You got rights to send that? New protocol is watching

"Sender Permitted From," or SPF, is a new protocol that works in conjunction with existing e-mail protocols to insure that a person sending an e-mail on behalf of a given address has the right to do so.

SPF is basically a reverse MX record for Domain Name System (DNS). Normally, a domain publishes an MX record to tell the world what machines can receive e-mail for a given domain. SPF lets the same domain publish a record to tell the world what machines send mail from the domain. Computers that receive e-mail can then check incoming mail (during the POP3 conversation) against the SPF record to make sure the mail is indeed coming from the domain it's allegedly written from.

Using SPF can prevent messages from being sent illegally on behalf of another domain, and may in turn reduce the amount of e-mail with forged or misleading headers. Most spam is sent in this fashion, so SPF can be part of a multi-pronged attack against spam, including DNS blacklisting and Bayesian filtering.

By default, e-mail has a massive security hole: anyone can send e-mail claiming to be anyone. A user at isp.org could send e-mails claiming to be from rootbox.net. SPF is intended to close that hole over with a minimum of problems. Although SPF does break one piece of standard e-mail functionality—direct forwarding. I'll get into more detail on this in tomorrow's article.

SPF does not verify individual sender usernames. In other words, it does not perform a lookup to verify that the sender of the e-mail does in fact have a valid e-mail account at the originating domain. It only verifies that the e-mail being sent does in fact come from the domain in question.

SPF requires two things:
1. The sending domain must publish a reverse MX record.
2. The receiving domain must perform the reverse MX lookup on in-coming mail.

Participating in SPF is free and voluntary, and once installed it does not need to be maintained except in the sense that one's event sink filter or other SPF lookup system might need bug fixes.

The reverse MX record, once published, does not need to be changed. Usually any domain that is doing one will do the other. Implementing the first in a system running Windows 2000/2003 Server is easy enough, but having Microsoft Exchange perform an SPF lookup is not something Exchange can perform natively yet. But even if you can't implement SPF checks on your incoming e-mail, publishing an SPF record for your domain will prevent others from using your domain name illegitimately.

Part two. How to create the reverse MX record and how to add SPF support to Exchange. Click here

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter. Check out site for his latest advice and musings on the world of Windows network administrators; please share your thoughts as well!

Rate this Tip To rate tips, you must be a member of SearchExchange.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Exchange Security Tips Use the OWA Admin tool to 'segment' Outlook Web Access 2003 features Why are .PST files a security threat to Exchange Server mailboxes? OWA won't load after applying Exchange 2007 SP1 security patch Minimize remote and mobile Outlook Web Access (OWA) security risks Grant or deny permissions to access a user's Exchange 2007 mailbox Create a global Safe Senders List in Exchange 2007 to filter spam Migrating antispam settings from Exchange 2003 to Exchange 2007 Deploying ISA Server as a firewall for Exchange Server mobile devices How to customize OWA authentication logon in Exchange Server 2003 Exchange 2007 out-of-office (OOF) feature adds usability and security Antispam Software and Spam Filtering Secure Edge Transport servers using the Security Configuration Wizard Create a global Safe Senders List in Exchange 2007 to filter spam Migrating antispam settings from Exchange 2003 to Exchange 2007 The six-layered secret of effective Exchange Server email filtering Top 10 Exchange, Microsoft Outlook and OWA email security tips of 2007 Troubleshoot Microsoft Outlook email delivery problems Microsoft Outlook and Exchange Server 2003 Email Security Guide Top 5 Exchange Intelligent Message Filter add-on tools Locate 'missing' SPF record on an external DNS domain Native Exchange Server 2003 antispam solutions Antispam Software and Spam Filtering Research Email Protocols How Exchange Server performs Active Directory LDAP queries Enabling protocol logging for Exchange Server How HTTP verbs can 'hang' Outlook Web Access Establishing a direct Microsoft Outlook connection using RPC over HTTP Should I be concerned with a large number of user HTTP logons? Receiving MAPI error after uninstalling Outlook on SBS and Exchange Why HTTP can hurt Exchange ActiveSync attachments Exchange Server mailbox-level MAPI backups A primer on messaging standards: NNTP, X.400 and LDAP 8004010F MAPI not found error with Exchange 2003 RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary greylist  (SearchExchange.com) hash buster  (SearchExchange.com) image spam  (SearchExchange.com) KnujOn  (SearchExchange.com) Sender ID  (SearchExchange.com) spam confidence level  (SearchExchange.com) spamblock  (SearchExchange.com) spim  (SearchExchange.com) tarpitting  (SearchExchange.com) teergrube  (SearchExchange.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.