docker
/
docker-mailserver
mirror of https://github.com/tomav/docker-mailserver.git
1
0
Fork 0
Code Issues Releases Wiki Activity
Page: Configure SPF
Pages
Configure AWS SES Configure Accounts Configure Aliases Configure DKIM Configure DMARC Configure Fail2ban Configure LDAP Configure POP3 Configure Relay Hosts Configure SPF Configure SSL Configure Sieve filters Configure autodiscover Debugging FAQ and Tips Forward Only mailserver with LDAP authentication Full text search Home IPv6 Installation Examples Introduction List of optional config files & directories Override Default Dovecot Configuration Override Default Postfix Configuration Retrieve emails from a remote mail server (using builtin fetchmail) Understanding the ports Update and cleanup Using in Kubernetes setup.sh
9 Configure SPF
Jean-Denis Vauguet edited this page 2020-06-01 02:54:02 +02:00
Table of Contents

From Wikipedia:

Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques.

For a more technical review: https://github.com/internetstandards/toolbox-wiki/blob/master/SPF-how-to.md

Add a SPF record

To add a SPF record in your DNS, insert the following line in your DNS zone:

; MX record must be declared for SPF to work
domain.com. IN  MX 1 mail.domain.com.

; SPF record
domain.com. IN TXT "v=spf1 mx ~all"

This enables the Softfail mode for SPF. You could first add this SPF record with a very low TTL.
SoftFail is a good setting for getting started and testing, as it lets all email through, with spams tagged as such in the mailbox.

After verification, you might want to change your SPF record to v=spf1 mx -all so as to enforce the HardFail policy. See http://www.open-spf.org/SPF_Record_Syntax/ for more details about SPF policies.

In any case, increment the SPF record's TTL to its final value.

Backup MX, Secondary MX

For whitelisting a IP-Address from the SPF test, you can create a config file (see policyd-spf.conf) and mount that file into /etc/postfix-policyd-spf-python/policyd-spf.conf.

Example:

Create and edit a policyd-spf.conf file here /<your Docker-Mailserver dir>/config/postfix-policyd-spf.conf:

debugLevel = 1 
#0(only errors)-4(complete data received)

skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1

# Preferably use IP-Addresses for whitelist lookups:
Whitelist = 192.168.0.0/31,192.168.1.0/30
# Domain_Whitelist = mx1.mybackupmx.com,mx2.mybackupmx.com

Then add this line to docker-compose.yml below the volumes: section

- ./config/postfix-policyd-spf.conf:/etc/postfix-policyd-spf-python/policyd-spf.conf

© Docker Mailserver Organization

This project is licensed under the MIT license.