Net a Few Phishes with SPF for Windows 2003

Editor's Note: If you've got Linux servers in your operation, be sure to check back Wednesday when we feature implementation of SPF for Linux and Unix.

For some time now, a number of technologies have been under development for the containment of unsolicited e-mail (spam). Of these, the Sender Policy Framework (SPF) (define) is the technology that has been receiving the most attention, and is now becoming widely implemented by ISPs and companies alike.

Although SPF is seen as a major leap forward in combating spam, it won’t be able to have a large-scale effect until it is adopted en masse. For that reason, you should consider implementing SPF on your network as soon as possible. The good news is that not only does SPF not cost anything to implement, it only takes a couple of minutes to configure. Having said that, you need to be aware of what SPF is, and what implementing it will mean in your war against spam.

Before we get into exactly how you implement SPF, we should just recap very quickly what it is.

SPF in a Nutshell

SPF is an open source approach to combating spam. It does this by verifying that the server identified in the sender details of the e-mail is permitted to send mail on behalf of the sending domain. This prevents one of the most common spamming methods – domain spoofing. Domain spoofing is a popular way of making spam e-mail look like it is from a legitimate sender (one that has a domain name which you are familiar with), when it is not. SPF, through the same mechanism, also serves to prevent an e-mail server being used as a relay. Spammers use mail relays to disguise the identity of the original sending system.

A common misconception about SPF is that it is a product, which it is not. SPF is a technology framework that uses simple DNS (define) record lookups to verify the authenticity of a senders Internet domain. Implementation of SPF on a Microsoft Windows network can be as simple as adding a record to a DNS server. It is this process that we will look at later in this article.

Another common misconception is that SPF will prevent spam from coming into your network. This is untrue. What configuring SPF will do is prevent your domain name from being used in domain spoofed e-mails. It will also provide a means for other people to verify that the e-mail you send from your domain is legitimate.

Only your receiving e-mail system can use SPF to prevent spam by performing lookups for each piece of e-mail it receives. Thus, if your e-mail system does not support SPF lookups for incoming mail, then SPF will not be able to prevent spam e-mail from entering your system. The reason that this is significant in this context is that the most popular e-mail system for Windows networks, Microsoft Exchange, does not currently support SPF lookups for sender verification. There are, however, other applications that can be used to implement SPF lookups for incoming mail on Windows networks.

Creating an SPF Record on Microsoft Windows Server 2003 DNS

Figure 1. Selecting a domain to host an SPF DNS lookup record. (Click for a larger image)

To begin, open the DNS MMC from the Administrative Tools menu of your Windows Server 2003 system. Next, find the domain that will host the SPF DNS lookup record. In our example, shown in Figure 1, the domain is hqdom.com.

Highlight the folder for the domain, and select Other New Records from the Action menu, as show in Figure 2. You can also access this menu by right-clicking the domain folder.

The resource Record Type dialog box will be displayed. From the Select a Resource Record Type area of the screen, scroll down the list and select Text (TXT) from the list, as shown in Figure 3.

Click Create Record. This will bring up the New Resource Record dialog box to appear. This is where you will need the actual syntax of the SPF record.

The syntax of an SPF record is very simple, as follows:

yourdomain.com. TXT "v=spf1 mx -all"

Figure 2. Adding a record to your domain's DNS information. (Click for a larger image)

Notice that the domain name includes a trailing period, which is very important. As with any other syntax, you should be very careful when entering the information, as a single character entered incorrectly may render the entry useless. Although the format of the syntax for the command might look a little cryptic, it is relatively straightforward. What it does is act as a pointer to the MX records, which will, assuming everything is configured correctly, provide the information about which e-mail domains are hosted on your network servers. It is this information that is used by SPF for verification.

In our example, because the name of the domain is hqdom.com, the entry would look like this:

Hqdom.com. TXT "v=spf1 mx -all"

Figure 3. Use "TXT" for the record type. (Click for a larger image)

You can see an example of the completed resource record screen in Figure 4.

Once you have entered the information into the record, Click OK, and then click Done on the Resource Record Type dialog box. The newly created SPF record will be listed in the right pane of the DNS management console. Creation of your SPF record is now complete, and SPF lookups can now occur automatically.

If you host domains that do not have e-mail, and you want to ensure that these domains are not used for sending mail, you can also create SPF compliant DNS records that will stop this. The process for creating the record is the same as in the previous example, but the syntax for the record is as follows:

yourdomain.com. TXT "v=spf1 -all"

Notice that the only omission from the text is the naming of an MX record. That is all that makes the difference between a domain that is permitted to send e-mail, and one that is not.

Once you have completed your update of the DNS records, you can test the configuration by using tools provided at http://spf.pobox.com.

And if you are not hosting Mail Servers...

Figure 4. Sample syntax for an SPF record. (Click for a larger image)

Of course, if you are not hosting your e-mail servers, or your DNS servers for that matter, there is little point in you configuring SPF DNS records. What you should be doing is calling your ISP and asking them if they are making use of SPF. Only when the majority of legitimate e-mail users have implemented SPF will it start to become an effective means of reducing spam.