1Mail::SpamAssassin::PluUgsienr::CSoPnFt(r3i)buted Perl DMoaciulm:e:nStpaatmiAosnsassin::Plugin::SPF(3)
2
3
4

NAME

6       Mail::SpamAssassin::Plugin::SPF - perform SPF verification tests
7

SYNOPSIS

9         loadplugin     Mail::SpamAssassin::Plugin::SPF
10

DESCRIPTION

12       This plugin checks a message against Sender Policy Framework (SPF)
13       records published by the domain owners in DNS to fight email address
14       forgery and make it easier to identify spams.
15
16       It's recommended to use MTA filter (pypolicyd-spf / spf-engine etc), so
17       this plugin can reuse the Received-SPF and/or Authentication-Results
18       header results as is.  Otherwise throughput could suffer, DNS lookups
19       done by this plugin are not asynchronous.  Those headers will also help
20       when SpamAssassin is not able to correctly detect EnvelopeFrom.
21

USER SETTINGS

23       welcomelist_from_spf user@example.com
24           Previously whitelist_from_spf which will work interchangeably until
25           4.1.
26
27           Works similarly to welcomelist_from, except that in addition to
28           matching a sender address, a check against the domain's SPF record
29           must pass.  The first parameter is an address to welcomelist, and
30           the second is a string to match the relay's rDNS.
31
32           Just like welcomelist_from, multiple addresses per line, separated
33           by spaces, are OK.  Multiple "welcomelist_from_spf" lines are also
34           OK.
35
36           The headers checked for welcomelist_from_spf addresses are the same
37           headers used for SPF checks (Envelope-From, Return-Path,
38           X-Envelope-From, etc).
39
40           Since this welcomelist requires an SPF check to be made, network
41           tests must be enabled. It is also required that your trust path be
42           correctly configured.  See the section on "trusted_networks" for
43           more info on trust paths.
44
45           e.g.
46
47             welcomelist_from_spf joe@example.com fred@example.com
48             welcomelist_from_spf *@example.com
49
50       def_welcomelist_from_spf user@example.com
51           Previously def_whitelist_from_spf which will work interchangeably
52           until 4.1.
53
54           Same as "welcomelist_from_spf", but used for the default
55           welcomelist entries in the SpamAssassin distribution.  The
56           welcomelist score is lower, because these are often targets for
57           spammer spoofing.
58
59       unwelcomelist_from_spf user@example.com
60           Previously unwhitelist_from_spf which will work interchangeably
61           until 4.1.
62
63           Used to remove a "welcomelist_from_spf" or
64           "def_welcomelist_from_spf" entry.  The specified email address has
65           to match exactly the address previously used.
66
67           Useful for removing undesired default entries from a distributed
68           configuration by a local or site-specific configuration or by
69           "user_prefs".
70

ADMINISTRATOR OPTIONS

72       spf_timeout n       (default: 5)
73           How many seconds to wait for an SPF query to complete, before
74           scanning continues without the SPF result. A numeric value is
75           optionally suffixed by a time unit (s, m, h, d, w, indicating
76           seconds (default), minutes, hours, days, weeks).
77
78       ignore_received_spf_header (0|1)   (default: 0)
79           By default, to avoid unnecessary DNS lookups, the plugin will try
80           to use the SPF results found in any "Received-SPF" headers it finds
81           in the message that could only have been added by an internal
82           relay.
83
84           Set this option to 1 to ignore any "Received-SPF" headers present
85           and to have the plugin perform the SPF check itself.
86
87           Note that unless the plugin finds an "identity=helo", or some
88           unsupported identity, it will assume that the result is a mfrom SPF
89           check result.  The only identities supported are "mfrom",
90           "mailfrom" and "helo".
91
92       use_newest_received_spf_header (0|1)    (default: 0)
93           By default, when using "Received-SPF" headers, the plugin will
94           attempt to use the oldest (bottom most) "Received-SPF" headers,
95           that were added by internal relays, that it can parse results from
96           since they are the most likely to be accurate.  This is done so
97           that if you have an incoming mail setup where one of your primary
98           MXes doesn't know about a secondary MX (or your MXes don't know
99           about some sort of forwarding relay that SA considers
100           trusted+internal) but SA is aware of the actual domain boundary
101           (internal_networks setting) SA will use the results that are most
102           accurate.
103
104           Use this option to start with the newest (top most) "Received-SPF"
105           headers, working downwards until results are successfully parsed.
106
107       has_check_for_spf_errors
108           Adds capability check for "if can()" for check_for_spf_permerror,
109           check_for_spf_temperror, check_for_spf_helo_permerror and
110           check_for_spf_helo_permerror
111
112       has_check_spf_skipped_noenvfrom
113           Adds capability check for "if can()" for
114           check_spf_skipped_noenvfrom
115
116           check_spf_skipped_noenvfrom
117               Checks if SPF checks have been skipped because EnvelopeFrom
118               cannot be determined.
119
120
121
122perl v5.36.0                      2023-01-21Mail::SpamAssassin::Plugin::SPF(3)
Impressum