Spfhelo, spfmailfrom, spfnone, spfrcptto Channel Options

From Messaging Server Technical Reference Wiki


SPF DNS lookups (spfhelo, spfmailfrom, spfnone, spfrcptto)

New in MS 6.3-0.15. The spfhelo, spfmailfrom, and spfrcptto channel options, when placed on a source TCP/IP channel, cause the MTA to attempt an SPF lookup at the corresponding stage of the SMTP dialogue. spfnone, the default, disables such SPF lookups.

With spfhelo set (so that SPF verification of the claimed EHLO/HELO domain is attempted), possible SMTP error results (rejections) are:


451 4.4.3 Temporary error in SPF verification of HELO domain
500 5.5.2 Temporary error in SPF verification of HELO domain
451 4.4.3 Permanent error in SPF verification of HELO domain
500 5.5.2 Permanent error in SPF verification of HELO domain
451 4.3.0 SPF verification failed
451 4.3.0 SPF verification failed: explanation
550 5.7.1 SPF verification failed
550 5.7.1 SPF verification failed: explanation

The specific cases are as follows. How the result of an SPF lookup is interpreted is controlled by MTA options such as spf_smtp_status_temperror and spf_smtp_status_permerror. Each of these options can take the value 2 (ignore the error condition), 4 (treat it as a temporary error), or 5 (treat it as a permanent error). Normally a temporary SPF lookup error is treated as a temporary error and a permanent SPF lookup error as a permanent error, which corresponds to setting spf_smtp_status_temperror to 4 and spf_smtp_status_permerror to 5. Thus, when the SPF lookup returns a temporary error, setting spf_smtp_status_temperror to 2, 4, or 5 controls, respectively, whether that lookup problem is ignored (considered okay), results in a temporary error such as (in this example, when spfhelo is set):


451 4.4.3 Temporary error in SPF verification of HELO domain

or a permanent error such as (in this example, when spfhelo is set):


500 5.5.2 Temporary error in SPF verification of HELO domain

Similarly, when the SPF lookup returns a permanent error, setting spf_smtp_status_permerror to 2, 4, or 5 controls, respectively, whether that permanent error is ignored (considered okay), results in a temporary error such as (in this example, when spfhelo is set):


451 4.4.3 Permanent error in SPF verification of HELO domain

or a permanent error such as (in this example, when spfhelo is set):


500 5.5.2 Permanent error in SPF verification of HELO domain

New in 8.0, an SPF HELO/EHLO check failure will result in a "J" record in the MTA message transaction log file, if message transaction logging has been enabled.

New in 8.0, the error text is configurable via various error_text_spf_ehlo_* MTA options. Also, the SMTP error codes and extended codes have been adjusted to accord with draft-ietf-appsawg-email-auth-codes-07.

With spfmailfrom set (so that SPF verification of the claimed MAIL FROM address is attempted), possible SMTP error results (rejections) are, in the case of temporary errors, and depending upon the setting of the spf_smtp_status_temperror MTA option, either:


451 4.4.3 Temporary error in SPF verification of MAIL FROM domain

or


550 5.5.2 Temporary error in SPF verification of MAIL FROM domain

In the case of permanent errors, depending upon the setting of the spf_smtp_status_permerror MTA option, either:


451 4.4.3 Permanent error in SPF verification of MAIL FROM domain

or


550 5.5.2 Permanent error in SPF verification of MAIL FROM domain

In the case of an SPF fail result (the lookup shows that such a MAIL FROM address is not authorized), depending upon the setting of the spf_smtp_status_fail and spf_smtp_status_fail_all MTA options, either


451 4.4.3 SPF verification failed

or


550 5.7.1 SPF verification failed

or when additional explanation is available, either


451 4.4.3 SPF verification failed: explanation

or


550 5.7.1 SPF verification failed: explanation

In the case of an SPF soft failure, depending upon the setting of the spf_smtp_status_softfail and spf_smtp_status_softfail_all MTA options, either:


451 4.4.3 SPF verification failed (soft)

or


550 5.7.1 SPF verification failed (soft)

With spfrcptto set, so that the attempt to perform an SPF verification of the MAIL FROM address is delayed until the RCPT TO stage of processing, possible errors are:


450 4.5.1 temporary error in SPF verification of MAIL FROM domain (domain)
550 5.5.0 temporary error in SPF verification of MAIL FROM domain (domain)
450 4.5.1 permanent error in SPF verification of MAIL FROM domain (domain)
550 5.5.0 permanent error in SPF verification of MAIL FROM domain (domain)
450 4.5.1 SPF verification of MAIL FROM domain (domain) failed
450 4.5.1 SPF verification of MAIL FROM domain (domain) failed: spf-explanation
550 5.5.0 SPF verification of MAIL FROM domain (domain) failed
550 5.5.0 SPF verification of MAIL FROM domain (domain) failed: spf-explanation
450 4.5.1 SPF verification of MAIL FROM domain (domain) failed (soft)
550 5.5.0 SPF verification of MAIL FROM domain (domain) failed (soft)

New in 8.0, the error text used at MAIL FROM stage (spfmailfrom) and RCPT TO stage (spfrcptto) is configurable via various error_text_spf_* MTA options; note that these options had existed since MS 6.3, but were not effective until 8.0. Also new in 8.0, the SMTP error codes and extended codes have been adjusted to accord with draft-ietf-appsawg-email-auth-codes-07.
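The reply selection described for the HELO, MAIL FROM and RCPT TO stages above, as an added model that is not Messaging Server code: it maps an SPF result and the spf_smtp_status_* values (2, 4 or 5) to the reply text the page lists, and shows the effect of the weak setting that ignores permanent SPF errors. The spf_smtp_status_fail_all and spf_smtp_status_softfail_all options are not modelled, and the stage/result combinations the page does not enumerate raise instead of being guessed.

```python
# Added model of the reply selection described above; not Messaging Server code.
REPLY_CODES = {
    # (stage, category) -> {option value 4: temporary reply, 5: permanent reply}
    ("helo", "error"):     {4: ("451", "4.4.3"), 5: ("500", "5.5.2")},
    ("helo", "fail"):      {4: ("451", "4.3.0"), 5: ("550", "5.7.1")},
    ("mailfrom", "error"): {4: ("451", "4.4.3"), 5: ("550", "5.5.2")},
    ("mailfrom", "fail"):  {4: ("451", "4.4.3"), 5: ("550", "5.7.1")},
    ("rcptto", "error"):   {4: ("450", "4.5.1"), 5: ("550", "5.5.0")},
    ("rcptto", "fail"):    {4: ("450", "4.5.1"), 5: ("550", "5.5.0")},
}
# Values the page calls the normal configuration; fail/softfail must be supplied.
PAGE_DEFAULTS = {"spf_smtp_status_temperror": 4, "spf_smtp_status_permerror": 5}

def _reply_text(stage, result, domain, explanation):
    """Reply text for one stage; RCPT TO-stage texts are lower case and name the domain."""
    is_error = result in ("temperror", "permerror")
    kind = "Temporary" if result == "temperror" else "Permanent"
    if stage == "rcptto":
        if is_error:
            return f"{kind.lower()} error in SPF verification of MAIL FROM domain ({domain})"
        text = f"SPF verification of MAIL FROM domain ({domain}) failed"
    else:
        if is_error:
            return f"{kind} error in SPF verification of {'HELO' if stage == 'helo' else 'MAIL FROM'} domain"
        text = "SPF verification failed"
    if result == "softfail":
        return text + " (soft)"
    return text + (f": {explanation}" if explanation else "")

def spf_smtp_reply(stage, result, options, domain="sender.example", explanation=None):
    """Return None when the message is allowed in, else the SMTP reply the MTA would send."""
    if stage not in ("helo", "mailfrom", "rcptto"):
        raise ValueError(f"unknown stage {stage!r}")
    if result in ("pass", "none"):
        return None                      # nothing to reject on; Received-SPF: is added
    if stage == "helo" and result == "softfail":
        raise ValueError("no HELO-stage softfail reply is documented")
    option = f"spf_smtp_status_{result}"  # temperror, permerror, fail or softfail
    status = {**PAGE_DEFAULTS, **options}.get(option)
    if status not in (2, 4, 5):
        raise ValueError(f"{option} must be 2, 4 or 5, got {status!r}")
    if status == 2:
        return None                      # 2 = ignore this SPF condition entirely
    category = "error" if result in ("temperror", "permerror") else "fail"
    code, enhanced = REPLY_CODES[(stage, category)][status]
    return f"{code} {enhanced} {_reply_text(stage, result, domain, explanation)}"

if __name__ == "__main__":  # weak setting: a broken SPF record is accepted silently
    weak = {"spf_smtp_status_permerror": 2, "spf_smtp_status_fail": 5}
    print(spf_smtp_reply("helo", "permerror", weak), spf_smtp_reply("helo", "permerror", {}))
```

Constructed domain and explanation values are placeholders; the actual text is substituted from the SPF record's explanation when the MTA has one.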

Note that when SPF lookups are configured and a message is allowed in (either because it passed the SPF check, or because the configuration allows in messages despite certain sorts of SPF lookup errors or failure results), the MTA adds a "Received-SPF:" header line:


Received-SPF: spf-result (spf-explanation)

Note that SPF is prone to causing problems for autoforwarding; such problems are not due to the MTA's implementation, but rather to fundamental oversights in the original design of SPF. Use of SRS address encoding is one approach to working around SPF's fundamental difficulties with autoforwarding.


See also: