SPF implementation for qmail


This is an SPF implementation for qmail.
SPF is something like a DNS based "reverse MX" system to designate permitted senders for mails depending on the domain name. The goal is to disallow sender address forgery.
The patch is entirely written using the qmail string and DNS functions, and thus completely integrated into qmail without external dependencies.
It can check incoming mails inside the SMTP daemon, add Received-SPF lines and optionally block undesired transfers. The check is performed at the envelope level.


patch against qmail-1.03: qmail-spf-rc5.patch

This patch is stable. It is still a release candidate because the final SPF draft isn't out yet (I consider it final when it gets an official RFC).

For more information about SPF, please see the project web site at
qmail is a small and secure MTA by D. J. Bernstein.

Drop me a note <> when you use it so I can keep track of the various versions/platforms this runs on. Thanks!


I suppose you are already familiar with qmail patching since a naked qmail is pretty useless these days (no authentication, filtering, ...).
Unpack the qmail-1.03.tar.gz archive using something like:  tar xvfz /path/to/qmail-1.03.tar.gz
Change into the directory and apply the patch using:  patch -p1 < /path/to/qmail-spf-<version>.patch
If you already had patches applied there will most likely be rejects, especially in the Makefile. I'm sorry I had to make so many changes. You'll have to apply them rejected changes by hand (or ask me).
After that you can go on with the usual procedure:
Adjust conf-*, make, make test, make setup, whatever you want.
Important: Please make sure that you also apply the qmail-bigdns patch or you will get random lookup failues.

The patch also includes a standalone SPF query tool called spfquery:
spfquery <sender-ip> <sender-helo/ehlo> <envelope-from> [<local rules>] [<guess rules>]

After patching qmail the man pages control.9 and qmail-smtpd.8 will give you a hint on how to configure qmail to use SPF.

You can create four configuration files in your control directory (usually /var/qmail/control):

Use this to turn on SPF checking. The default value is 0 (off).
You can specify a value between 0 and 6:
  • 0: Never do SPF lookups, don't create Received-SPF headers
  • 1: Only create Received-SPF headers, never block
  • 2: Use temporary errors when you have DNS lookup problems
  • 3: Reject mails when SPF resolves to fail (deny)
  • 4: Reject mails when SPF resolves to softfail
  • 5: Reject mails when SPF resolves to neutral
  • 6: Reject mails when SPF does not resolve to pass
Values bigger than 3 are strongly discouraged, you probably want to go with 2 or 3.
Important: This setting can be overridden using the environment variable SPFBEHAVIOR, e.g. from tcpserver rules.
Note: If RELAYCLIENT is set, SPF checks won't run at all.
(This also includes SMTP-AUTH and similar patches)
You can specify a line with local rules.
Local rules means: Rules that are executed before the real SPF rules for a domain would fail (fail, softfail, neutral).
They are also executed for domains that don't publish SPF entries.
I suggest adding
You can also add mechanisms to trust known mail servers like backup MX servers, though I suggest that you should at least also use tcprules (to modify SPFBEHAVIOR).
You can specify a line with guess rules.
Guess rules means: Rules that are used if the domain doesn't publish SPF rules.
The local spfrules are always executed afterwards.
I suggest adding  a/24 mx/24 ptr.
This isn't needed but generally gives good results (for spam filters scoring Received-SPF lines).
You can override the default SPF explanation if you want.
The explanation is the line returned to the SMTP sender when a mail is rejected at the SMTP level. You can use macro expansion.
If a domain specifies its own explanation it is going to be used instead.
The SMTP answer when rejecting mails will look like:
550 the expanded SPF explanation (#5.7.1)
If you want the macro expansion explained look at the SPF draft.

Other Versions

These are the older versions of my patch:


here you can find some other patches people sent me (that combine the patch with other available patches or apply on top of other patches).

Thanks to the PySPF author for the web site template and to Meng for SPF. :)

Valid XHTML 1.0! Valid CSS!