrative considerations: using "a" over "ip4" or + "ip6" allows hosts to be renumbered easily at the cost of a DNS query + per receiver. Using "mx" over "a" allows the set of mail hosts to be + changed easily. Unless such changes are common, it is better to use + the less resource-intensive mechanisms like "ip4" and "ip6" over "a" + or "a" over "mx". + + In some specific cases, standard advice on record content is + appropriate. Publishing SPF records for domains that send no mail is + a well-established best practice. The record for a domain that sends + no mail is: + + www.example.com. IN TXT "v=spf1 -all" + + Publishing SPF records for individual hosts is also best practice. + The host name is generally the identity used in the 5321.HELO/.EHLO + command. In the case of messages with a null 5321.MailFrom, this is + used as the domain for 5321.MailFrom SPF checks, in addition to being + used in 5321.HELO/.EHLO-based SPF checks. The standard SPF record + for an individual host that is involved in mail processing is: + + relay.example.com. IN TXT "v=spf1 a -all" + + Validating correct deployment is difficult. [RFC6652] describes one + mechanism for soliciting feedback on SPF failures. Another + suggestion can be found in Appendix C. + + Regardless of the method used, understanding the ADMD's outbound mail + architecture is essential to effective deployment. + +10.1.3. Bounces + + As explained in Section 2.4, [RFC5321] allows the MAIL FROM to be + null, which is typical of some Delivery Status Notifications + [RFC3464], commonly called email bounces. In this case, the only + entity available for performing an SPF check is the "HELO" identity + defined in Section 1.1.4. SPF functionality is enhanced by + administrators ensuring this identity is set correctly and has an + appropriate SPF record. It is normal to have the "HELO" identity set + to the host name instead of the domain. Zone file generation for + significant numbers of hosts can be consolidated using the "redirect" + modifier and scripted for initial deployment. Specific deployment + advice is given above in Section 10.1.2. + + + + + + +Kitterman Standards Track [Page 41] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +10.2. Receivers + + SPF results can be used in combination with other methods to + determine the final local disposition (either positive or negative) + of a message. It can also be considered dispositive on its own. + + An attempt to have one organization (sender) direct the email- + handling policies of another (receiver) is inherently challenging and + often controversial. As stated elsewhere in this document, there is + no comprehensive normative requirement for specific handling of a + message based on SPF results. The information presented in Section 8 + and in Appendix G is offered for receiver consideration when forming + local handling policies. + + The primary considerations are that SPF might return "pass" for mail + that is ultimately harmful (e.g., spammers that arrange for SPF to + pass using disposable domain names, or virus or spam outbreaks from + within trusted sources), and might also return "fail" for mail that + is ultimately legitimate (e.g., legitimate mail that has traversed a + mail alias). It is important to take both of these cases under + consideration when establishing local handling policy. + +10.3. Mediators + + Mediators are a type of User Actor [RFC5598]. That is, a mediator + takes 'delivery' of a message and posts a 'submission' of a new + message. The mediator can make the newly posted message be as + similar to or as different from the original message as they wish. + Examples include mailing lists (see Section 5.3 of [RFC5598]) and + ReSenders (Section 5.2 of [RFC5598]). This is discussed in + [RFC5321], Section 3.9. For the operation of SPF, the essential + concern is the email address in the 5321.MailFrom command for the new + message. + + Because SPF evaluation is based on the IP address of the "last" + sending SMTP server, the address of the mediator will be used, rather + than the address of the SMTP server that sent the message to the + mediator. Some mediators retain the email address from the original + message, while some use a new address. + + If the address is the same as for the original message, and the + original message had an associated SPF record, then the SPF + evaluation will fail unless mitigations such as those described in + Appendix D are used. + + + + + + + +Kitterman Standards Track [Page 42] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +11. Security Considerations + +11.1. Processing Limits + + As with most aspects of email, there are a number of ways that + malicious parties could use the protocol as an avenue for a DoS + attack. The processing limits outlined in Section 4.6.4 are designed + to prevent attacks such as the following: + + o A malicious party could create an SPF record with many references + to a victim's domain and send many emails to different SPF + verifiers; those SPF verifiers would then create a DoS attack. In + effect, the SPF verifiers are being used to amplify the attacker's + bandwidth by using fewer octets in the SMTP session than are used + by the DNS queries. Using SPF verifiers also allows the attacker + to hide the true source of the attack. This potential attack is + based on large volumes of mail being transmitted. + + o Whereas implementations of check_host() are supposed to limit the + number of DNS lookups, malicious domains could publish records + that exceed these limits in an attempt to waste computation effort + at their targets when they send them mail. Malicious domains + could also design SPF records that cause particular + implementations to use excessive memory or CPU or to trigger bugs. + If a receiver is configured to accept