Angus Fox

Q: Anyone implemented SPF on OS X Server?

I have a nice SPF record in my top level domain DNS now, and I can see that GMAIL checks it, and it seems to work.


    Received-SPF: pass (google.com: domain of me@mydomainname.co.uk designates x.x.x.x as permitted sender) client-ip=x.x.x.x;
    Authentication-Results: mx.google.com;
           spf=pass (google.com: domain of me@mydomainname.co.uk designates x.x.x.x as permitted sender) smtp.mailfrom=me@mydomainname.co.uk


But my own OS X Server mail system either does not seem to show these headers or I do not know how to check it.

 

How can I check it / set it up to work?

 

Angus

Mac Pro, Xserve, iPhone, TV, OS X El Capitan (10.11.6), I live in a Banana Republic

Posted on Aug 13, 2016 5:50 AM


  • by Steven Major,Helpful

    Level 1 (44 points)
    Aug 14, 2016 1:10 PM in response to Angus Fox

    So, I do not have an exact answer to your question, but it may help. I've been running ASSP as a front end proxy to my OS X mail server for going on 10 years now. It does do SPF and a lot of other things too.

  • by Angus Fox,

    Level 1 (112 points)
    Servers Enterprise
    Aug 14, 2016 1:12 PM in response to Steven Major

    Thanks I'll check it out - I'm assuming you mean this http://www.thockar.com/assp-home/

  • by Steven Major,

    Level 1 (44 points)
    Aug 14, 2016 1:37 PM in response to Angus Fox

    Yes, that's the one!

  • by John Lockwood,Helpful

    Level 6 (9,205 points)
    Servers Enterprise
    Aug 15, 2016 3:17 AM in response to Angus Fox

    There are two aspects potentially.

     

    You need the SPF record added to your DNS server. This DNS server might be an external DNS server, but you may also have an internal DNS server as well. (This is called a split-horizon DNS configuration.) If so, you need to add the SPF record to both DNS servers.

    To add special records like an SPF record, the Server.app program is not really up to the job; you therefore need to manually edit the appropriate file in /Library/Server/named/ while your DNS server is temporarily turned off.

    The second aspect is your mail server software. Kerio Connect has built-in support for SPF and it is merely a matter of turning this function on, but if you're using the Apple mail server which is part of Server.app, then you need to enable support in whatever anti-spam system you are using. As per other answers here, one option is to do this using ASSP; another is to do this using SpamAssassin, which is built in to Server.app although only configurable via the command line.

  • by Angus Fox,

    Level 1 (112 points)
    Servers Enterprise
    Aug 15, 2016 3:19 AM in response to John Lockwood

    Thanks John (I remember you from a LONG time ago), yes, I am running split-horizon DNS.

     

    Will post here when I figure it out on my test server.

  • by Angus Fox,

    Level 1 (112 points)
    Servers Enterprise
    Aug 15, 2016 9:30 AM in response to Angus Fox

    I have discovered that SpamAssassin on OS X Server is set up to load the SPF plugin.

    $ cat /Applications/Server.app/Contents/ServerRoot/etc/mail/spamassassin/init.pre

    # SPF - perform SPF verification.
    #
    loadplugin Mail::SpamAssassin::Plugin::SPF

    So now to test it. Progress.
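
A way to check a delivered message for the SPF evidence discussed in this thread, as an added example that is not part of the original posts: it reads a raw message and reports the verdicts found in the Received-SPF, Authentication-Results and X-Spam-Status headers. The sample message is constructed, and it is an assumption that the server's filter writes an X-Spam-Status header listing SpamAssassin's SPF_* rule names.

```python
import re
from email import message_from_string

# Constructed sample message (not from the thread); names and IPs are documentation values.
SAMPLE = """\
Received-SPF: pass (mx.example.net: domain of me@example.co.uk designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
Authentication-Results: mx.example.net;
       spf=pass (mx.example.net: domain of me@example.co.uk designates 192.0.2.10 as permitted sender) smtp.mailfrom=me@example.co.uk
X-Spam-Status: No, score=-0.1 required=5.0 tests=HTML_MESSAGE,SPF_PASS
From: me@example.co.uk
Subject: test

body
"""

# Rule names scored by SpamAssassin's SPF plugin (envelope sender and HELO variants).
SA_SPF_RULE = re.compile(r"\bSPF_(?:HELO_)?(?:PASS|FAIL|SOFTFAIL|NEUTRAL|NONE)\b")
# The spf=<result> token inside an Authentication-Results header.
AUTH_SPF = re.compile(r"\bspf=([a-z]+)", re.I)

def spf_evidence(raw):
    """Return the SPF verdicts recorded in a raw message's headers, grouped by source."""
    msg = message_from_string(raw)
    found = {"received_spf": [], "auth_results": [], "spamassassin": []}
    for value in msg.get_all("Received-SPF", []):
        words = value.split()
        if words:  # the first word of Received-SPF is the result
            found["received_spf"].append(words[0].lower())
    for value in msg.get_all("Authentication-Results", []):
        found["auth_results"] += [m.lower() for m in AUTH_SPF.findall(value)]
    for value in msg.get_all("X-Spam-Status", []):  # folded headers are searched whole
        found["spamassassin"] += SA_SPF_RULE.findall(value)
    return found

def spf_was_checked(raw):
    """True if any header shows that some hop or filter evaluated SPF."""
    return any(spf_evidence(raw).values())

if __name__ == "__main__":
    print(spf_evidence(SAMPLE))
```

Run it against the raw source of a message received by the server under test; an empty result for every source means no hop recorded an SPF check in the headers.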

  • by John Lockwood,

    Level 6 (9,205 points)
    Servers Enterprise
    Aug 15, 2016 10:24 AM in response to Angus Fox

    Once you have SPF working you can move on to setting up DomainKeys.

    LOL.

  • by Angus Fox,

    Level 1 (112 points)
    Servers Enterprise
    Aug 15, 2016 10:39 AM in response to John Lockwood

    I have regressed to my email tech support career of 25 years ago.