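SPF is a good solution. Public mail servers generally publish a TXT record in their own domain's DNS.
For example, 163.com has "v=spf1 ip4:220.181.12.0/24 ip4:220.181.13.0/24 ip4:202.108.45.0/24 ip4:202.108.44.0/24 ip4:220.181.9.128/25 ?all". The addresses above are the IP addresses that 163.com declares may send mail as 163.com. Because control of the domain is in its own hands, others cannot forge it.
If the MTA has SPF support installed, then when receiving mail it can automatically look up the TXT record for the sender's domain and check whether the sender's IP address is within the SPF string.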
===================================================
r2007@www r2007 $ dig -t txt 163.com
; <<>> DiG 9.2.2 <<>> -t txt 163.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39627
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;163.com. IN TXT
;; ANSWER SECTION:
163.com. 18000 IN TXT "v=spf1 ip4:220.181.12.0/24 ip4:220.181.13.0/24 ip4:202.108.45.0/24 ip4:202.108.44.0/24 ip4:220.181.9.128/25 ?all"
;; AUTHORITY SECTION:
163.com. 18000 IN NS ns.nease.net.
163.com. 18000 IN NS ns3.nease.net.
;; ADDITIONAL SECTION:
ns.nease.net. 109074 IN A 202.106.185.75
ns3.nease.net. 109076 IN A 220.181.28.3
;; Query time: 14 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 8 11:26:23 2005
;; MSG SIZE rcvd: 226
=================================================