Aug 082009

Even though spammers may not have thought to do the email forgery yet, I’m publishing SPF txt record in dns.

# dig txt +short
"v=spf1 ip6:2001:470:19:13c::2 -all"

I don’t even know whose gonna validate my spf record anyway 😀 But for the sake of my curiousity, i’m continue developing SPF on my ipv6 postfix smtp. first i need to publish spf txt record    86400   IN      SPF     "v=spf1 ip6:2001:470:19:13c::2 -all"

for the scanner, i’m using postfix-policyd-spf-perl, can be download at The following Perl version and packages are required for running postfix-policyd-spf-perl: Perl 5.6 NetAddr-IP 4 Mail-SPF (not Mail-SPF-Query) perl-Net-DNS >= 0.65 perl-Net-IP >= 1.25 Test the postfix-policyd-spf-perl script, just make sure it works with ipv6 address.

# ./postfix-policyd-spf-perl

action=PREPEND Received-SPF: pass ( 2001:470:19:13c::2 is authorized to use '' in 'mfrom' identity (mechanism 'ip6:2001:470:19:13C::2' matched)) receiver=unknown; identity=mailfrom; envelope-from="";; client-ip="2001:470:19:13c::2"

as we can see, if i sent from my ip/client_address which published in dns, it’ll passed do it again with different ip/client_address

# ./postfix-policyd-spf-perl

action=550 Please see;;ip=2001%3A4860%3Ac004%3A%3A68;r=unknown

rejected!!, 2001:4860:c004::68 is not me.

1. Copy postfix-policyd-spf-perl to /usr/local/bin/policyd-spf-perl
2. Add the following to /etc/postfix/

        policy  unix  -       n       n       -       0       spawn
            user=nobody argv=/usr/local/lib/policyd-spf-perl

3. Configure the Postfix policy service in /etc/postfix/

        smtpd_recipient_restrictions =
            check_policy_service unix:private/policy

NOTES: Specify check_policy_service AFTER reject_unauth_destination or else your system can become an open relay. The user ‘nobody’ is used in this example. This is appropriate if you do not have any other services running as nobody. If you do, create a dedicated user for this service and use it instead.

4. Add “policy_time_limit = 3600” to
5. Restart Postfix. example spf log

Aug  8 15:31:19 fire sqlgrey: perf: spent 0s cleaning: from_awl (0) domain_awl (0) connect (0)
Aug  8 15:31:19 fire sqlgrey: grey: domain awl match: updating 4f8(2001:4f8:3:7:2e0:81ff:fe52:9ab6),
Aug  8 15:31:20 fire postfix/policy-spf[25069]: : SPF none (No applicable sender policy available): Envelope-from:
Aug  8 15:31:20 fire postfix/policy-spf[25069]: handler sender_policy_framework: is decisive.
Aug  8 15:31:20 fire postfix/policy-spf[25069]: : Policy action=PREPEND Received-SPF: none ( No applicable sender policy available) receiver=unknown; identity=mailfrom; envelope-from="";; client-ip="2001:4f8:3:7:2e0:81ff:fe52:9ab6" not publishing spf record.


  5 Responses to “Postfix IPv6 + SPF (sender policy framework)”

Comments (5)
  1. This helped me to accomplish my project with ease 😛

  2. As an alternative, you can link libspf2 to postfix directly:

  3. i’ve visit your blog, seems interesting, not testing it yet though.
    i’l try it when i got spare time.. 🙂

  4. You should be using the DNS SPF RR-type, not a TXT record.

    RFC 4408: The use of TXT was meant as a transitional device until SPF gained its own record type assignment, which happened back in 2006 when the IANA acted on the request. This is 2010: No SPF records should be using TXT RR-types (unless also represented by an SPF RR-type), and even then, the TXT record is deprecated.

  5. thanks for your comment, i guess you’re right about that.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>