SPF

You are probably visiting this page because a message was blocked by an instance of the Halon MTA with an SPF error along the lines of

1.2.3.4 does not pass SPF checks for example.com

Short answer

The message was blocked because of a misconfiguration in the sender's e-mail system. The example error above can be read as follows: the sending server 1.2.3.4 was not allowed to send e-mail as @example.com according to example.com's SPF settings.

How you should deal with this depends on who you are:

  • If you are the sender of the original e-mail (example.com in the example above) you should contact your administrator (organization's IT department), because it's most likely your fault
  • If you were the intended recipient of the original e-mail or a user of the anti-spam system that blocked it, you don't need to do anything at all; it's most likely not your fault

Long answer

SPF (Sender Policy Framework) is an e-mail validation system designed to prevent spam by detecting e-mail spoofing, a common attack, through verification of the sending server's IP address.

In other words, the sender (example.com in the example above) publishes in the domain's DNS which IP addresses the organization uses for sending e-mail. If someone tries to send (spoof) an e-mail from an IP address not listed in the DNS (1.2.3.4 in the example above), the message should be rejected.

As a consequence, the owner of an anti-spam system that receives an e-mail that violates SPF shouldn't do anything to resolve this; it's the sender's responsibility.

The SPF record for a domain can be viewed by looking at its text (TXT) records, for example by running

host -t txt example.com

in Unix-like operating systems such as Mac OS X, or, in Microsoft Windows, by running

nslookup
set type=txt
example.com

The SPF looks good, but messages are still rejected

There are a few common mistakes in the anti-spam system configuration that could cause SPF errors, even if the sender is not to blame.

Trusted forwarders

The most common reason is message relaying, or forwarding. If you notice SPF errors with internal IP addresses, or servers that you are the operator of, you should probably add those to the SPF module's "trusted forwarder" list.
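As an added illustration (not code from Halon or from this page) of the check behind the error above, here is a minimal SPF evaluator in Python covering the ip4, ip6, include and all mechanisms, together with the trusted-forwarder exemption described in this section. The TXT records, IP addresses and trusted forwarder list are constructed for the example and are not real data.

```python
import ipaddress

# Constructed TXT records standing in for DNS answers (not real example.com data).
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None if absent."""
    recs = [r for r in DNS_TXT.get(domain, []) if r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, depth=0):
    """Evaluate the record's mechanisms left to right; return an SPF result string."""
    if depth > 10:  # guard against include loops
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            # Membership is False when address and network families differ.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            # An include only matches when the referenced domain yields "pass".
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qual]
        # a, mx, ptr, exists and modifiers are left out of this illustration.
    return "neutral"


TRUSTED_FORWARDERS = {"10.0.0.5"}  # constructed: an internal relay we operate


def should_reject(client_ip, mail_from_domain, trusted=TRUSTED_FORWARDERS):
    """Receiving side: skip the check for our own relays, reject only on a hard fail."""
    if client_ip in trusted:
        return False, "skipped (trusted forwarder)"
    result = check_host(client_ip, mail_from_domain)
    if result == "fail":
        return True, f"{client_ip} does not pass SPF checks for {mail_from_domain}"
    return False, result
```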

Faulty DNS servers

If the anti-spam system uses a DNS server that responds with faulty or truncated responses, messages could be erroneously blocked. One easy way to detect truncated responses is to make a DNS lookup of a domain that has many IP addresses, such as google.com, and see how many are returned. Some Windows DNS servers are configured to return at most something like four records. In other words: if google.com only returns four IP addresses, your DNS is faulty. If so, change DNS server or fix it.