mail with an SPF result of + "temperror", such an attack might result in mail that would + otherwise have been rejected due to an SPF "fail" result being + accepted. This potential attack is based on specially crafted SPF + records being used to exhaust DNS resources of the victim. + + o Malicious parties could send a large volume of mail purporting to + come from the intended target to a wide variety of legitimate mail + hosts. These legitimate machines would then present a DNS load on + the target as they fetched the relevant records. + + o Malicious parties could, in theory, use SPF records as a vehicle + for DNS lookup amplification for a DoS attack. In this scenario, + the attacker publishes an SPF record in its own DNS that uses "a" + and "mx" mechanisms directed toward the intended victim, e.g., + "a:example.com a:foo.example.com a:bar.example.com ..." and then + distributes mail with a MAIL FROM value including its own domain + in large volume to a wide variety of destinations. Any such + destination operating an SPF verifier will begin querying all of + the names associated with the "a" mechanisms in that record. The + names used in the record needn't exist for the attack to be + effective. Operational experience since the publication of + [RFC4408] suggests that mitigation of this class of attack can be + accomplished with minimal impact on the deployed base by having + + + +Kitterman Standards Track [Page 43] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + the verifier abort processing and return "permerror" + (Section 2.6.7) as soon as more than two "void lookups" have been + encountered (defined in Section 4.6.4). + + Of these, the case of a third party referenced in the SPF record is + the easiest for a DoS attack to effectively exploit. As a result, + limits that might seem reasonable for an individual mail server can + still allow an unreasonable amount of bandwidth amplification. + Therefore, the processing limits need to be quite low. + +11.2. SPF-Authorized Email May Contain Other False Identities + + The "MAIL FROM" and "HELO" identity authorizations do not provide + assurance about the authorization/authenticity of other identities + used in the message. It is entirely possible for a malicious sender + to inject a message using his own domain in the identities used by + SPF and have that domain's SPF record authorize the sending host, and + yet the message can easily list other identities in its header. + Unless the user or the MUA takes care to note that the authorized + identity does not match the other more commonly presented identities + (such as the From: header field), the user might be lulled into a + false sense of security. + +11.3. Spoofed DNS and IP Data + + There are two aspects of this protocol that malicious parties could + exploit to undermine the validity of the check_host() function: + + o The evaluation of check_host() relies heavily on DNS. A malicious + attacker could attack the DNS infrastructure and cause + check_host() to see spoofed DNS data, and then return incorrect + results. This could include returning "pass" for an <ip> value + where the actual domain's record would evaluate to "fail". See + [RFC3833] for a description of DNS weaknesses, and see [RFC4033] + for a countermeasure. + + o The client IP address, <ip>, is assumed to be correct. In a + modern, correctly configured system, the risk of this not being + true is nil. + +11.4. Cross-User Forgery + + By definition, SPF policies just map domain names to sets of + authorized MTAs, not whole email addresses to sets of authorized + users. Although the "l" macro (Section 7) provides a limited way to + define individual sets of authorized MTAs for specific email + addresses, it is generally impossible to verify, through SPF, the use + of specific email addresses by individual users of the same MTA. + + + +Kitterman Standards Track [Page 44] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + It is up to mail services and their MTAs to directly prevent + cross-user forgery: based on SMTP AUTH ([RFC4954]), users have to be + restricted to using only those email addresses that are actually + under their control (see Section 6.1 of [RFC6409]). Another means to + verify the identity of individual users is message cryptography, such + as Pretty Good Privacy (PGP) ([RFC4880]) or S/MIME ([RFC5751]). + +11.5. Untrusted Information Sources + + An SPF-compliant receiver gathers information from the SMTP commands + it receives and from the published DNS records of the sending domain + holder (e.g., "HELO" domain name, the "MAIL FROM" address from the + envelope, and SPF DNS records published by the domain holder). These + parameters are not validated in the SMTP process. + + All of these pieces of information are generated by actors outside of + the authority of the receiver, and thus are not guaranteed to be + accurate or legitimate. + +11.5.1. Recorded Results + + This information, passed to the receiver in the Received-SPF: or + Authentication-Results: trace fields, can be returned to the client + MTA as an SMTP rejection message. If such an SMTP rejection message + is generated, the information from the trace fields has to be checked + for such problems as invalid characters and excessively long lines. + +11.5.2. External Explanations + + When the authorization check fails, an explanation string could be + included in the reject response. Both the sender and the rejecting + receiver need to be aware that the explanation was determined by the + publisher of the SPF record checked and, in general, not the + receiver. The explanation can contain malicious URLs, or it might be + offensive or misleading. + + Explanations returned to sender domains due to "exp" modifiers + (Section 6.2) were generated by the sender