Yesterday, I discussed the Sender Permitted From (SPF) protocol that works in conjunction with existing e-mail
protocols to ensure that a person sending an e-mail on behalf of a given address has the right to do so.
Remember that SPF does not verify individual sender usernames; it only verifies that the e-mail being sent does in fact come from the domain in question. SPF has two requirements: the sending domain must publish a reverse MX record, and the receiving domain must perform the reverse MX lookup on in-coming mail.
This article will look at how to create the reverse MX record and how to add SPF support to Exchange.
You can create the reverse MX record by hand or through a wizard provided by the creators of the SPF RFC http://spf.pobox.com/wizard.html. The format of a typical reverse MX record is simple enough:
<domain-name>. IN TXT "v=spf1 a mx ptr -all"
In this example, <domain-name> is the domain name to publish a reverse MX record for. Note the trailing dot after the domain name; if you published the domain name foo.com, it would look like this:
foo.com. IN TXT "v=spr1 a mx ptr -all"
To add the appropriate reverse MX record to a server running Microsoft's DNS, follow these steps:
1. Open the DNS snap-in via Microsoft Management Console
2. Right-click the domain that you want to add an SPF record for.
3. Choose Other New Records.
4. Choose a record type of TXT.
5. Enter the SPF record to specify valid mail senders.
For other DNS servers, such as BIND or the free DNS server BIND-PE, you need to add the record manually.
Adding SPF support to Exchange is more difficult, since Exchange doesn't natively support this sort of lookup. It is possible to do this through an event sink, however, using the OnArrival event and an external SPF package. One such package, which is free, is http://www.wayforward.net/spf/, and is written in Python. The Win32 implementation for Python would allow this script to be implemented in the context of a WSH object, or from a command line (slower, but probably easier to debug). Another implementation possibility is to use a compiled object using one of the C libraries that supports SPF http://www.libspf.org/, and create a .DLL that does the trapping -- harder to program but ostensibly much faster.
One problem with SPF is that it breaks direct forwarding (where the envelope sender is preserved). Most of the time when a message is forwarded in Exchange, however, the original message is sent as an attachment, with the carrying message bearing the identity of the re-mailer, so this is usually not a problem. The SPF FAQ http://spf.pobox.com/faq.html contains details on how forwarding breaks in an SMTP/PIP environment, and how it can be preserved.
SPF's adoption has started very swiftly. America Online, one of the largest ISPs and also one of the biggest refuges for hit-and-run spammers, implemented SPF at the beginning of January 2004. Microsoft is also looking into implementing SPF, so a native Exchange solution may become available before long. Other folks who have shown interest in supporting SPF in their products include Qualcomm (makers of Eudora), the SpamAssassin spam filter, ActiveState (makers of PureMessage), MailArmory, and Declude JunkMail.
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter.