Tuesday, August 25, 2009

Sender Policy Framework (SPF)

SkyHi @ Tuesday, August 25, 2009
Sender Policy Framework (SPF) is an e-mail authentication system designed to prevent E-mail source address spoofing common in e-mail spam that results in backscatter. SPF allows domain owners to specify which Internet hosts are allowed to send e-mail claiming to originate from that domain by creating a specific DNS TXT record. Mail exchangers that use SPF check the sender's identity against the DNS record's contents and reject the message if it does not comply.

Principles of operation
Further information: Sender Rewriting Scheme (SRS)

Normal SMTP allows any computer to send an e-mail claiming to be from anyone. Thus, it is easy for spammers to send e-mail from forged addresses. This makes it difficult to trace back to where the spam truly comes from, and easy for spammers to hide their true identity in order to avoid responsibility. Many believe that the ability for anyone to forge sender addresses (also known as Return-Paths) is a security flaw in modern SMTP, caused by an undesirable side-effect of the deprecation of source routes.

SPF allows the owner of an Internet domain to use special format of DNS records ("SPF", type 99) to specify which machines are authorized to transmit e-mail for that domain. For example, the owner of the example.org domain can designate which machines are authorized to send e-mail whose sender e-mail address ends with "@example.org". Receivers checking SPF can reject messages from unauthorized machines before receiving the body of the message. Thus, principles of operations are quite similar to those of DNSBL, except that SPF leverages the authority delegation scheme of the real Domain Name System. Early implementations used TXT records for quick deployment before the new type was available in many server programs. Use of TXT records for SPF as a transitional mechanism, although still common in 2009, is deprecated.

The sender address is transmitted at the beginning of the SMTP dialog. If the server rejects the sender, the unauthorized client should receive a rejection message, and if that client was a relaying MTA, a bounce message to the original sending address may be generated. If the server accepts the sender, and subsequently also accepts the recipient(s) and the body of the message, it should insert a Return-Path header in the message's body in order to save the sender address. While the address in the Return-Path often matches other originator addresses in the mail header like "From:" or "Sender:" this is not necessarily the case, and SPF does not prevent forgeries of these other addresses.

Spammers can send e-mail with an SPF PASS result if they have an account in a domain with a sender policy, or abuse a compromised system in this domain. However, doing so makes the spammer easier to trace and prosecute.

The main benefit of SPF is to people whose e-mail addresses are forged in the Return-Paths. They receive a large mass of unsolicited error messages and other auto-replies, making it difficult to use e-mail normally. If such people use SPF to specify their legitimate sending IPs with a FAIL result for all other IPs, receivers checking SPF can reject forgeries, thus reducing or eliminating the amount of backscatter.

SPF has potential advantages beyond helping identify unwanted e-mail. In particular, if a sender provides SPF information, then receivers can use SPF PASS results in combination with a white list to identify known reliable senders. Scenarios like compromised systems and shared sending mailers limit this use.

[edit] Reasons to implement

By implementing an SPF record, spammers and phishers are less likely to choose your domain as their ‘cover’ domain, because emails they send spoofing your domain are more likely to be caught in spam filters. In the event that a spammer does choose to use your domain, those emails are less likely to be delivered to domains checking your SPF record, and these rejections may reduce the amount of spam delivered to inboxes. [1]

Now, because

* your domain is less likely to be used by a spammer,
* if your domain is used by a spammer, the emails are far more likely to get blocked, and
* you help lessen the amount of overall spam on the internet,

the rationale to implement SPF records extends to:

* your domain is less likely to be blacklisted by bayesian spam filters, and
* your genuine email is more likely to get through spam filters.

[edit] FAIL and forwarding

SPF does not allow plain message forwarding. When a domain publishes an SPF FAIL policy, then legitimate mails sent to receivers forwarding their mail to third parties can be rejected and bounced if

1. the forwarder does not rewrite the Return-Path, unlike mailing lists,
2. the next hop does not white list the forwarder, and
3. this hop checks SPF.

This is a necessary and obvious feature of SPF – checks behind the "border" MTA (MX) of the receiver cannot work directly.

Publishers of SPF FAIL policies must accept this potential problem. They should test (e.g., with a SOFTFAIL policy) until they are satisfied with the results. See below for a list of alternatives to plain message forwarding.

[edit] HELO tests

For an empty Return-Path as used in error messages and other auto-replies, an SPF check of the HELO-identity is mandatory.

With a bogus HELO identity the result NONE would not help, but for valid host names SPF also protects the HELO identity. This SPF feature was always supported as an option for receivers, and later SPF drafts including the final specification recommend to check the HELO always.

This allows to white list sending mailers based on a HELO PASS, or to reject all mails after a HELO FAIL. It can also be used in reputation systems (any white or black list is a simple case of a reputation system).

[edit] Implementation

Compliance with SPF consists of three loosely related tasks:

Publish a policy
Domains identify the machines authorized to send e-mail on their behalf. Domains do this by adding additional records to their existing DNS information: every domain name that has an A record or MX record deserves an SPF record specifying the policy if it is used either in an email address or as HELO/EHLO argument.
Check and use SPF information
Receivers use ordinary DNS queries, which are typically cached to enhance performance. Receivers then interpret the SPF information as specified and act upon the result.
Revise mail forwarding
Plain mail forwarding is not allowed by SPF. The alternatives are

* remailing, i.e. replacing the original sender with one belonging to the local domain,
* refusing, i.e. answering 551 User not local; please try ,
* whitelisting on the target server, so that it will not refuse a forwarded message, and
* Sender Rewriting Scheme, a more complicated mechanism that handles routing non-delivery notifications to the original sender.