policy published by the + domain holders themselves. As long as messages are only returned + with non-delivery notifications ([RFC3464]) to domains publishing the + explanation strings from their own DNS SPF records, the only affected + parties are the original publishers of the domain's SPF records. + + In practice, such non-delivery notifications can be misdirected, such + as when an MTA accepts an email and only later generates the + notification to a forged address, or when an email forwarder does not + direct the bounce back to the original sender. + + + + +Kitterman Standards Track [Page 45] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +11.5.3. Macro Expansion + + Macros (Section 7) allow senders to inject arbitrary text (any + non-null [US-ASCII] character) into receiver DNS queries. It is + necessary to be prepared for hostile or unexpected content. + +11.6. Privacy Exposure + + Checking SPF records causes DNS queries to be sent to the domain + owner. These DNS queries, especially if they are caused by the + "exists" mechanism, can contain information about who is sending + email and likely to which MTA the email is being sent. This can + introduce some privacy concerns, which are more or less of an issue + depending on local laws and the relationship between the ADMD and the + person sending the email. + +11.7. Delivering Mail Producing a "Fail" Result + + Operators that choose to deliver mail for which SPF produces a "fail" + result need to understand that they are admitting content that is + explicitly not authorized by the purported sender. While there are + known failure modes that can be considered "false negatives", the + distinct choice to admit those messages increases end-user exposure + to likely harm. This is especially true for domains belonging to + known good actors that are typically well-behaved; unauthorized mail + from those sources might well be subjected to much higher skepticism + and content analysis. + + SPF does not, however, include the capacity to distinguish good + actors from bad ones, nor does it handle the concept of known actors + versus unknown ones. Those notions are out of scope for this + specification. + +12. Collected ABNF + + This section is normative, and any discrepancies with the ABNF + fragments in the preceding text are to be resolved in favor of this + grammar. + + See [RFC5234] for ABNF notation. Please note that as per this ABNF + definition, literal text strings (those in quotes) are case- + insensitive. Hence, "mx" matches "mx", "MX", "mX", and "Mx". + + record = version terms *SP + version = "v=spf1" + + terms = *( 1*SP ( directive / modifier ) ) + + + + +Kitterman Standards Track [Page 46] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + directive = [ qualifier ] mechanism + qualifier = "+" / "-" / "?" / "~" + mechanism = ( all / include + / a / mx / ptr / ip4 / ip6 / exists ) + + all = "all" + include = "include" ":" domain-spec + a = "a" [ ":" domain-spec ] [ dual-cidr-length ] + mx = "mx" [ ":" domain-spec ] [ dual-cidr-length ] + ptr = "ptr" [ ":" domain-spec ] + ip4 = "ip4" ":" ip4-network [ ip4-cidr-length ] + ip6 = "ip6" ":" ip6-network [ ip6-cidr-length ] + exists = "exists" ":" domain-spec + + modifier = redirect / explanation / unknown-modifier + redirect = "redirect" "=" domain-spec + explanation = "exp" "=" domain-spec + unknown-modifier = name "=" macro-string + ; where name is not any known modifier + + ip4-cidr-length = "/" ("0" / %x31-39 0*1DIGIT) ; value range 0-32 + ip6-cidr-length = "/" ("0" / %x31-39 0*2DIGIT) ; value range 0-128 + dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] + + ip4-network = qnum "." qnum "." qnum "." qnum + qnum = DIGIT ; 0-9 + / %x31-39 DIGIT ; 10-99 + / "1" 2DIGIT ; 100-199 + / "2" %x30-34 DIGIT ; 200-249 + / "25" %x30-35 ; 250-255 + ; conventional dotted-quad notation, e.g., 192.0.2.0 + ip6-network = <as per Section 2.2 of [RFC4291]> + ; e.g., 2001:db8::cd30 + + domain-spec = macro-string domain-end + domain-end = ( "." toplabel [ "." ] ) / macro-expand + + toplabel = ( *alphanum ALPHA *alphanum ) / + ( 1*alphanum "-" *( alphanum / "-" ) alphanum ) + ; LDH rule plus additional TLD restrictions + ; (see Section 2 of [RFC3696] for background) + alphanum = ALPHA / DIGIT + + explain-string = *( macro-string / SP ) + + macro-string = *( macro-expand / macro-literal ) + macro-expand = ( "%{" macro-letter transformers *delimiter "}" ) + / "%%" / "%_" / "%-" + + + +Kitterman Standards Track [Page 47] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + macro-literal = %x21-24 / %x26-7E + ; visible characters except "%" + macro-letter = "s" / "l" / "o" / "d" / "i" / "p" / "h" / + "c" / "r" / "t" / "v" + transformers = *DIGIT [ "r" ] + delimiter = "." / "-" / "+" / "," / "/" / "_" / "=" + + name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." ) + + header-field = "Received-SPF:" [CFWS] result FWS [comment FWS] + [ key-value-list ] CRLF + + result = "pass" / "fail" / "softfail" / "neutral" / + "none" / "temperror" / "permerror" + + key-value-list = key-value-pair *( ";" [CFWS] key-value-pair ) + [";"] + + key-value-pair = key [CFWS] "=" ( dot-atom / quoted-string ) + + key = "client-ip" / "envelope-from" / "helo" / + "problem" / "receiver" / "identity" / + "mechanism" / name + + identity = "mailfrom" ; for the "MAIL FROM" identity + / "helo" ; for the "HELO" identity + / name ; other identities + + sender = Mailbox + ip = ip4-network / ip6-network + ALPHA = <A-Z / a-z as per [RFC5234]> + DIGIT = <0-9 as per [RFC5234]> + SP = <space character as per [RFC5234]> + dot-atom = <unquoted word as per [RFC5322]> + quoted-string = <quoted string as per [RFC5322]> + comment = <comment string as per [RFC5322]> + CFWS = <comment or folding white space as per [RFC5322]> + FWS = <folding white space as per [RFC5322]> + CRLF = <standard end-of-line token as per [RFC5322]> + +13. Contributors and Acknowledgements + + This document is largely based on the work of Meng Weng Wong, Mark + Lentczner, and Wayne Schlitt. Although, as this section + acknowledges, many people have contributed to this document, a very + large portion of the writing and editing is due to Meng, Mark, and + Wayne. + + + + +Kitterman Standards Track [Page 48] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + This design owes a debt of parentage to [RMX] by Hadmut Danisch and + to [DMP] by Gordon Fecyk. The idea of using a DNS record to check + the legitimacy of an email address traces its ancestry further back + through messages on the namedroppers mailing list by Paul Vixie + [Vixie] (based on suggestion by Jim Miller) and by David Green + [Green]. + + Philip Gladstone contributed the concept of macros to the + specification, multiplying the expressiveness of the language and + making per-user and per-IP lookups possible. + + The authors of both this document and [RFC4408] would also like to + thank the literally hundreds of individuals who have participated in + the development of this design. They are far too numerous to name, + but they include the following: + + The participants in the SPFbis working group. The folks on the + spf-discuss mailing list. The folks on the SPAM-L mailing list. + The folks on the IRTF ASRG mailing list. The folks on the IETF + MARID mailing list. The folks on #perl. + +14. IANA Considerations + +14.1. The SPF DNS Record Type + + Per [RFC4408], the IANA assigned the Resource Record Type and Qtype + from the "Domain Name System (DNS) Parameters" registry for the SPF + RR type with code 99. The format of this type is identical to the + TXT RR [RFC1035]. The character content of the record is encoded as + [US-ASCII]. + + Studies have shown that RRTYPE 99 has not seen any substantial use, + and in fact its existence and mechanism defined in [RFC4408] have led + to some interoperability issues. Accordingly, its use is no longer + appropriate for SPF version 1; implementations are not to use it. + + IANA has updated the "Resource Record (RR) TYPEs" registry to + indicate that this document is the reference document for that + RRTYPE. + + + + + + + + + + + + +Kitterman Standards Track [Page 49] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +14.2. The Received-SPF Mail Header Field + + Per [RFC3864], the "Received-SPF:" header field is added to the IANA + "Permanent Message Header Field Names" registry. The following is + the registration template: + + Header field name: Received-SPF Applicable protocol: mail + ([RFC5322]) Status: standard Author/Change controller: IETF + Specification document(s): RFC 7208 + +14.3. SPF Modifier Registry + + IANA has changed the reference for the "exp" and "redirect" modifiers + in the "Modifier Names" registry, under Sender Policy Framework + Parameters, from [RFC4408] to this document. Their status is + unchanged. + +15. References + +15.1. Normative References + + [RFC1035] Mockapetris, P., "Domain names - implementation and + specification", STD 13, RFC 1035, November 1987. + + [RFC1123] Braden, R., "Requirements for Internet Hosts - Application + and Support", STD 3, RFC 1123, October 1989. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC3463] Vaudreuil, G., "Enhanced Mail System Status Codes", + RFC 3463, January 2003. + + [RFC3864] Klyne, G., Nottingham, M., and J. Mogul, "Registration + Procedures for Message Header Fields", BCP 90, RFC 3864, + September 2004. + + [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform + Resource Identifier (URI): Generic Syntax", STD 66, + RFC 3986, January 2005. + + [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing + Architecture", RFC 4291, February 2006. + + [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax + Specifications: ABNF", STD 68, RFC 5234, January 2008. + + + + + +Kitterman Standards Track [Page 50] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + [RFC5321] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, + October 2008. + + [RFC5322] Resnick, P., Ed., "Internet Message Format", RFC 5322, + October 2008. + + [RFC5598] Crocker, D., "Internet Mail Architecture", RFC 5598, + July 2009. + + [RFC5890] Klensin, J., "Internationalized Domain Names for + Applications (IDNA): Definitions and Document Framework", + RFC 5890, August 2010. + + [RFC7001] Kucherawy, M., "Message Header Field for Indicating + Message Authentication Status", RFC 7001, September 2013. + + [US-ASCII] + American National Standards Institute (formerly United + States of America Standards Institute), "USA Code for + Information Interchange, X3.4", 1968. + + ANSI X3.4-1968 has been replaced by newer versions with + slight modifications, but the 1968 version remains + definitive for the Internet. + +15.2. Informative References + + [BATV] Levine, J., Crocker, D., Silberman, S., and T. Finch, + "Bounce Address Tag Validation (BATV)", Work in Progress, + May 2008. + + [DMP] Fecyk, G., "Designated Mailers Protocol", Work in + Progress, May 2004. + + [Green] Green, D., "Domain-Authorized SMTP Mail", June 2002, + <http://www.mhonarc.org/archive/html/ietf-asrg/2003-03/ + msg01525.html>. + + [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", + STD 13, RFC 1034, November 1987. + + [RFC1983] Malkin, G., "Internet Users' Glossary", RFC 1983, + August 1996. + + [RFC2308] Andrews, M., "Negative Caching of DNS Queries (DNS + NCACHE)", RFC 2308, March 1998. + + + + + +Kitterman Standards Track [Page 51] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", + RFC 2671, August 1999. + + [RFC2782] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for + specifying the location of services (DNS SRV)", RFC 2782, + February 2000. + + [RFC3464] Moore, K. and