spfmilter(1)		    General Commands Manual		  spfmilter(1)

       spfmilter - SPF mail filter module

       spfmilter [--localpolicy|-l spf-mechanisms] [--trustedforwarders|-t]
       [--guess|-g spf-mechanisms] [--fallback|-f filename] [--whitelist|-w
       filename] [--recipientmx|-r] [--explanation|-e spf-message]
       [--markonly|-m] [--user|-u user] [--pidfile|-p filename]
       [--nodaemon|-X] [--debug|-d] socket

       Sendmail includes a facility for plugging in custom mail filters,
       called milters.  It's documented here:
       ter_api/  Spfmilter implements the Sender Policy Framework (SPF) as a
       milter, using either the libspf or libspf2 libraries.

       All milters take a standardized socket argument, which specifies how
       they communicate with sendmail.  This will look something like
       "unix:/var/run/spfmilter.sock" for a unix-domain socket, or
       "inet:2525@localhost" for an internet-domain socket.  The same string
       gets used in the INPUT_MAIL_FILTER macro in

       In addition to the required socket argument, there are a number of

       --localpolicy or -l
              Additional SPF mechanisms to apply before a sender site's own

       --trustedforwarders or -t
              Whether to check   This is basically
              equivalent to "-l".

       --guess or -g
              SPF mechanisms to use for any site which doesn't specify SPF
              rules of its own.  Something like "+a/24 +mx/24 +ptr ~all" might
              be good.

       --fallback or -f
              A file of SPF mechanisms to use for specific sites that don't
              specify any SPF rules of their own.  The format for each line is
              a shell-style wildcard pattern (? and *), whitespace, and then
              the SPF mechanisms to use on rule-less domains matching the
              pattern.  Hash mark starts a comment, and blank lines are
              ignored.  The --guess option is equivalent to a --fallback file
              entry of
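
An added example, not part of the original manual page or of spfmilter's own code: a small Python reader for the --fallback file format described above, which also reports patterns whose mechanisms contain all/+all. Matching case-insensitively, treating a hash mark anywhere on a line as a comment, and letting the first matching line win are assumptions; the sample entries are constructed.

```python
import re

def wildcard_to_regex(pattern):
    """Compile a pattern that uses only ? and *, the wildcards the page names."""
    body = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.compile(body + r"\Z", re.IGNORECASE)  # assumption: case-insensitive


def parse_fallback(text):
    """Return [(pattern, regex, mechanisms)] from --fallback file contents."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # hash mark starts a comment
        if not line:
            continue
        fields = line.split(None, 1)  # pattern, whitespace, mechanisms
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: pattern without mechanisms")
        entries.append((fields[0], wildcard_to_regex(fields[0]), fields[1]))
    return entries


def mechanisms_for(domain, entries):
    """Mechanisms of the first matching entry (assumed order), else None."""
    for _pattern, regex, mechanisms in entries:
        if regex.match(domain):
            return mechanisms
    return None


def pass_all_patterns(entries):
    """Patterns with all/+all, so any sender not matched earlier passes."""
    return [p for p, _rx, mech in entries if {"all", "+all"} & set(mech.split())]


# Constructed sample file contents, for illustration only.
SAMPLE = """\
# domains known to publish no SPF record
*.example.net      +a/24 +mx/24 ~all
mail?.example.org  +mx -all
legacy.example.com +all
"""

if __name__ == "__main__":
    table = parse_fallback(SAMPLE)
    print(mechanisms_for("mail1.example.org", table), pass_all_patterns(table))
```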

       --whitelist or -w
              A file of IP addresses to always accept mail from.  This could
              be used to add exceptions for sites that forward mail to your
              site but don't do sender-rewriting.  The format for each line is
              a single decimal dotted-quad, with an optional /nn network width
              specifier appended.  Hash mark starts a comment, and blank lines
              are ignored.  Note that this currently only works for IPv4
              addresses, not for IPv6.
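
Because every whitelisted address skips the SPF check, the file is worth linting before it is deployed. The following is an added example, not part of the original manual page or of spfmilter's own code: it parses the format described above and reports IPv6 entries, malformed entries and very wide networks. The MIN_PREFIX threshold and the treatment of a hash mark anywhere on a line as a comment are assumptions; the sample entries are constructed.

```python
import ipaddress
import re

# Dotted-quad with optional /nn, as the man page describes the format.
ENTRY_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")
MIN_PREFIX = 16  # assumption: local review threshold, not an spfmilter setting


def parse_whitelist(text):
    """Return (networks, problems) for the contents of a --whitelist file."""
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # hash mark starts a comment
        if not entry:
            continue  # blank or comment-only line
        if not ENTRY_RE.match(entry):
            kind = "IPv6 is not supported" if ":" in entry else "not a dotted-quad[/nn]"
            problems.append((lineno, entry, kind))
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError as exc:  # octet > 255, prefix > 32, ...
            problems.append((lineno, entry, str(exc)))
            continue
        if net.prefixlen < MIN_PREFIX:
            problems.append((lineno, entry, f"covers {net.num_addresses} addresses"))
        networks.append(net)
    return networks, problems


def is_whitelisted(ip, networks):
    """True if ip falls inside any parsed whitelist network."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in networks)


# Constructed sample file contents, for illustration only.
SAMPLE = """\
# forwarders that do not rewrite senders
192.0.2.10
198.51.100.0/24   # partner relay range
2001:db8::1
10.0.0.0/8
203.0.113.300
"""

if __name__ == "__main__":
    nets, issues = parse_whitelist(SAMPLE)
    for lineno, entry, why in issues:
        print(f"line {lineno}: {entry}: {why}")
```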

       --recipientmx or -r
              Before doing the regular SPF check, this option says to first
              check if the sending system is an MX-secondary for the
              recipient.  If it is, then the regular SPF check is not done and
              the message gets an automatic "pass".  If there are multiple
              recipients, then this MX check gets done for each of them.  The
              assumption here is that your MX-secondaries are themselves
              running SPF and have already done the real check when they
              initially received the message.

       --explanation or -e
              The explanation message that gets returned in mail bounce
              messages.  If a site's SPF record has an "exp=" declaration,
              then that gets used; if the site doesn't specify one, then this
              gets used.  And if you don't specify this option then there's a
              standard default message.

       --markonly or -m
              Normally spfmilter rejects mail that fails the SPF test and
              accepts other mail, adding a Received-SPF header with an
              explanation.  This flag tells spfmilter to also accept mail that
              fails the test, and add the Received-SPF header to that too.  A
              later layer of the mail delivery process, such as procmail, can
              look for this header and handle the mail appropriately.

       --user or -u
              The user to switch to after starting up as root.  This is just
              for convenience; there is no need to start the program as root,
              and if you want to switch users external to this program via su,
              that will work fine.

       --pidfile or -p
              Write the process i.d. to the specified file.

       --nodaemon or -X
              With this flag, spfmilter will not fork itself into a background
              process.  Normally it does fork itself.

       --debug or -d
              Turns on debugging messages in the SPF library.  You probably
              want to use --nodaemon with this, or the messages might get

       This is very abbreviated, intended mainly as a reminder for those who
       have worked with milters before.  If it's your first milter, you should
       look on the web for more thorough documentation.  Also, these
       instructions are pretty specific to FreeBSD, and will have to be
       adapted for other OSs.

       1)     Make sure your sendmail is compiled with the MILTER option.
              (Starting with version 8.13 this is enabled by default.)  You
              can use this command to check:
                  sendmail -d0.1 -bt < /dev/null | grep MILTER
              If you don't see MILTER in the compilation options, you will
              have to re-build sendmail.

       2)     Fetch, build, and install either libspf (
              or libspf2 (

       3)     Build and install the spfmilter executable, by doing a
              './configure ; make ; make install'.

       4)     Edit your and add a mail filter macro, for example:
              Rebuild and install

       5)     Run spfmilter, with the same socket argument you used in send-
                  # spfmilter unix:/var/run/spfmilter.sock

       6)     Stop and re-start sendmail.

       7)     Look in /var/log/maillog for messages from spfmilter.

       8)     When you've verified that it's working, add lines to your
              /etc/rc.conf so it starts up at boot time:

       Copyright (C) 2004 by Jef Poskanzer <>.  All rights

				  25 May 2004			  spfmilter(1)

