Sender Policy Framework (SPF)

Published on 16 Feb 2025. Filed in Projects. 487 words

Sender Policy Framework (SPF) is a method for verifying that the mail server sending an email is authorized to send mail on behalf of the sender's domain.

The receiving SMTP server takes the domain from the Return-Path of the received email and queries that domain's DNS for a TXT record. This record lists the IP addresses of the mail servers that the domain owner has authorized to send mail on behalf of the domain.

The record also tells the receiving SMTP server whether to accept, reject or mark as spam a message that fails the SPF check, that is, a message whose sending SMTP server has an IP address that matches none of the addresses retrieved from the TXT record.

Create an SPF Record in DNS

Let's create a new TXT record in DNS to tell the receiving SMTP server which IP addresses are allowed to send mail for your domain:

  TXT  @   v=spf1 mx ~all
  • TXT: Indicates this is a TXT record.
  • @: Represents the domain itself.
  • v=spf1: Identifies the record as an SPF record of version SPF1.
  • mx: Allows every host listed in the domain's MX records to send email for your domain; hosts not matched here fall through to the final all mechanism.
  • ~all: Indicates that email from your domain should only come from the hosts specified in the record. Email from any other host is flagged as untrustworthy (soft fail). Possible alternatives are +all, -all and ?all (for example, -all means email sent from non-authorized hosts should be rejected and never reach the recipient's inbox or spam folder).
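As an added example that is not part of the original post, the following Python sketches the check a receiving server performs: it parses a v=spf1 record and evaluates the mx, a, ip4 and all mechanisms with their +, -, ~ and ? qualifiers against the sending IP. DNS is replaced by a constructed in-memory table (FAKE_DNS) so it runs offline; real SPF (RFC 7208) has further mechanisms (include, exists, redirect, macros, lookup limits) that this omits.

```python
import ipaddress

# Constructed stand-in for DNS (not real hosts). A receiving SMTP server
# would obtain these MX, A and TXT answers with live DNS queries.
FAKE_DNS = {
    "MX": {"example.com": ["mail1.example.com", "mail2.example.com"]},
    "A": {
        "mail1.example.com": ["192.0.2.10"],
        "mail2.example.com": ["192.0.2.11"],
        "example.com": ["192.0.2.1"],
    },
    "TXT": {
        "example.com": ["v=spf1 mx ip4:198.51.100.0/24 ~all"],  # soft fail
        "strict.example": ["v=spf1 a:mail1.example.com -all"],  # hard fail
    },
}

# Qualifier prefix -> SPF result; an unprefixed mechanism means "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain, dns=FAKE_DNS):
    """Return the domain's single v=spf1 TXT record, or None if absent/ambiguous."""
    found = [t for t in dns["TXT"].get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    return found[0] if len(found) == 1 else None


def check_spf(sender_ip, domain, dns=FAKE_DNS):
    """Evaluate mechanisms left to right; the first one that matches decides."""
    record = spf_record(domain, dns)
    if record is None:
        return "none"  # nothing to check against
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True  # catch-all: ~all, -all, +all, ?all
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in dns["A"].get(arg or domain, [])
        elif name == "mx":
            hosts = dns["MX"].get(arg or domain, [])
            matched = any(str(ip) in dns["A"].get(h, []) for h in hosts)
        else:
            return "permerror"  # mechanism this sketch does not implement
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without an 'all' term
```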

To check if your SPF record is propagated on the Internet, query a DNS server for your domain's TXT record:

  dig your-domain.com txt

SPF Check for Incoming Emails

We have created a TXT record in DNS so that SMTP servers receiving our email can verify that it came from our authorized SMTP servers. Now we need to tell our own Postfix server to perform the same check before accepting incoming mail.

Install the required SPF policy package:

  sudo apt install postfix-policyd-spf-python

Then edit the Postfix master process configuration file:

  sudo nano /etc/postfix/master.cf

Add the following lines at the end of the file; they tell Postfix to spawn the SPF policy daemon when Postfix itself starts:

  policyd-spf  unix  -       n       n       -       0       spawn
      user=policyd-spf argv=/usr/bin/policyd-spf

Save and close the file. Next, edit the Postfix main configuration file:

  sudo nano /etc/postfix/main.cf

Append the following lines at the end of the file. The first line sets the timeout for the Postfix policy agent. The remaining lines restrict incoming email by checking the sender domain's SPF record:

  policyd-spf_time_limit = 3600
  smtpd_recipient_restrictions =
     reject_unauth_destination,
     check_policy_service unix:private/quota-status,
     check_policy_service unix:private/policyd-spf

Save and close the file, then restart Postfix:

  sudo systemctl restart postfix

The next time you receive an email from a domain that publishes an SPF record, the result of the check appears in the raw message headers. The following header shows that the message was sent from an authorized host:

  Received-SPF: Pass (sender SPF authorized).