G. Vaudreuil, "An Extensible Message Format + for Delivery Status Notifications", RFC 3464, + January 2003. + + [RFC3696] Klensin, J., "Application Techniques for Checking and + Transformation of Names", RFC 3696, February 2004. + + [RFC3833] Atkins, D. and R. Austein, "Threat Analysis of the Domain + Name System (DNS)", RFC 3833, August 2004. + + [RFC3834] Moore, K., "Recommendations for Automatic Responses to + Electronic Mail", RFC 3834, August 2004. + + [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S. + Rose, "DNS Security Introduction and Requirements", + RFC 4033, March 2005. + + [RFC4408] Wong, M. and W. Schlitt, "Sender Policy Framework (SPF) + for Authorizing Use of Domains in E-Mail, Version 1", + RFC 4408, April 2006. + + [RFC4632] Fuller, V. and T. Li, "Classless Inter-domain Routing + (CIDR): The Internet Address Assignment and Aggregation + Plan", BCP 122, RFC 4632, August 2006. + + [RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. + Thayer, "OpenPGP Message Format", RFC 4880, November 2007. + + [RFC4954] Siemborski, R. and A. Melnikov, "SMTP Service Extension + for Authentication", RFC 4954, July 2007. + + [RFC5507] IAB, Faltstrom, P., Austein, R., and P. Koch, "Design + Choices When Expanding the DNS", RFC 5507, April 2009. + + [RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet + Mail Extensions (S/MIME) Version 3.2 Message + Specification", RFC 5751, January 2010. + + [RFC5782] Levine, J., "DNS Blacklists and Whitelists", RFC 5782, + February 2010. + + + + +Kitterman Standards Track [Page 52] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + [RFC6409] Gellens, R. and J. Klensin, "Message Submission for Mail", + STD 72, RFC 6409, November 2011. + + [RFC6647] Kucherawy, M. and D. Crocker, "Email Greylisting: An + Applicability Statement for SMTP", RFC 6647, June 2012. + + [RFC6648] Saint-Andre, P., Crocker, D., and M. Nottingham, + "Deprecating the "X-" Prefix and Similar Constructs in + Application Protocols", BCP 178, RFC 6648, June 2012. + + [RFC6652] Kitterman, S., "Sender Policy Framework (SPF) + Authentication Failure Reporting Using the Abuse Reporting + Format", RFC 6652, June 2012. + + [RFC6686] Kucherawy, M., "Resolution of the Sender Policy Framework + (SPF) and Sender ID Experiments", RFC 6686, July 2012. + + [RFC6891] Damas, J., Graff, M., and P. Vixie, "Extension Mechanisms + for DNS (EDNS(0))", STD 75, RFC 6891, April 2013. + + [RMX] Danisch, H., "The RMX DNS RR and method for lightweight + SMTP sender authorization", Work in Progress, May 2004. + + [Vixie] Vixie, P., "Repudiating MAIL FROM", 2002, + <http://marc.info/?l=namedroppers&m=102298170127004&w=4>. + + + + + + + + + + + + + + + + + + + + + + + + + + +Kitterman Standards Track [Page 53] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +Appendix A. Extended Examples + + These examples are based on the following DNS setup: + + ; A domain with two mail servers, two hosts, and two servers + ; at the domain name + $ORIGIN example.com. + @ MX 10 mail-a + MX 20 mail-b + A 192.0.2.10 + A 192.0.2.11 + amy A 192.0.2.65 + bob A 192.0.2.66 + mail-a A 192.0.2.129 + mail-b A 192.0.2.130 + www CNAME example.com. + + ; A related domain + $ORIGIN example.org. + @ MX 10 mail-c + mail-c A 192.0.2.140 + + ; The reverse IP for those addresses + $ORIGIN 2.0.192.in-addr.arpa. + 10 PTR example.com. + 11 PTR example.com. + 65 PTR amy.example.com. + 66 PTR bob.example.com. + 129 PTR mail-a.example.com. + 130 PTR mail-b.example.com. + 140 PTR mail-c.example.org. + + ; A rogue reverse IP domain that claims to be + ; something it's not + $ORIGIN 0.0.10.in-addr.arpa. + 4 PTR bob.example.com. + + + + + + + + + + + + + + + +Kitterman Standards Track [Page 54] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +A.1. Simple Examples + + These examples show various possible published records for + example.com and which values of <ip> would cause check_host() to + return "pass". Note that <domain> is "example.com". + + v=spf1 +all + + -- any <ip> passes + + v=spf1 a -all + + -- hosts 192.0.2.10 and 192.0.2.11 pass + + v=spf1 a:example.org -all + + -- no sending hosts pass since example.org has no A records + + v=spf1 mx -all + + -- sending hosts 192.0.2.129 and 192.0.2.130 pass + + v=spf1 mx:example.org -all + + -- sending host 192.0.2.140 passes + + v=spf1 mx mx:example.org -all + + -- sending hosts 192.0.2.129, 192.0.2.130, and 192.0.2.140 pass + + v=spf1 mx/30 mx:example.org/30 -all + + -- any sending host in 192.0.2.128/30 or 192.0.2.140/30 passes + + v=spf1 ptr -all + + -- sending host 192.0.2.65 passes (reverse DNS is valid and is + in example.com) + + -- sending host 192.0.2.140 fails (reverse DNS is valid, but not + in example.com) + + -- sending host 10.0.0.4 fails (reverse IP is not valid) + + + + + + + + +Kitterman Standards Track [Page 55] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + v=spf1 ip4:192.0.2.128/28 -all + + -- sending host 192.0.2.65 fails + + -- sending host 192.0.2.129 passes + +A.2. Multiple Domain Example + + These examples show the effect of related records: + + example.org: "v=spf1 include:example.com include:example.net -all" + + This record would be used if mail from example.org actually came + through servers at example.com and example.net. Example.org's + designated servers are the union of example.com's and example.net's + designated servers. + + la.example.org: "v=spf1 redirect=example.org" + + ny.example.org: "v=spf1 redirect=example.org" + + sf.example.org: "v=spf1 redirect=example.org" + + These records allow a set of domains that all use the same mail + system to make use of that mail system's record. In this way, only + the mail system's record needs to be updated when the mail setup + changes. These domains' records never have to change. + +A.3. DNS Blacklist (DNSBL) Style Example + + Imagine that, in addition to the domain records listed above, there + are these (see [RFC5782]): + + $ORIGIN _spf.example.com. + mary.mobile-users A 127.0.0.2 + fred.mobile-users A 127.0.0.2 + 15.15.168.192.joel.remote-users A 127.0.0.2 + 16.15.168.192.joel.remote-users A 127.0.0.2 + + + + + + + + + + + + + +Kitterman Standards Track [Page 56] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + The following records describe users at example.com who mail from + arbitrary servers, or who mail from personal servers. + + example.com: + + v=spf1 mx + include:mobile-users._spf.