Net a Few Phishes with SPF for Windows 2003
Implementing SPF, Part 1: Even though Sender ID for E-Mail has run into some problems, SPF can still help shield you from phishing attacks. Here's how to add SPF to your DNS server in Windows Server 2003.
Editor's Note: If you've got Linux servers in your operation, be sure to check back Wednesday when we feature implementation of SPF for Linux and Unix.
For some time now, a number of technologies have been under development for the containment of unsolicited e-mail (spam). Of these, the Sender Policy Framework (SPF) is the technology that has been receiving the most attention, and it is now becoming widely implemented by ISPs and companies alike.
Although SPF is seen as a major leap forward in combating spam, it won’t be able to have a large-scale effect until it is adopted en masse. For that reason, you should consider implementing SPF on your network as soon as possible. The good news is that not only does SPF not cost anything to implement, it only takes a couple of minutes to configure. Having said that, you need to be aware of what SPF is, and what implementing it will mean in your war against spam.
Before we get into exactly how you implement SPF, we should just recap very quickly what it is.
SPF in a Nutshell
SPF is an open, non-proprietary approach to combating spam. It works by verifying that the server identified in the sender details of the e-mail is permitted to send mail on behalf of the sending domain. This prevents one of the most common spamming methods – domain spoofing. Domain spoofing is a popular way of making spam e-mail look like it is from a legitimate sender (one that has a domain name you are familiar with), when it is not. SPF, through the same mechanism, also serves to prevent an e-mail server from being used as a relay. Spammers use mail relays to disguise the identity of the original sending system.
A common misconception about SPF is that it is a product, which it is not. SPF is a technology framework that uses simple DNS record lookups to verify the authenticity of a sender's Internet domain. Implementation of SPF on a Microsoft Windows network can be as simple as adding a record to a DNS server. It is this process that we will look at later in this article.
Another common misconception is that SPF will prevent spam from coming into your network. This is untrue. What configuring SPF will do is prevent your domain name from being used in domain spoofed e-mails. It will also provide a means for other people to verify that the e-mail you send from your domain is legitimate.
Only your receiving e-mail system can use SPF to prevent spam by performing lookups for each piece of e-mail it receives. Thus, if your e-mail system does not support SPF lookups for incoming mail, then SPF will not be able to prevent spam e-mail from entering your system. The reason that this is significant in this context is that the most popular e-mail system for Windows networks, Microsoft Exchange, does not currently support SPF lookups for sender verification. There are, however, other applications that can be used to implement SPF lookups for incoming mail on Windows networks.
Creating an SPF Record on Microsoft Windows Server 2003 DNS
Highlight the folder for the domain, and select Other New Records from the Action menu, as shown in Figure 2. You can also access this menu by right-clicking the domain folder.
The Resource Record Type dialog box will be displayed. In the Select a Resource Record Type area of the screen, scroll down the list and select Text (TXT), as shown in Figure 3.
Click Create Record. This will cause the New Resource Record dialog box to appear. This is where you will need the actual syntax of the SPF record.
The syntax of an SPF record is very simple, as follows:
yourdomain.com. TXT "v=spf1 mx -all"
In our example, because the name of the domain is hqdom.com, the entry would look like this:
hqdom.com. TXT "v=spf1 mx -all"
Once you have entered the information into the record, click OK, and then click Done in the Resource Record Type dialog box. The newly created SPF record will be listed in the right pane of the DNS management console. Creation of your SPF record is now complete, and receiving mail systems that check SPF can now look up your policy.
If you host domains that do not have e-mail, and you want to ensure that these domains are not used for sending mail, you can also create SPF-compliant DNS records that will stop this. The process for creating the record is the same as in the previous example, but the syntax for the record is as follows:
yourdomain.com. TXT "v=spf1 -all"
Notice that the only change is the omission of the mx mechanism, which named your mail exchangers. That alone is the difference between a domain that is permitted to send e-mail and one that is not: with no mechanism before -all, every sending host fails the check.
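To show what a receiving mail system actually does with the two records above (the lookup step the article says Exchange did not perform at the time), here is an added example, not code from the article. It evaluates "v=spf1 mx -all" and "v=spf1 -all" against a constructed, offline stand-in for DNS; the MX host name, the IP addresses and the parked.example domain are assumptions, and only the mx and all mechanisms used in the article are implemented.

```python
import ipaddress

# Constructed zone data standing in for live DNS lookups (not from the article).
# hqdom.com is the article's example domain; the MX host and addresses are assumed.
DNS = {
    ("hqdom.com", "TXT"): ['v=spf1 mx -all'],
    ("hqdom.com", "MX"): ["mail.hqdom.com"],
    ("mail.hqdom.com", "A"): ["192.0.2.25"],
    ("parked.example", "TXT"): ['v=spf1 -all'],   # domain that sends no mail
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Offline replacement for a DNS query; names are case-insensitive."""
    return DNS.get((name.lower().rstrip("."), rtype), [])


def check_spf(domain, client_ip):
    """Return the SPF result for mail that the host at client_ip claims to send from domain."""
    records = [t for t in lookup(domain, "TXT") if t.split()[0].lower() == "v=spf1"]
    if not records:
        return "none"          # no policy published: the receiver learns nothing
    if len(records) > 1:
        return "permerror"     # more than one SPF record is a publishing error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"        # a mechanism with no prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "mx":
            # Every host listed as an MX for the domain may send on its behalf.
            matched = any(ipaddress.ip_address(a) == ip
                          for mx in lookup(domain, "MX") for a in lookup(mx, "A"))
        elif term == "all":
            matched = True     # always matches; "-all" rejects anything not matched earlier
        else:
            return "permerror"  # mechanisms outside this example are not evaluated
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"           # record exhausted without a match


if __name__ == "__main__":
    for dom, ip in [("hqdom.com", "192.0.2.25"), ("hqdom.com", "198.51.100.7"),
                    ("parked.example", "192.0.2.25"), ("nospf.example", "192.0.2.25")]:
        print(f"{dom:16} from {ip:14} -> {check_spf(dom, ip)}")
```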
Once you have completed your update of the DNS records, you can test the configuration by using tools provided at http://spf.pobox.com.
And if you are not hosting Mail Servers...