NetSPF is a simple .NET SPF validation utility targeted to .NET Standard 2.0. NetSPF is intended to stand on it's own and can easily be integrated in to a SMTP tool chain, email filtering, or as an ad hoc testing utility. It has minimal dependencies and only requires a working internet connection for DNS queries.
NetSPF is published under the MIT License and is free to use, modify, and distribute.
NetSPF is available for install through NuGet, the .NET package manager.
PM> Install-Package NetSPF
dotnet add package NetSPF
NetSPF provides the static class SpfResolver for access to validation. In keeping
with convention SpfResolver uses the method CheckHost to initiate
validation.
For example:
var ipAddress = IPAddress.Parse("11.22.33.44");
var result = await SpfResolver.CheckHost(ipAddress, "zz.com", "noreply@zz.com", "zz.com", "aa.com");
CheckHost returns a KeyValuePair<SpfResult, string> where string is an
explanation or just the string representation of SpfResult.
| Type | Name | Description |
|---|---|---|
IPAddress |
Address | The IP (v4 or v6) emitting the mail |
String |
Domain | The domain label from MAIL FROM or HELO |
String |
Sender | The full sender from MAIL FROM or HELO, e.g. noreply@domain.com |
String |
HeloDomain | The domain label from HELO or EHLO |
String |
HostDomain | The domain of the host performing the authentication |
[SpfExpression] |
SpfExpressions | (optional) SPF expressions to use if the sending domain doesn't provide SPF expressions in DNS |
| Value | Description |
|---|---|
| None | Either no valid DNS lable was extracted from the SMTP data or no SPF records were retrieved from DNS |
| Neutral | The ADMD explicitly states that it makes no assertion about the authorization status of the identity (IP) |
| Pass | An explicit statement that client is authorized to use the domain in the given identity |
| Fail | An explicit statement that the client is not authorized to use the domain in the given identity |
| SoftFail | A weak assertion that the client is probably not authorized to use the domain in the given identity |
| TempError | A transient error in validation. Usually DNS related |
| PermError | Indicates that the domain's published records cannot be interpreted |
CheckHost can optionally accept an array of custom SPF expressions to evaluate.
For example, if evaluating email sent over an internal network that has no SPF records, custom
SPF expressions can be supplied fo evaluation. The SpfExpression class is
instantiated as SpfExpression(string domain, string spf, bool includeSubDomains).
Keep in mind that the SPF statement in the expression must be syntactically valid.
For example:
var expressions = new SpfExpression[] { new SpfExpression("zz.com", "v=spf1 ip4:10.1.0.0/24 -all", true) };
var ipAddress = IPAddress.Parse("10.1.9.44");
var result = await SpfResolver.CheckHost(ipAddress, "zz.com", "noreply@zz.com", "zz.com", "aa.com", expressions);
Please report any issues in our GitHub repository.
Sender Policy Framework (SPF) is an email authentication mechanism intended to prevent the forging of sender addresses. It provides a way for Administrative Management Domains (ADMDs) to explicity authorize the hosts (IP addresses) allowed to use their domain names. This authorization is published in DNS and a receiving system can use the published record to verify the authorization. SPF has been a proposed standard under RFC 7208 since 2014.
SPF records are a TXT DNS record. Within this record the IPs allowed to send mail from the
domain are specified. Mail receivers will inspect the envelope sender of an email, query the
domain of the sender for the SPF record, and then match the specified IPs to the emitter of
the message to determine the SPF result. Typcially the envelope sender is derived from the
MAIL FROM or HELO/EHLO SMTP commands or from the message's
Return-Path header field.
SPF Record Anatomy
SPF records consist of a version statment (v=) and a collection
of mechanisms and qualifiers.
| Name | Description |
|---|---|
ALL |
Matches always; used for a default result like -all for all IPs not matched by prior mechanisms |
A |
Matches if the domain name has an address record (A or AAAA) that can be resolved to the sender's address |
IP4 |
Matches if the sender is in a given IPv4 address range |
IP6 |
Matches if the sender is in a given IPv6 address range |
MX |
Matches if the domain has a MX record resolving to the sender's address |
PTR |
Matchs is the domain name for the client's address is in the given domain and that domain then resolves to the client's address. Use of this mechanism is discouraged |
EXISTS |
Matches if the domain name resolves to and address |
INCLUDE |
References the policy of another domain. Matches if that domain's policy passes. Processing of other mechanisms will continue of the included domain fails. |
| Name | Description |
|---|---|
+ |
A PASS result. This is optional, i.e. +a is the same as a |
- |
A FAIL result |
? |
A NEUTRAL result interpreted like NONE |
~ |
A SOFTFAIL often used as a debugging aid between neutral and fail |
NetSPF is developed and maintained by Dan Nielsen as an open source project of ReachMail, the easiest way to deliver email.