%{d} + include:remote-users._spf.%{d} + -all + + mobile-users._spf.example.com: + + v=spf1 exists:%{l1r+}.%{d} + + remote-users._spf.example.com: + + v=spf1 exists:%{ir}.%{l1r+}.%{d} + +A.4. Multiple Requirements Example + + Say that your sender policy requires both that the IP address is + within a certain range and that the reverse DNS for the IP matches. + This can be done several ways, including the following: + + example.com. SPF ( "v=spf1 " + "-include:ip4._spf.%{d} " + "-include:ptr._spf.%{d} " + "+all" ) + ip4._spf.example.com. SPF "v=spf1 -ip4:192.0.2.0/24 +all" + ptr._spf.example.com. SPF "v=spf1 -ptr +all" + + This example shows how the "-include" mechanism can be useful, how an + SPF record that ends in "+all" can be very restrictive, and the use + of De Morgan's Law. + +Appendix B. Changes in Implementation Requirements from RFC 4408 + + The modifications to implementation requirements from [RFC4408] are + all either (a) corrections to errors in [RFC4408] or (b) additional + documentation based on consensus of operational experience acquired + since the publication of [RFC4408]. + + o Use of DNS RR type SPF (99) has been removed from the protocol; + see [RFC6686] for background. + + o A new DNS-related processing limit based on "void lookups" has + been added (Section 4.6.4). + + + + +Kitterman Standards Track [Page 57] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + o Use of the ptr mechanism and the %p macro has been strongly + discouraged (Sections 5.5 and 7.2). The ptr mechanism and the %p + macro remain part of the protocol because they were found to be in + use, but records ought to be updated to avoid them. + + o Use of the "Authentication-Results" header field [RFC7001] as a + possible alternative to use of the "Received-SPF" header field is + discussed (Section 9.2). + + o There have been a number of minor corrections to the ABNF to make + it more clear and correct (Section 12). SPF library implementers + should give the revised ABNF a careful review to determine if + implementation changes are needed. + + o Use of X- fields in the ABNF has been removed; see [RFC6648] for + background. + + o Ambiguity about how to deal with invalid <domain-spec> after macro + expansion has been documented. Depending on one specific behavior + has to be avoided (Section 4.8). + + o General operational information has been updated and expanded + based on eight years of post-[RFC4408] operations experience. See + Section 10 and Appendices D through G below. + + o Security considerations have been reviewed and updated + (Section 11). + +Appendix C. Further Testing Advice + + Another approach that can be helpful is to publish records that + include a "tracking exists:" mechanism. By looking at the name + server logs, a rough list can then be generated. For example: + + v=spf1 exists:_h.%{h}._l.%{l}._o.%{o}._i.%{i}._spf.%{d} ?all + + This associated macro expansion would cause the sending HELO domain, + local-part of the sending email address, domain part of the sending + email address, and the IP address from which the connection was + received to be embedded in an SPF query and logged in the sender's + DNS logs. + + This approach, which has been used since very early in the SPF + project, allows senders to unilaterally collect data to evaluate the + correctness of their SPF records. Unlike newer feedback mechanisms, + it does not require any special cooperation from SPF verifiers. A + similar example, one of the earliest SPF records published, can still + be found as of this writing at altavista.net. + + + +Kitterman Standards Track [Page 58] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +Appendix D. SPF/Mediator Interactions + + There are three places that techniques can be used to ameliorate + unintended SPF failures with mediators. + +D.1. Originating ADMDs + + The beginning, when email is first sent: + + o "Neutral" results could be given for IP addresses that might be + forwarders, instead of "fail" results based on a list of known + reliable forwarders. For example: + + "v=spf1 mx ?exists:%{ir}.whitelist.example.org -all" + + This would cause a lookup on a DNS White List (DNSWL) and cause a + result of "fail" only for email not coming from either the + domain's mx host(s) (SPF pass) or whitelisted sources (SPF + neutral). This, in effect, outsources an element of sender policy + to the maintainer of the whitelist. + + o The "MAIL FROM" identity could have additional information in the + local-part that cryptographically identifies the mail as coming + from an authorized source. In this case, an SPF record such as + the following could be used: + + "v=spf1 mx exists:%{l}._spf_verify.%{d} -all" + + Then, a specialized DNS server can be set up to serve the + _spf_verify subdomain that validates the local-part. Although + this requires an extra DNS lookup, this happens only when the + email would otherwise be rejected as not coming from a known good + source. + + Note that due to the 63-character limit for domain labels, this + approach only works reliably if the local-part signature scheme is + guaranteed to either only produce local-parts with a maximum of + 63 characters or gracefully handle truncated local-parts. The + method used to secure the local-part is a local implementation + issue; it need not be standard. An example of one way to do it + can be found in [BATV]. + + o Similarly, a specialized DNS server could be set up that will + rate-limit the email coming from unexpected IP addresses. + + "v=spf1 mx exists:%{ir}._spf_rate.