spfbehavior

Use this to turn on SPF checking. The default value is 0 (off).
You can specify a value between 0 and 6:

  0: Never do SPF lookups, don't create Received-SPF headers
  1: Only create Received-SPF headers, never block
  2: Use temporary errors when you have DNS lookup problems
  3: Reject mails when SPF resolves to fail (deny)
  4: Reject mails when SPF resolves to softfail
  5: Reject mails when SPF resolves to neutral
  6: Reject mails when SPF does not resolve to pass

Values bigger than 3 are strongly discouraged; you probably want to go with 2 or 3.

Important: This setting can be overridden using the environment variable SPFBEHAVIOR, e.g. from tcpserver rules.

Note: If RELAYCLIENT is set, SPF checks won't run at all. (This also includes SMTP-AUTH and similar patches.)

spfrules

You can specify a line with local rules. Local rules are rules that are executed before the real SPF rules for a domain would fail (fail, softfail, neutral). They are also executed for domains that don't publish SPF entries.

I suggest adding include:spf.trusted-forwarder.org. You can also add mechanisms to trust known mail servers like backup MX servers, though I suggest that you at least also use tcprules (to modify SPFBEHAVIOR).

spfguess

You can specify a line with guess rules. Guess rules are rules that are used if the domain doesn't publish SPF rules. The local spfrules are always executed afterwards.

I suggest adding a/24 mx/24 ptr. This isn't needed but generally gives good results (for spam filters scoring Received-SPF lines).

spfexp

You can override the default SPF explanation if you want. The explanation is the line returned to the SMTP sender when a mail is rejected at the SMTP level. You can use macro expansion. If a domain specifies its own explanation, that one is used instead.

The SMTP answer when rejecting mails will look like:

  550 the expanded SPF explanation (#5.7.1)

For an explanation of macro expansion, see the SPF draft.
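
As an added example (not code from the qmail SPF patch), the following Python model shows how the spfbehavior level, the SPFBEHAVIOR override and RELAYCLIENT combine into an SMTP decision. It assumes the levels are cumulative and that a DNS problem is handled before the reject check; the function names, result labels and sample explanation are constructed for illustration.

```python
# Added example: a model of the documented spfbehavior levels, not qmail's code.
# Assumption: levels are cumulative (level 4 also rejects what level 3 rejects).

# Lowest spfbehavior level at which each non-pass SPF result is rejected.
REJECT_FROM = {"fail": 3, "softfail": 4, "neutral": 5, "none": 6, "unknown": 6}
DEFAULT_EXP = "constructed sample explanation"  # stands in for the spfexp text


def effective_level(control_value, env):
    """Return the level in force; SPFBEHAVIOR in env overrides the control file."""
    level = int(env.get("SPFBEHAVIOR", control_value))
    if not 0 <= level <= 6:
        raise ValueError("spfbehavior must be between 0 and 6")
    return level


def smtp_decision(spf_result, control_value=0, env=None, explanation=DEFAULT_EXP):
    """Return (action, header_added, smtp_reply) for one message.

    spf_result is "pass", "fail", "softfail", "neutral", "none", "unknown",
    or "error" for a DNS lookup problem (labels chosen for this example).
    header_added is True only when the mail is accepted with a Received-SPF line.
    """
    if spf_result not in REJECT_FROM and spf_result not in ("pass", "error"):
        raise ValueError("unexpected SPF result: %r" % spf_result)
    env = {} if env is None else env
    # RELAYCLIENT only has to be set; an empty value still skips SPF entirely.
    if "RELAYCLIENT" in env:
        return ("accept", False, None)
    level = effective_level(control_value, env)
    if level == 0:
        return ("accept", False, None)  # no lookup, no Received-SPF header
    if spf_result == "error":
        # From level 2 on, a DNS problem becomes a temporary error (sender retries).
        return ("tempfail", False, None) if level >= 2 else ("accept", True, None)
    threshold = REJECT_FROM.get(spf_result)  # None for "pass"
    if threshold is not None and level >= threshold:
        return ("reject", False, "550 %s (#5.7.1)" % explanation)
    return ("accept", True, None)
```

Passing env={"SPFBEHAVIOR": "1"} for a trusted forwarder's address range models the tcpserver-rules override: the mail is tagged but never blocked, whatever the control file says.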