Lately, I got a lot of spam claiming to come from me. I don’t use a spam filter because I think most spam can be stopped by enforcing strict checks on the (incoming) mail servers. I know it’s only a matter of time before the spammers will adapt and be more strict as well, but I’m happy about that because then at least they will confirm to the standards ;)
Anyway, because I was sick of deleting the spam (I rarely got spam until recently), I was looking for a way to stop it without using a spam filter. Then I remembered SPF. I never got around to enabling it, so I did. It turned out a lot simpler than I thought so I’m happy I took the effort to do it. Should’ve done this a long time ago.
Enabling SPF is basically done in two parts: DNS and mail server. The DNS part makes sure that all incoming mail servers (not only yours, but others as well) that support SPF can check if the sender is allowed to send mail in your name (the domain name of the sender, to be precise). How this is done is explained pretty extensively on the Wikipedia article on SPF: http://en.wikipedia.org/wiki/Sender_Policy_Framework#Implementation.
The mail server part basically checks the domain name of the sender, to see if it is setup for SPF. If it is, this info is used to check if the sender IP-address is allowed to send mail with that domain name as sender address. Ubuntu has an excellent page on how to enable this for postfix (the mail server I’m using): https://help.ubuntu.com/community/Postfix/SPF
Let’s see what the spammers will come up next, after they comply to the standards :)
Update: SPF will still pass fake ‘From: firstname.lastname@example.org’ if they supply a “HELO” and/or “MAIL FROM:” with a domain that does not have SPF. Oh well, you can’t have it all!