SPF record.
An SPF record is a text record that describes the legitimate senders for a given domain. The MTA receiving a message can use it to check whether the sending host is an authentic source for that domain.
A sample SPF record:
; Published as TXT: RFC 7208 retired the dedicated SPF record type, and receivers query TXT only.
@ IN TXT "v=spf1 a mx ip4:1.2.3.4 ip4:4.3.2.96/30 ip6:2001:aaaa:b:abcd::/64 a:nazwa-fqdn-ip.tld -all"
Sample SPF rules for the Exim MTA.
First, check that Exim was built with SPF support:
server# exim -bV
Support for: crypteq IPv6 Perl OpenSSL move_frozen_messages Content_Scanning DKIM DNSSEC Event OCSP PIPE_CONNECT PRDR SPF DMARC TCP_Fast_Open Experimental_SRS
Next, the SPF checks go into the ACL:
acl_check_recipient:

  # Reset the per-message flags: acl_m_slow selects the delay applied at the end,
  # and acl_m_spfw = 1 exempts a sender from the SPF rules below.
  warn  set acl_m_slow = 0
  warn  set acl_m_spfw =

  # SPF fail: the domain's policy does not authorize this host. Reject.
  deny
    !authenticated = *
    condition = ${if !eq{$acl_m_spfw}{1}}
    spf = fail
    message = SPF: $sender_host_address is not allowed to send mail from $sender_address_domain: $spf_smtp_comment
    logwrite = SPF: $sender_host_address is not allowed to send mail from $sender_address_domain: $spf_smtp_comment

  # SPF permerror: the published record cannot be interpreted. Reject.
  deny
    !authenticated = *
    condition = ${if !eq{$acl_m_spfw}{1}}
    spf = permerror
    message = SPF: $sender_host_address is not allowed to send mail from $sender_address_domain: $spf_smtp_comment
    logwrite = SPF: DENY, $sender_host_address is not allowed to send mail from $sender_address_domain: $spf_smtp_comment
    set acl_m_slow = 1

  # No SPF record: reject only if the sender callout verification also fails.
  deny
    !authenticated = *
    condition = ${if !eq{$acl_m_spfw}{1}}
    spf = none
    !verify = sender/callout=30s,random,postmaster
    message = SPF: Sender not have SPF record and SPF info does\n \
              not grant $sender_host_address explicit\n \
              authority to send mail from $sender_address_domain.
    logwrite = SPF: DENY, We check sender and we block messages from $sender_address_domain because sender test is invalid: $spf_smtp_comment
    set acl_m_slow = 1

  # SPF softfail or neutral: temporary rejection (greylisting).
  defer
    !authenticated = *
    condition = ${if !eq{$acl_m_spfw}{1}}
    spf = softfail : neutral
    message = SPF: We greylist messages from $sender_address_domain\nbecause the domain's reputation is questionable:\n$spf_smtp_comment
    logwrite = SPF: DEFER, We greylist messages from $sender_address_domain because the domain's reputation is questionable: $spf_smtp_comment
    set acl_m_slow = 1

  # SPF temperror: transient error while evaluating SPF. Defer.
  defer
    !authenticated = *
    condition = ${if !eq{$acl_m_spfw}{1}}
    spf = temperror
    message = SPF: $sender_host_address currently is not allowed to send mail from $sender_address_domain: $spf_smtp_comment
    logwrite = SPF: DEFER, $sender_host_address currently is not allowed to send mail from $sender_address_domain: $spf_smtp_comment
    set acl_m_slow = 1

  # SPF pass: record the result in a header and in the log.
  warn
    !authenticated = *
    spf = pass
    add_header = X-SPF: Result=$spf_result , comment=$spf_header_comment
    logwrite = SPF: INFO, Result=$spf_result, comment=$spf_header_comment, sender=$sender_address_domain: $spf_smtp_comment
    set acl_m_slow = 0

  # No SPF record (and the callout above did not reject): tag the message and select the long delay.
  warn
    !authenticated = *
    spf = none
    message = SPF: $sender_address_domain\nreputation is questionable:\n$spf_smtp_comment.\n
    logwrite = SPF: Result=$spf_result, comment=$spf_header_comment, sender=$sender_address_domain: $spf_smtp_comment
    add_header = X-SPF: INFO, Result=$spf_result , comment=$spf_header_comment
    set acl_m_slow = 2

  # The domain's TXT data contains "+all", a policy that authorizes every host: tag and slow down.
  warn
    !authenticated = *
    condition = ${if match{${lookup dnsdb{txt=$sender_address_domain}{$value}}}{\\+all}}
    add_header = X-SPF-WARN-ALL: $sender_address_domain allows +all in SPF policy
    logwrite = SPF: WARN, $sender_address_domain allows +all in SPF policy
    set acl_m_slow = 2

  # Apply the delay selected above, unless the sender is exempt (acl_m_spfw = 1).
  warn
    condition = ${if eq{$acl_m_slow}{1}}
    condition = ${if !eq{$acl_m_spfw}{1}}
    delay = 10s

  warn
    condition = ${if eq{$acl_m_slow}{2}}
    condition = ${if !eq{$acl_m_spfw}{1}}
    delay = 60s
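
An added example, not part of the original page or of Exim: a small Python audit of an SPF record string, with the page's sample record as PAGE_RECORD. It evaluates only the literal ip4/ip6 terms offline, flags an "all" that authorises every host (including the unqualified form, which a text match on "+all" misses) and skips TXT data that is not SPF; the function names and report fields are illustrative assumptions.

```python
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}  # one DNS query each
# The sample record from the page.
PAGE_RECORD = ("v=spf1 a mx ip4:1.2.3.4 ip4:4.3.2.96/30 "
               "ip6:2001:aaaa:b:abcd::/64 a:nazwa-fqdn-ip.tld -all")

def parse_spf(txt):
    """Return [(qualifier, name, rest)] for an SPF TXT string, or None if it is not SPF."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    terms = []
    for term in parts[1:]:
        qual = "+"                                  # a term without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        m = re.match(r"([A-Za-z][\w.-]*)(.*)$", term)
        if m:
            terms.append((qual, m.group(1).lower(), m.group(2)))
    return terms

def audit_spf(txt, sender_ip):
    """Check sender_ip against the literal ip4/ip6 terms and flag weak policy."""
    terms = parse_spf(txt)
    if terms is None:
        return None
    ip = ipaddress.ip_address(sender_ip)
    report = {"result": None, "needs_dns": False, "warnings": []}
    for qual, name, rest in terms:
        if name in DNS_TERMS:
            # An unresolved DNS term ahead of the first match could change the result.
            report["needs_dns"] = report["needs_dns"] or report["result"] is None
        elif report["result"] is None and name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(rest[1:], strict=False):
                report["result"] = QUALIFIERS[qual]
        elif name == "all":
            if qual == "+":
                report["warnings"].append("all with '+' (or no qualifier) authorises every host")
            if report["result"] is None:
                report["result"] = QUALIFIERS[qual]
    if sum(1 for _, name, _ in terms if name in DNS_TERMS) > 10:
        report["warnings"].append("more than 10 DNS-querying terms: permerror (RFC 7208)")
    if report["result"] is None:
        report["result"] = "neutral"                # nothing matched and there is no "all"
    return report
```

A result reported with needs_dns set is provisional: an a, mx or similar term ahead of the matching term still has to be resolved by a real SPF implementation.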
To verify the sender fully, apply SPF, DKIM and DMARC policies together.