Setting up Sendmail on a dynamic IP, part2: SPF

By Andrew Smith

Even though I had a decent mail server set up and running, other people’s stupid spam filters are starting to cause me headaches, so after looking around for solutions I found two things that may alleviate (and perhaps completely solve) that problem. The first is SPF.

The idea is that the receiving mail server will verify the sending mail server’s IP address to ensure it actually matches the “From:” header, to prevent email address spoofing.

That’s awesome, except that I’m on a dynamic IP and I immediately imagined a time when my IP would be changed while my outbound mail was sitting in someone’s queue. After researching it for a while I decided that’s not a major issue though, since you’re supposed to get a bounce message in case of rejection.

Unfortunately it turned out that my previous spam solution (see part1: ISP’s SMTP) was causing an issue. Since my ISP is sending my email, I can’t get the receiving server to verify it’s coming from my server!

Except that I can. The solution is to combine the SPF “A” mechanism with the “include” mechanism. So my SPF record looks like this:

littlesvr.ca. 600 IN TXT "v=spf1 +a +include:mnsi.net -all"

Which I happily added to my DNS server records. I didn’t need to make any changes to my ddclient configuration since this doesn’t need to be updated with my IP. Neat!

Looks simple, but it took me a while to figure out. You see openspf.org says the forwarding server must itself have an SPF record, which out.mnsi.net doesn’t. But mnsi.net does, and somehow at some point something decided to check the SPF record for mnsi.net even though my messages are going through out.mnsi.net. Don’t know why, but it works.
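To see how a receiving server actually evaluates that record, here is a small added example of my own (not code from the post or from any SPF library) implementing the a, ip4, include and all mechanisms over a constructed, offline DNS table. The IP addresses, mnsi.net's record and the bad.example domain are all made up; the real mnsi.net record is not on this page. It also shows the openspf.org point: including a domain with no SPF record (out.mnsi.net) gives a permerror instead of a pass.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> {"A": [...], "TXT": [...]}.
# All addresses and the mnsi.net / bad.example records are made up.
DNS = {
    "littlesvr.ca": {"A": ["203.0.113.10"],
                     "TXT": ["v=spf1 +a +include:mnsi.net -all"]},
    "mnsi.net":     {"A": ["198.51.100.1"],
                     "TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "out.mnsi.net": {"A": ["198.51.100.25"], "TXT": []},  # no SPF record
    "bad.example":  {"A": ["203.0.113.99"],
                     "TXT": ["v=spf1 +a +include:out.mnsi.net -all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None if absent."""
    recs = [t for t in DNS.get(domain, {}).get("TXT", []) if t.startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None

def check_host(ip, domain):
    """Simplified RFC 7208 check_host(): is ip allowed to send for domain?"""
    record = spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"                       # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "a":                     # A record of domain (or arg)
            matched = ip in DNS.get(arg or domain, {}).get("A", [])
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
        elif name == "include":               # recursive check of arg
            sub = check_host(ip, arg)
            if sub == "none":
                return "permerror"            # included domain has no SPF
            matched = sub == "pass"           # only a pass counts as a match
        else:
            return "permerror"                # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                          # ran off the end of the record
```

With the table above the home server's address passes via "+a", the ISP relay passes via "+include:mnsi.net", and any other address hits "-all".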

Of course now anyone sending email via the same ISP as me can still spoof the sender address, which annoyed me greatly until I realised that before this setup anyone on the internet could do the same, so this reduces the potential spoofers’ pool by 99.somethingridiculous percent.

Now to testing. openspf.org provides a completely useless tester – you can send an email to spf-test@openspf.net and they will send back a bounce message with the results of the SPF check. I sent two emails and didn’t get a bounce back. Got me worried a little and then I realised they are probably sending the bounce to my ISP’s server which doesn’t forward it back to me. Interesting discovery!

Anyway, they also mentioned another service, check-auth@verifier.port25.com, which worked beautifully: it sent me a reply email with info not only on SPF but also on DomainKeys, DKIM, Sender-ID, and SpamAssassin. DomainKeys and Sender-ID I don’t intend to use, but DKIM is the next part of the series!