Man Linux: Main Page and Category List


       spfmilter - SPF mail filter module


       spfmilter  [--localpolicy|-l  spf-mechanisms]  [--trustedforwarders|-t]
       [--guess|-g spf-mechanisms]  [--fallback|-f  filename]  [--whitelist|-w
       filename]     [--recipientmx|-r]     [--explanation|-e     spf-message]
       [--markonly|-m]    [--user|-u     user]     [--pidfile|-p     filename]
       [--nodaemon|-X] [--debug|-d] socket


       Sendmail  includes  a  facility  for  plugging  in custom mail filters,
       called         milters.          It’s         documented          here:   Spfmilter   implements  the  Sender
       Policy Framework (SPF) as a milter, using either the libspf or  libspf2


       All  milters  take  a standardized socket argument, which specifies how
       they  communicate  with  sendmail.   This  will  look  something   like
       "unix:/var/run/spfmilter.sock"    for    a   unix-domain   socket,   or
       "inet:2525@localhost" for an internet-domain socket.  The  same  string
       gets used in the INPUT_MAIL_FILTER macro in

       In  addition  to  the  required  socket argument, there are a number of

       --localpolicy or -l
              Additional SPF mechanisms to apply before a  sender  site’s  own

       --trustedforwarders or -t
              Whether  to  check   This  is  basically
              equivalent to "-l".

       --guess or -g
              SPF mechanisms to use for any site  which  doesn’t  specify  SPF
              rules of its own.  Something like "+a/24 +mx/24 +ptr ~all" might
              be good.

       --fallback or -f
              A file of SPF mechanisms to use for specific  sites  that  don’t
              specify any SPF rules of their own.  The format for each line is
              a shell-style wildcard pattern (? and *), whitespace,  and  then
              the  SPF  mechanisms  to  use  on rule-less domains matching the
              pattern.  Hash mark  starts  a  comment,  and  blank  lines  are
              ignored.   The --guess option is equivalent to a --fallback file
              entry of "*".

       --whitelist or -w
              A file of IP addresses to always accept mail from.   This  could
              be  used  to  add  exceptions for sites that forward mail to you
              site but don’t do sender-rewriting.  The format for each line is
              a single decimal dotted-quad, with an optional /nn network width
              specifier appended.  Hash mark starts a comment, and blank lines
              are  ignored.   Note  that  this  currently  only works for IPv4
              addresses, not for IPv6.

       --recipientmx or -r
              Before doing the regular SPF check, this option  says  to  first
              check   if  the  sending  system  is  an  MX-secondary  for  the
              recipient.  If it is, then the regular SPF check is not done and
              the  message  gets  an  automatic "pass".  If there are multiple
              recipients, then this MX check gets done for each of them.   The
              assumption  here  is  that  your  MX-secondaries  are themselves
              running SPF and have already  done  the  real  check  when  they
              initially  received  the message.  Note: This build of spfmilter
              does not support this option because library limitations.

       --explanation or -e
              The explanation  message  that  gets  returned  in  mail  bounce
              messages.   If  a  site’s  SPF record has an "exp=" declaration,
              then that gets used; if the site doesn’t specify one, then  this
              gets  used.  And if you don’t specify this option then there’s a
              standard default message.

       --markonly or -m
              Normally spfmilter rejects mail that  fails  the  SPF  test  and
              accepts  other  mail,  adding  a  Received-SPF  header  with  an
              explanation.  This flag tells spfmilter to also accept mail that
              fails  the test, and add the Received-SPF header to that too.  A
              later layer of the mail delivery process, such as procmail,  can
              look for this header and handle the mail appropriately.

       --user or -u
              The  user  to switch to after starting up as root.  This is just
              for convenience, there is no need to start the program  as  root
              and if you want to switch users external to this program via su,
              that will work fine.

       --pidfile or -p
              Write the process i.d. to the specified file.

       --nodaemon or -X
              With this flag, spfmilter will not fork itself into a background
              process.  Normally it does fork itself.

       --debug or -d
              Turns  on  debugging  messages in the SPF library.  You probably
              want to use --nodaemon with this,  or  the  messages  might  get


       This  is  very abbreviated, intended mainly as a reminder for those who
       have worked with milters before.  If it’s your first milter, you should
       look   on  the  web  for  more  thorough  documentation.   Also,  these
       instructions are pretty specific  to  FreeBSD,  and  will  have  to  be
       adapted for other OSs.

       1)     Make  sure  your  sendmail  is  compiled with the MILTER option.
              (Starting with version 8.13 this is enabled  by  default.)   You
              can use this command to check:
                  sendmail -d0.1 -bt < /dev/null | grep MILTER
              If  you  don’t  see  MILTER in the compilation options, you will
              have to re-build sendmail.

       2)     Fetch, build, and install either libspf (
              or libspf2 (

       3)     Build   and   install  the  spfmilter  executable,  by  doing  a
              ’./configure ; make ; make install’.

       4)     Edit your and add a mail filter macro, for example:
                  INPUT_MAIL_FILTER(‘spfmilter’,‘S=unix:/var/run/spfmilter.sock, T=S:8m;R:8m’)
              Rebuild and install

       5)     Run spfmilter,  with  the  same  socket  argument  you  used  in
                  # spfmilter unix:/var/run/spfmilter.sock

       6)     Stop and re-start sendmail.

       7)     Look in /var/log/maillog for messages from spfmilter.

       8)     When  you’ve  verified  that  it’s  working,  add  lines to your
              /etc/rc.conf so it starts up at boot time:


       Copyright (c)2004 by Jef  Poskanzer  <>.   All  rights

                                  25 May 2004                     spfmilter(8)