Thus, the key issue in SPF is the specification for the new DNS information that domains set and receivers use. The records are laid out like this (in typical DNS-syntax):

example.org. IN SPF "v=spf1 a mx -all"

"v=" defines the version of SPF used. The following words provide mechanisms to use to determine if a domain is eligible to send mail. The "a" and "mx" specify the systems permitted to send messages for the given domain. The "-all" at the end specifies that, if the previous mechanisms did not match, the message should be rejected.

[edit] Mechanisms

Eight mechanisms are defined:
ALL Matches always, used for a default result like -all for all IPs not matched by prior mechanisms.
A If the domain name has an A (or AAAA for IPv6) record corresponding to the sender's address, it will match. (That is, the mail comes directly from the domain name.)
IP4 If the sender is in a given IPv4 range, match.
IP6 If the sender is in a given IPv6 range, match.
MX If the domain name has an MX record resolving to the sender's address, it will match. (That is, the mail comes from one of the domain's mail servers.)
PTR If the Forward Confirmed reverse DNS domain of the sending IP ending in the domain name.
EXISTS If the given domain resolves, match (no matter the address it resolves to). This is rarely used. Along with the SPF macro language it offers more complex matches like DNSBL-queries.
INCLUDE If the included (a misnomer) policy passes the test this mechanism matches. This is typically used to include policies of more than one ISP.

[edit] Qualifiers

Each mechanism can be combined with one of four qualifiers:

* + for a PASS result. This can be omitted; e.g., +mx is the same as mx.
* ? for a NEUTRAL result interpreted like NONE (no policy).
* ~ for SOFTFAIL, a debugging aid between NEUTRAL and FAIL.
* - for FAIL, the mail should be rejected (see below).

[edit] Modifiers

The modifiers allow for future extensions to the framework. To date only the two modifiers defined in the RFC 4408 have been widely deployed:

exp=some.example.com gives the name of a domain with a DNS TXT record (interpreted using SPF's macro language) to get an explanation for FAIL results – typically a URL which is added to the SMTP error code. This feature is rarely used.

redirect=some.example.com can be used instead of the ALL-mechanism to link to the policy record of another domain. This modifier is easier to understand than the somewhat similar INCLUDE-mechanism.

[edit] Error handling

As soon as SPF implementations detect syntax errors in a sender policy they must abort the evaluation with result PERMERROR. Skipping erroneous mechanisms cannot work as expected, therefore include:bad.example and redirect=bad.example also cause a PERMERROR.

Another safety guard is the maximum of ten mechanisms querying DNS, i.e. any mechanism except from IP4, IP6, and ALL. Implementations can abort the evaluation with result SOFTERROR when it takes too long or a DNS query times out, but they must return PERMERROR if the policy directly or indirectly needs more than ten queries for mechanisms. Any redirect= also counts towards this processing limit.

A typical SPF HELO policy v=spf1 a -all may execute up to three DNS queries: (1) SPF, (2) TXT (depreciated, but for backwards compatability during the transition), and (3) A or AAAA. This last query counts as the first mechanism towards the limit (10). In this example it is also the last, because ALL needs no DNS lookup.

[edit] Caveats

SPF avoids abuses of domain names; it does not validate that a given e-mail actually comes from the claimed user. Users within a given domain can forge each others' address ("cross-user forgery" or even "cross-domain" forgery where outbound mail servers are shared), if permitted by the signature process.

[edit] SPF FAIL rejection

SPF FAIL policies can be an effective but dangerous tool. Some publishers of SPF policies try to avoid the dangers by using SOFTFAIL (designed for limited testing periods) instead of FAIL. But SOFTFAIL can be even more dangerous than FAIL with receivers rejecting FAIL and accepting SOFTFAIL tagged as potential junk.

A reject in a forwarding scenario is a clean decision. The forwarder will send an error message to the address in the Return-Path. Typically the error message (bounce) contains an explanation of the SMTP error and the failing (forwarded to) address. The original sender can then send his mail again directly to this address bypassing the forwarder, a crude emulation of the normal SMTP error code 551 user not local.

However, an accepted SOFTFAIL tagged as potential junk could be deleted by the final recipient. This is a user who has arranged his forwarding in a way that cannot work with SPF; this user could also be careless with checking his potential junk and simply delete it.

The same line of argument also suggests that receivers should take the SPF recommendation to reject SPF FAIL seriously where possible. Accepting SPF FAIL results as potential junk can be more dangerous than simply rejecting FAILed mails. While senders with an SPF FAIL can be expected to know what it means, the same is obviously not the case for a receiver arranging his forwarding in a way that cannot work with SPF.

[edit] Checkpoints

Checking SPF behind the "border" MTA (MX) is not impossible; the relevant info is usually noted in a Received timestamp line added by one of the MXs of the receiver. But at this time it is too late to reject SPF FAIL; the checking entity can essentially only delete FAILing mail.

Experts should be able to get this right, but it is no "plug and play" situation; therefore the SPF specification recommends to check SPF only at the "border" (MX) in the SMTP session, not later. Later SPF checks can also have unexpected results if the publishers of sender policies do not plan modifications of their policy carefully with regard to DNS cache expiration.

[edit] DoS attack

An Internet draft[2] discussed concerns related to the scale of an SPF answer leading to network exploits as a means to corrupt the DNS. This issue is also covered in the security considerations of the SPF RFC. The SPF project did a detailed analysis [3] of this draft and claimed that SPF does not pose any unique threat of DNS DoS.

Reference: http://en.wikipedia.org/wiki/Sender_Policy_Framework