SPF with SpamAssassin

I’ve been using SpamAssassin for years, it’s a fantastic open source anti-spam tool and plugs easily into *nix operating system mail transport agents such as Sendmail and Postfix.

To stop sender address forgery, where spammers email using my domain to email either myself, or others entities, I configured SPF records for my domain some time ago. The SPF records tell other mail servers which systems are really mine, vs which ones are frauds trying to send spam pretending to be me.

SpamAssassin has a plugin that makes use of these SPF records to score incoming mail – by having strict SPF records for my domain and turning on SpamAssassin’s validation, it ensures that any spam I receive pretending to be from my domain will be blocked, as well as anyone trying to spam under the name of other domains with SPF enabled will also be blocked.

Using SpamAssassin’s scoring offers some protection against false positives – if an organisation missconfigures their mail server so that their SPF record fails, but all the other details in the email are OK, the email may still be delivered, if the content looks like ham, comes from a properly configured server, etc, even if the SPF is incorrect – generally a couple different checks need to fail in order for emails to be blacklisted.

To turn this on, you just need to ensure your SpamAssassin configuration is set to load the SPF plugin:

loadplugin Mail::SpamAssassin::Plugin::SPF

You *also* need the Perl modules Mail::SPF or Mail::SPF::Query installed – without these, SpamAssassin will silently avoid doing SPF validations and you’ll be left wondering why you’re still getting silly spam.

On CentOS/RHEL, these Perl modules are available in EPEL and you can install both with:

yum install perl-Mail-SPF perl-Mail-SPF-Query

To check if SPF validation is taking place, check the mailserver logs or the X-Spam-Status email header for SPF_PASS (or maybe SPF_FAIL!), this proves the module is loaded and running correctly.

X-Spam-Status: No, score=-1.9 required=3.5 tests=AWL,BAYES_00,SPF_PASS,
 T_RP_MATCHES_RCVD autolearn=ham version=3.3.1

Finally sit back and enjoy the quieter, spam-free(ish) inbox :-)

4 thoughts on “SPF with SpamAssassin

  1. Michael Lorant

    Easier to verify what plugins are working by using he following command:

    spamassassin -D –lint

    Reply
    1. Jethro Carr Post author

      Thanks Mike – this is a pretty handy command to mention. Sadly there is one catch – it doesn’t pickup the missing Perl SPF modules :-(

      Reply
  2. Olav Langeland

    Check for failed spamassassin modules:
    spamassassin -D –lint 2>&1 | grep -i failed

    Reply
  3. Jan Ingvoldstad

    From SPF.pm in Spamassassin:

    “=item do_not_use_mail_spf (0|1) (default: 0)

    By default the plugin will try to use the Mail::SPF module for SPF checks if
    it can be loaded. If Mail::SPF cannot be used the plugin will fall back to
    using the legacy Mail::SPF::Query module if it can be loaded.”

    So, no, you don’t need Mail::SPF::Query.

    It’s possible that this was changed in February 2014, which is when this documentation excerpt is from.

    Reply

Leave a Reply