NetSPF

NetSPF is a simple .NET SPF validation utility targeted to .NET Standard 2.0. NetSPF is intended to stand on it's own and can easily be integrated in to a SMTP tool chain, email filtering, or as an ad hoc testing utility. It has minimal dependencies and only requires a working internet connection for DNS queries.

NetSPF is published under the MIT License and is free to use, modify, and distribute.

Installation

NetSPF is available for install through NuGet, the .NET package manager.

Install using the Package Manager:
PM> Install-Package NetSPF
Install using the .NET CLI:
dotnet add package NetSPF

Usage

NetSPF provides the static class SpfResolver for access to validation. In keeping with convention SpfResolver uses the method CheckHost to initiate validation.

For example:

                            var ipAddress = IPAddress.Parse("11.22.33.44");
                            var result = await SpfResolver.CheckHost(ipAddress, "zz.com", "noreply@zz.com", "zz.com", "aa.com");

CheckHost returns a KeyValuePair<SpfResult, string> where string is an explanation or just the string representation of SpfResult.

CheckHost Parameters
Type Name Description
IPAddress Address The IP (v4 or v6) emitting the mail
String Domain The domain label from MAIL FROM or HELO
String Sender The full sender from MAIL FROM or HELO, e.g. noreply@domain.com
String HeloDomain The domain label from HELO or EHLO
String HostDomain The domain of the host performing the authentication
[SpfExpression] SpfExpressions (optional) SPF expressions to use if the sending domain doesn't provide SPF expressions in DNS
Possible Spf Results
Value Description
None Either no valid DNS lable was extracted from the SMTP data or no SPF records were retrieved from DNS
Neutral The ADMD explicitly states that it makes no assertion about the authorization status of the identity (IP)
Pass An explicit statement that client is authorized to use the domain in the given identity
Fail An explicit statement that the client is not authorized to use the domain in the given identity
SoftFail A weak assertion that the client is probably not authorized to use the domain in the given identity
TempError A transient error in validation. Usually DNS related
PermError Indicates that the domain's published records cannot be interpreted

CheckHost can optionally accept an array of custom SPF expressions to evaluate. For example, if evaluating email sent over an internal network that has no SPF records, custom SPF expressions can be supplied fo evaluation. The SpfExpression class is instantiated as SpfExpression(string domain, string spf, bool includeSubDomains). Keep in mind that the SPF statement in the expression must be syntactically valid.

For example:

                            var expressions = new SpfExpression[] { new SpfExpression("zz.com", "v=spf1 ip4:10.1.0.0/24 -all", true) };
                            var ipAddress = IPAddress.Parse("10.1.9.44");
                            var result = await SpfResolver.CheckHost(ipAddress, "zz.com", "noreply@zz.com", "zz.com", "aa.com", expressions);

Reporting Issues

Please report any issues in our GitHub repository.

About SPF

Sender Policy Framework (SPF) is an email authentication mechanism intended to prevent the forging of sender addresses. It provides a way for Administrative Management Domains (ADMDs) to explicity authorize the hosts (IP addresses) allowed to use their domain names. This authorization is published in DNS and a receiving system can use the published record to verify the authorization. SPF has been a proposed standard under RFC 7208 since 2014.

SPF records are a TXT DNS record. Within this record the IPs allowed to send mail from the domain are specified. Mail receivers will inspect the envelope sender of an email, query the domain of the sender for the SPF record, and then match the specified IPs to the emitter of the message to determine the SPF result. Typcially the envelope sender is derived from the MAIL FROM or HELO/EHLO SMTP commands or from the message's Return-Path header field.

SPF Record Anatomy
SPF records consist of a version statment (v=) and a collection of mechanisms and qualifiers.

SPF Mechanisms
Name Description
ALL Matches always; used for a default result like -all for all IPs not matched by prior mechanisms
A Matches if the domain name has an address record (A or AAAA) that can be resolved to the sender's address
IP4 Matches if the sender is in a given IPv4 address range
IP6 Matches if the sender is in a given IPv6 address range
MX Matches if the domain has a MX record resolving to the sender's address
PTR Matchs is the domain name for the client's address is in the given domain and that domain then resolves to the client's address. Use of this mechanism is discouraged
EXISTS Matches if the domain name resolves to and address
INCLUDE References the policy of another domain. Matches if that domain's policy passes. Processing of other mechanisms will continue of the included domain fails.
SPF Qualifiers
Name Description
+ A PASS result. This is optional, i.e. +a is the same as a
- A FAIL result
? A NEUTRAL result interpreted like NONE
~ A SOFTFAIL often used as a debugging aid between neutral and fail

About

NetSPF is developed and maintained by Dan Nielsen as an open source project of ReachMail, the easiest way to deliver email.