.TH SPF 8
.SH NAME
spf \- evaluate Sender Policy Framework records
.SH SYNOPSIS
.B upas/spf
[
.B -demprv
]
[
.B -n
.I netroot
] [
.B -t
.I text
]
.I domain
[
.I ip
.I from
.I hello
]
.SH DESCRIPTION
.I Spf
parses Sender Policy Framework (SPF) records for
.I domain
and validates them against any additional arguments.
If there are no
additional arguments, the internal representation of the SPF records
is printed.
Typically,
.I spf
is invoked by
.IR smtpd (8)
through the
.B /mail/lib/validatesender
script.
There are four possible results of an
.I spf
invocation:
success, no match, no record found and timeout.
Unsuccessful results
are indicated by exit codes beginning with
.BR fail ,
.BR none ,
and
.BR deferred ,
respectively.
.PP
The policy implemented is that
negatively-biased results are the equivalent
of a negative match.
Thus
.B ~all
is treated the same as
.BR -all .
The
.B -e
option makes this policy even more draconian, escalating neutral results
to failure.
This is useful for sites like
.B gmail.com
which enumerate all allowed hosts but end with an inclusive
neutral result.
This option is not recommended as a default for all sites.
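.PP
The biasing policy above as a small model, added here as an example; it is not the code of spf itself. It evaluates only ip4, ip6 and all terms of constructed records, performs no DNS queries, and its function names are hypothetical.

```python
import ipaddress

# RFC 4408 qualifier character -> result name
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample records (documentation address ranges, not real policies).
ENUMERATED = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ?all"
SOFTFAIL = "v=spf1 ip4:192.0.2.0/24 ~all"

def rfc_result(record, ip):
    """RFC 4408 result for ip, looking only at ip4, ip6 and all terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no usable record
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"                         # default qualifier
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIER[qual]
        # Terms that need DNS (a, mx, include, ...) are skipped in this model.
    return "neutral"                       # RFC default when nothing matches

def apply_policy(result, escalate=False):
    """Apply the biasing described above; escalate models the -e option."""
    if result == "softfail":
        return "fail"                      # ~all is always treated as -all
    if result == "neutral" and escalate:
        return "fail"                      # -e: ?all is treated as -all
    return result

def verdict(record, ip, escalate=False):
    """Result for ip after the biasing policy has been applied."""
    return apply_policy(rfc_result(record, ip), escalate)
```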
.PP
Options are:
.TF netroot
.TP
.B -d
print DNS queries as performed
.TP
.B -e
escalate; treat
.B ?all
as
.BR -all .
The result
.B ~all
is always treated the same as
.BR -all .
.TP
.B -m
ignore macros
.TP
.BI -n " netroot"
use the IP stack rooted at
.IR netroot .
.TP
.B -p
print the internal representation of the SPF records.
This is the default if only one argument is given.
.TP
.B -r
trace
.B include
and
.B redirect
elements.
.TP
.B -v
print records resulting in positive
or negative match or bias.
.SH "SEE ALSO"
.IR ndb (8),
.IR smtp (8)
.br
.PD 0
.TF /lib/rfc/rfc4408
.TP
.B /lib/rfc/rfc4408
Sender Policy Framework
.TP
.B /lib/rfc/rfc4406
SenderID
.SH SOURCE
.B /sys/src/cmd/upas/spf
.SH BUGS
.L exp
records are ignored.
.PP
Improperly-placed
.B redirect
queries are not evaluated last.
.PP
.I Spf
uses higher DNS query limits than allowed by the RFC,
as the authors of the RFC use SPF records that require
twice the allowed number of queries.