Exchange 2010 Sender Policy Framework – Sender ID

Sender Policy Framework (SPF) is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain’s administrators.[1]

Sender Policy Framework is defined in IETF publication RFC 4408.

How Exchange Server does this:

Domain administrators publish sender policy framework (SPF) records on their DNS servers. SPF records identify authorized outbound e-mail servers. If an SPF record is configured on the sender’s DNS server, the Edge Transport server parses the SPF record and determines whether the IP address from which the message was received is authorized to send e-mail on behalf of the domain that’s specified in the message. For more information about what an SPF record contains and how to create an SPF record, see Sender ID.

Configuring sender ID filtering

http://technet.microsoft.com/en-us/library/dd639388
Sender ID filtering automatically checks the IP address of the sending MTA against the registered Sender Policy Framework (SPF) records in the Domain Name System (DNS). These records identify the authorized outbound e-mail servers that can legitimately send e-mail on behalf of a specified domain.

To use Sender ID filtering, you need to enable the feature and then configure the action for the setting.

To enable Sender ID filtering

  1. In the Forefront Protection 2010 for Exchange Server Administrator Console Policy Management tree view, expand Antispam, then click Configure.
  2. In the Antispam – Configure pane, in the Sender ID filter section, select the Enable sender ID filtering check box.

After you have enabled Sender ID filtering, you can configure the action FPE should take when a sender ID record does not contain the sending MTA’s IP address.

You have several options for dealing with messages that fail Sender ID verification:

  • Reject message—The message is rejected before being accepted into the Exchange organization.
  • Delete message—The message is deleted without issuing an NDR back to the sender.
  • Stamp header and continue processing—The message is stamped with the Sender ID header that indicates the status of the message and allowed to be processed further by FPE.

To configure the action for messages that fail Sender ID verification

  1. In the FPE Administrator Console Policy Management tree view, expand Antispam, and then click Configure.
  2. In the Sender ID Filtering section, select the action you would like FPE to take when a message fails sender ID verification, and then click Save at the top of the pane to save your setting.