%{d} -all" + + + + + +Kitterman Standards Track [Page 59] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + o SPF allows the creation of per-user policies for special cases. + For example, the following SPF record and appropriate wildcard DNS + records can be used: + + "v=spf1 mx redirect=%{l1r+}._at_.%{o}._spf.%{d}" + +D.2. Mediators + + The middle, when email is forwarded: + + o Mediators can solve the problem by rewriting the "MAIL FROM" to be + in their own domain. This means mail rejected from the external + mailbox will have to be forwarded back to the original sender by + the forwarding service. Various schemes to do this exist, though + they vary widely in complexity and resource requirements on the + part of the mediator. + + o Several popular MTAs can be forced from "alias" semantics to + "mailing list" semantics by configuring an additional alias with + "owner-" prepended to the original alias name (e.g., an alias of + "friends: george@example.com, fred@example.org" would need another + alias of the form "owner-friends: localowner"). + + o Mediators could reject mail that would "fail" SPF if forwarded + using an SMTP reply code of 551, User not local (see Section 3.4 + of [RFC5321]) to communicate the correct target address to resend + the mail to. + +D.3. Receiving ADMDs + + The end, when email is received: + + o If the owner of the external mailbox wishes to trust the mediator, + he can direct the external mailbox's MTA to skip SPF tests when + the client host belongs to the mediator. + + o Tests against other identities, such as the "HELO" identity, can + be used to override a failed test against the "MAIL FROM" + identity. + + o For larger domains, it might not be possible to have a complete or + accurate list of forwarding services used by the owners of the + domain's mailboxes. In such cases, whitelists of generally + recognized forwarding services could be employed. + + + + + + + +Kitterman Standards Track [Page 60] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +Appendix E. Mail Services + + MSPs (Mail Service Providers -- Section 2.3 of [RFC5598]) that offer + mail services to third-party domains, such as the sending of bulk + mail, might want to adjust their configurations in light of the + authorization check described in this document. If the domain part + of the "MAIL FROM" identity used for such email uses one of the MSP's + domains, then the provider needs only to ensure that its sending host + is authorized by its own SPF record, if any. + + If the "MAIL FROM" identity does not use the MSP's domain, then extra + care has to be taken. The SPF record format has several options for + the third-party domain to authorize the service provider's MTAs to + send mail on its behalf. For MSPs, such as ISPs, that have a wide + variety of customers using the same MTA, steps are required to + mitigate the risk of cross-customer forgery (see Section 11.4). + +Appendix F. MTA Relays + + Relays are described in [RFC5598], Section 2.2.2. The authorization + check generally precludes the use of arbitrary MTA relays between the + sender and receiver of an email message. + + Within an organization, MTA relays can be effectively deployed. + However, for the purposes of this document, such relays are + effectively transparent. The SPF authorization check is a check + between border MTAs of different ADMDs. + + For mail senders, this means published SPF records have to authorize + any MTAs that actually send across the Internet. Usually, these are + just the border MTAs as internal MTAs simply forward mail to these + MTAs for relaying. + + The receiving ADMD will generally want to perform the authorization + check at the boundary MTAs, including all secondary MXs. Internal + MTAs (including MTAs that might serve as both boundary MTAs and + internal relays from secondary MXs when they are processing the + relayed mail stream) then do not perform the authorization test. To + perform the authorization test other than at the boundary, the host + that first transferred the message to the receiving ADMD has to be + determined, which can be difficult to extract from the message header + because (a) header fields can be forged or malformed, and (b) there's + no standard way to encode that information such that it can be + reliably extracted. Testing other than at the boundary is likely to + produce unreliable results. This is described further in Appendix D + of [RFC7001]. + + + + + +Kitterman Standards Track [Page 61] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +Appendix G. Local Policy Considerations + + SPF results can be used in combination with other methods to + determine the final local disposition (either positive or negative) + of a message. It can also be considered dispositive on its own. + +G.1. Policy for SPF Pass + + SPF "pass" results can be used in combination with "whitelists" of + known "good" domains to bypass some or all additional pre-delivery + email checks. Exactly which checks and how to determine appropriate + whitelist entries have to be based on local conditions and + requirements. + +G.2. Policy for SPF Fail + + SPF "fail" results can be used to reject messages during the SMTP + transaction based on either "MAIL FROM" or "HELO" identity results. + This reduces resource requirements for various content-filtering + methods and conserves bandwidth since rejection can be done before + the SMTP content is transferred. It also gives immediate feedback to + the sender, who might then be able to resolve the issue. Due to some + of the issues described in this section (Appendix G), SPF-based + rejection does present some risk of rejecting legitimate email when + rejecting email based on "MAIL FROM" results. + + SPF "fail" results can alternately be used as one input into a larger + set of evaluations that might, based on a combination of SPF "fail" + results with other evaluation techniques, result in the email being + marked negatively in some way (this might be via delivery to a + special spam folder, modifying subject lines, or other locally + determined means). Developing the details of such an approach has to + be based on local conditions and requirements. Using SPF results in + this way does not have the advantages of resource conservation and + immediate feedback to the sender associated with SMTP rejection, but + could produce fewer undesirable rejections in a well-designed system. + Such an approach might result in email that was not authorized by the + sending ADMD being unknowingly delivered to end users. + + Either general approach can be used, as they both leave a clear + disposition of emails; either they are delivered in some manner or + the sender is notified of the failure. Other dispositions such as + "dropping" or deleting email after acceptance are inappropriate + because they leave uncertainty and reduce the overall reliability and + utility of email across the Internet. + + + + + + +Kitterman Standards Track [Page 62] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + +G.3. Policy for SPF Permerror + + The "permerror" result (see Section 2.6.7) indicates that the SPF + processing module at the receiver determined that the retrieved SPF + policy record could not be interpreted. This gives no true + indication about the authorized use of the data found in the + envelope. + + As with all results, implementers have a choice to make regarding + what to do with a message that yields this result. SMTP allows only + a few basic options. + + Rejection of the message is an option, in that it is the one thing a + receiver can do to draw attention to the difficulty encountered while + protecting itself from messages that do not have a definite SPF + result of some kind. However, if the SPF implementation is defective + and returns spurious "permerror" results, only the sender is actively + notified of the defect (in the form of rejected mail), and not the + receiver making use of SPF. + + The less intrusive handling choice is to deliver the message, perhaps + with some kind of annotation of the difficulty encountered and/or + logging of a similar nature. However, this will not be desirable to + SPF verifier operators that wish to implement SPF checking as + strictly as possible, nor is this sort of passive reporting of + problems typically effective. + + There is of course the option of placing this choice in the hands of + the SPF verifier operator rather than the implementer since this kind + of choice is often a matter of local policy rather than a condition + with a universal solution, but this adds one more piece of complexity + to an already non-trivial environment. + + Both implementers and SPF verifier operators need to be cautious of + all choices and outcomes when handling SPF results. + +G.4. Policy for SPF Temperror + + The "temperror" result (see Section 2.6.6) indicates that the SPF + processing module at the receiver could not retrieve an SPF policy + record due to a (probably) transient condition. This gives no true + indication about the authorized use of the data found in the + envelope. + + As with all results, implementers have a choice to make regarding + what to do with a message that yields this result. SMTP allows only + a few basic options. + + + + +Kitterman Standards Track [Page 63] + +RFC 7208 Sender Policy Framework (SPF) April 2014 + + + Deferring the message is an option, in that it is the one thing a + receiver can do to draw attention to the difficulty encountered while + protecting itself from messages that do not have a definite SPF + result of some kind. However, if the SPF implementation is defective + and returns spurious "temperror" results, only the sender is actively + notified of the defect (in the form of mail rejected after it times + out of the sending queue), and not the receiver making use of SPF. + + Because of long queue lifetimes, it is possible that mail will be + repeatedly deferred for several days, and so any awareness that the + sender may have regarding a problem could be quite delayed. If + "temperrors" persist for multiple delivery attempts, it might be + preferable to treat the error as permanent and reduce the amount of + time the message is in transit. + + The less intrusive handling choice is to deliver the message, perhaps + with some kind of annotation of the difficulty encountered and/or + logging of a similar nature. However, this will not be desirable to + SPF verifier operators that wish to implement SPF checking as + strictly as possible, nor is this sort of passive reporting of + problems typically effective. + + There is of course the option of placing this choice in the hands of + the SPF verifier operator rather than the implementer since this kind + of choice is often a matter of local policy rather than a condition + with a universal solution, but this adds one more piece of complexity + to an already non-trivial environment. + + Both implementers and SPF verifier operators need to be cautious of + all choices and outcomes when handling SPF results. + +Author's Address + + Scott Kitterman + Kitterman Technical Services + 3611 Scheel Dr. + Ellicott City, MD 21042 + United States of America + + EMail: scott@kitterman.com + + + + + + + + + + + +Kitterman Standards Track [Page 64] + |