SPF for Gentoo.org
Sender Policy Framework (SPF) is a way to fight return-path address forgery
and makes it easier to identify spoofed addresses. It is NOT a spam fighting
tool in and of itself. The technology is merely a way to stop one loophole
spammers use: source address spoofing.
SPF uses DNS to give mail administrators a way to tell other mail
administrators what MTAs are allowed to send mail for their particular domain.
Essentially, SPF allows us to say, "hey, here are the mail servers that send
mail for gentoo.org."
Other mail administrators can then use that information to make their own
decisions about what to do with mail that does or does not come from one of
For Gentoo, our SPF record is currently:
Code Listing 1.1: gentoo.org SPF record
v=spf1 mx ptr ?all
Which breaks down as:
- v=spf1: use the first version of SPF
- mx: anything that is listed as an MX record for gentoo.org is OK
- ptr: any host that ends in gentoo.org is OK (requires a PTR record to be in place)
- ?all: if you receive an email from an MTA not on this list, please treat it neutrally (i.e. do not make decisions based solely on this fact)
The ?all is intended to be a transitional phase, with the ultimate goal being
to move to ~all or even -all, which are more definitive.
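As an added illustration (not code from the original page or from Gentoo), the following Python evaluates a record of this shape against a constructed, made-up DNS table, so you can see how the same non-listed sending host ends up neutral under ?all but softfail or fail under ~all or -all. The hostnames and addresses are placeholders, not Gentoo's real records, and only the mx, ptr and all mechanisms used on this page are implemented.

```python
# Constructed stub DNS data (placeholders, not real gentoo.org records) so the
# example runs offline. 192.0.2.x / 198.51.100.x are documentation ranges.
DNS = {
    "MX": {"gentoo.org": ["smtp.gentoo.org"]},
    "A": {"smtp.gentoo.org": "192.0.2.10", "dev.gentoo.org": "192.0.2.20",
          "mail.example.net": "198.51.100.5"},
    "PTR": {"192.0.2.10": "smtp.gentoo.org", "192.0.2.20": "dev.gentoo.org",
            "198.51.100.5": "mail.example.net"},
}

# SPF qualifiers and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def mx_match(domain, ip):
    """mx: the sending IP is the address of one of the domain's MX hosts."""
    return any(DNS["A"].get(host) == ip for host in DNS["MX"].get(domain, []))

def ptr_match(domain, ip):
    """ptr: the IP's reverse name ends in the domain and resolves back to the IP
    (the forward confirmation is what stops a forged PTR from matching)."""
    name = DNS["PTR"].get(ip)
    if name is None:
        return False
    in_domain = name == domain or name.endswith("." + domain)
    return in_domain and DNS["A"].get(name) == ip

def check_spf(record, domain, ip):
    """Evaluate an spf1 record for a sending IP, first matching term wins.
    Returns pass, fail, softfail or neutral; permerror on unsupported input."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        else:
            qualifier, mech = "+", term        # bare mechanism means "+"
        if mech == "all":
            matched = True
        elif mech == "mx":
            matched = mx_match(domain, ip)
        elif mech == "ptr":
            matched = ptr_match(domain, ip)
        else:
            return "permerror"                 # mechanism outside this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"   # no term matched and no "all": neutral by definition
```

A receiver such as SpamAssassin maps these results to its own tests (the page's SPF_NEUTRAL corresponds to the "neutral" outcome); the record only supplies the information.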
Some people have objected to the fact that SpamAssassin adds ~1 to the overall
spam score for ?all records. SPF is a tool and, like any other tool,
people can do smart things with it and they can do stupid things with it. This
is not saying the SA developers are stupid -- merely that they've chosen to use
the tool a certain way that conflicts with what the SPF standard calls for. As
you can tell from the SA test name (SPF_NEUTRAL), SPF calls for records using
?all to treat MTAs sending mail on behalf of that domain neutrally. SPF
should not be faulted if SA chooses to go another route.
SA provides users with ways of overriding or ignoring this score on a per-user
basis if they wish.
Finally, it is possible to send a mail From: a gentoo.org email address using
a non-gentoo.org SMTP server and not run afoul of SA's SPF_NEUTRAL scoring.
You can see an example here:
Code Listing 1.2: Sending an email From: a gentoo.org address using a gmail account
Received: from localhost (localhost [127.0.0.1])
by mail.domain.com (Postfix) with ESMTP id 7BE6EE84021
for <firstname.lastname@example.org>; Wed, 8 Nov 2006 14:48:57 +0000 (UTC)
X-Spam-Status: No, score=-2.546 required=5.5 tests=[AWL=0.054,
Received: from mail.domain.com ([127.0.0.1])
by localhost (mail.domain.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id x00PknmR5qfc for <email@example.com>;
Wed, 8 Nov 2006 14:48:11 +0000 (UTC)
Received: from nf-out-0910.google.com (nf-out-0910.google.com [126.96.36.199])
by mail.domain.com (Postfix) with ESMTP id 867C6E84022
for <firstname.lastname@example.org>; Wed, 8 Nov 2006 14:48:06 +0000 (UTC)
Received: by nf-out-0910.google.com with SMTP id l23so207071nfc
for <email@example.com>; Wed, 08 Nov 2006 06:48:05 -0800 (PST)
Received: by 10.48.254.10 with SMTP id b10mr2288936nfi.1162997285044;
Wed, 08 Nov 2006 06:48:05 -0800 (PST)
Received: by 10.49.39.10 with HTTP; Wed, 8 Nov 2006 06:48:04 -0800 (PST)
Date: Wed, 8 Nov 2006 08:48:04 -0600
Subject: check spam scores
which shows a mythical developer sending an email From: firstname.lastname@example.org
using his gmail account. Note that the SA score is actually reduced due to SPF
in this particular case.
Additionally, as has been the case for months, we allow developers to relay
(via aSMTP) their outbound gentoo.org mail through dev.gentoo.org if they so
choose, which also works around the specific issue with SA.
Again, SPF is a tool. Nothing more, nothing less. All we do is provide
information to other mail administrators. How they decide to use it is up to