docker-mailserver/docs/content/config/best-practices/spf.md

From [Wikipedia](https://en.wikipedia.org/wiki/Sender_Policy_Framework):

> Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques.

For a more technical review: https://github.com/internetstandards/toolbox-wiki/blob/master/SPF-how-to.md

## Add a SPF record

To add a SPF record in your DNS, insert the following line in your DNS zone:

    ; MX record must be declared for SPF to work
    domain.com. IN  MX 1 mail.domain.com.

    ; SPF record
    domain.com. IN TXT "v=spf1 mx ~all" 

This enables the _Softfail_ mode for SPF. You could first add this SPF record with a very low TTL.  
_SoftFail_ is a good setting for getting started and testing, as it lets all email through, with spams tagged as such in the mailbox.

After verification, you _might_ want to change your SPF record to `v=spf1 mx -all` so as to enforce the _HardFail_ policy. See http://www.open-spf.org/SPF_Record_Syntax/ for more details about SPF policies.

In any case, increment the SPF record's TTL to its final value.

## Backup MX, Secondary MX

For whitelisting a IP-Address from the SPF test, you can create a config file (see [policyd-spf.conf](http://www.linuxcertif.com/man/5/policyd-spf.conf/)) and mount that file into `/etc/postfix-policyd-spf-python/policyd-spf.conf`.

**Example:**

Create and edit a policyd-spf.conf file here `/<your Docker-Mailserver dir>/config/postfix-policyd-spf.conf`:
```shell
debugLevel = 1 
#0(only errors)-4(complete data received)

skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1

# Preferably use IP-Addresses for whitelist lookups:
Whitelist = 192.168.0.0/31,192.168.1.0/30
# Domain_Whitelist = mx1.mybackupmx.com,mx2.mybackupmx.com

```
Then add this line to `docker-compose.yml` below the `volumes:` section

```yaml
- ./config/postfix-policyd-spf.conf:/etc/postfix-policyd-spf-python/policyd-spf.conf
```
Updated Configure SPF (markdown) 2016-04-24 17:55:39 +02:00			`From [Wikipedia](https://en.wikipedia.org/wiki/Sender_Policy_Framework):`
Updated Configure SPF (markdown) 2016-04-24 17:46:45 +02:00
Created Configure SPF (markdown) 2016-04-24 17:46:33 +02:00			> Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques.

Updated Configure SPF (markdown) 2020-06-01 02:53:42 +02:00			`For a more technical review: https://github.com/internetstandards/toolbox-wiki/blob/master/SPF-how-to.md`

Updated Configure SPF (markdown) 2020-06-01 02:54:02 +02:00			`## Add a SPF record`

Created Configure SPF (markdown) 2016-04-24 17:46:33 +02:00			`To add a SPF record in your DNS, insert the following line in your DNS zone:`

Updated Configure SPF (markdown) 2020-06-01 02:31:12 +02:00			`; MX record must be declared for SPF to work`
Created Configure SPF (markdown) 2016-04-24 17:46:33 +02:00			`domain.com. IN MX 1 mail.domain.com.`

Updated Configure SPF (markdown) 2020-06-01 02:31:12 +02:00			`; SPF record`
Created Configure SPF (markdown) 2016-04-24 17:46:33 +02:00			`domain.com. IN TXT "v=spf1 mx ~all"`

Updated Configure SPF (markdown) 2020-06-01 02:31:12 +02:00			`This enables the _Softfail_ mode for SPF. You could first add this SPF record with a very low TTL.`
			`_SoftFail_ is a good setting for getting started and testing, as it lets all email through, with spams tagged as such in the mailbox.`
Updated Configure SPF (markdown) 2019-08-23 20:31:33 +02:00
Updated Configure SPF (markdown) 2020-06-01 02:42:55 +02:00			After verification, you _might_ want to change your SPF record to `v=spf1 mx -all` so as to enforce the _HardFail_ policy. See http://www.open-spf.org/SPF_Record_Syntax/ for more details about SPF policies.
Updated Configure SPF (markdown) 2019-08-23 20:31:33 +02:00
Updated Configure SPF (markdown) 2020-06-01 02:31:12 +02:00			`In any case, increment the SPF record's TTL to its final value.`
Updated Configure SPF (markdown) 2018-02-09 22:16:48 +01:00
			`## Backup MX, Secondary MX`

Updated Configure SPF (markdown) 2020-06-01 02:31:12 +02:00			For whitelisting a IP-Address from the SPF test, you can create a config file (see [policyd-spf.conf](http://www.linuxcertif.com/man/5/policyd-spf.conf/)) and mount that file into `/etc/postfix-policyd-spf-python/policyd-spf.conf`.
Updated Configure SPF (markdown) 2018-02-09 22:16:48 +01:00
			`Example:`

			Create and edit a policyd-spf.conf file here `/<your Docker-Mailserver dir>/config/postfix-policyd-spf.conf`:
			```shell
			`debugLevel = 1`
			`#0(only errors)-4(complete data received)`

			`skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1`

			`# Preferably use IP-Addresses for whitelist lookups:`
			`Whitelist = 192.168.0.0/31,192.168.1.0/30`
			`# Domain_Whitelist = mx1.mybackupmx.com,mx2.mybackupmx.com`

			```
			Then add this line to `docker-compose.yml` below the `volumes:` section

			```yaml
			`- ./config/postfix-policyd-spf.conf:/etc/postfix-policyd-spf-python/policyd-spf.conf`
			```