Sender Policy Framework C implementation
The libspf-alt SPF implementation is a library that allows
email systems such as Exim and MS Exchange to check SPF records and make sure
that the email is authorized by the domain name that it is
coming from. This prevents email forgery, commonly used by
spammers, scammers and email viruses/worms.
Downloads
The complete libspf-alt source code can be downloaded at:
You can also browse the source trees at:
libspf_alt-0.3
libspf_alt-0.4.0
Sketchy install instructions are
included with the tar balls.
Libspf-alt Documentation
The documentation for libspf-alt is still a little
sparse. The library API is documented with both an API overview and in
the spf.h
include file. There is also an example
program that uses libspf-alt.
Why use libspf-alt?
Libspf-alt is a complete, ground-up rewritten "second
generation" implementation. I started my first C
implementation back in December of 2003, but it was ugly
and I didn't get very far. Using what I learned from
writing my first SPF implementation, plus what I learned
by studying the perl and libspf implementations and the
SPF test suite, I
decided to try writing a new one, and it all just kind
of fell in place nicely.
Libspf2 is designed to be secure, correct, portable,
flexible, and fast (in that order). A great deal of
effort has been put into the design and testing of
libspf-alt. It is, to the best of my knowledge, the
most feature complete, bug free and standard compliant
implementation available. Unlike most other developers
of SPF implementations, my extensive work on the SPF test
suite has given me a broad understanding of the state of
art of SPF implementations.
| libspf-alt v0.4 | 09 Apr 2004 | |
Version 0.4 makes a lot of strides toward a stable v1.0 release
The major highlights of this release are:
-
IPv6 bug fixes. I think IPv6 may actually be pretty
functional now. Thanks to David Woodhouse <dwmw2
<at> infradead.org> for the help with this.
-
libspf-alt has now been fairly heavily tested for being
thread-safe. It turns out that it was actually the BIND resolver
library that was the biggest problem. BIND4 is not thread safe, but
libspf-alt now uses the res_ninit() and res_nquery() functions so
that it is thread-safe on BIND8. (I'm pretty sure the BIND9 usage
was always thread-safe.)
Thanks to Emmanuel Dreyfus <manu <at> netbsd.org>
-
Libspf-alt now has a SPF_result_helo() function to explicitly test
the HELO string, even if the MAIL FROM is not <>.
-
Libspf-alt now has a SPF_result_2mx() function to support domains
that have secondary MXes. This is equivalent to the
Mail::SPF::Query result2 functionality.
-
The libspf-alt configure script now has a --bind-with=DIR option to
let people use a different version of the bind than the default
installed with the system. This functionality was added by Emmanuel
Dreyfus <manu <at> netbsd.org>
-
There is now support for sending the error/warning/debug information
to syslong instead of stderr/stdout
-
There is now more documentation on the API.
-
There have been quite a few API changes with this release. I hate
doing this, but I'm trying to get both a clean, stable, and
functional API ready for the v1.0 release. I tried hard to think
ahead when I created the initial API, but hindsight beats foresight
every time.
Fortunately, most of the API changes are things that are either
pretty trival, or are things that are mostly used internally and few
if any applications have taken advantage of them.
-
There are now a couple of simple example programs included with the
distribution that should make it easier to figure out how to use the
libspf-alt API.
-
The code has been cleaned up enough so that it now compiles cleanly
with the gcc options "-W -Wall -Wmissing-prototypes
-Wwrite-strings". On many systems it also compiles cleanly with
-ansi/-std=c89/-std=c99, but there are too many problems with
include file incompatibilities to distribute that way.
These are basically the same flags that BIND9 uses.
-
More DoS checks and limits have been added.
|
|
| libspf-alt v0.3 | 26 Mar 2004 | |
Version 0.3 is mostly a bug-fix release.
The major highlights of this release are:
-
Most of the work was directed toward the new SPF test system and
making libspf-alt pass as many of the tests as practical.
-
Quite a bit of documentation was added to the include files. While
still far from production quality documentation, you should no
longer have to dig through lots of source code in order to figure
out what is going on.
-
IPv6 is not supported, making libspf-alt the first SPF
implementation to do so. Testing, however, has been limited.
-
A new 'zone' DNS layer has been created. This allows you to create
internal 'zone files' that will override or create fallbacks for
other domains that don't currently publish SPF records. Unlike the
perl M:S:Q 1.996 override/fallback options, the libspf-alt 'zone'
DNS layer can also create SPF explanation records or any other DNS
entry that you find useful.
-
The zone DNS layer can also be used for things like marking sections
of the rDNS tree as not resolvable, thus instantly returning the
results, instead of waiting for all those name servers to timeout.
-
The caching DNS layer has been made more useful in several ways.
-
The cache can now support more than 64k entries
-
The cache now has a small reclaim-list to reduce the cost of hash
collisions.
-
You can now set minimum Time To Live (TTL) values
- min_ttl
- The absolute minimum TTL value in all cases.
- err_ttl
- The minimum TTL value to use when there is a DNS error.
- txt_ttl
-
The minimum TTL value to use when a TXT query is done.
In the case of SPF, these are the SPF records and the
explanation records. This TTL value is used even when
no record is found, so domains that haven't set up SPF
records won't be constantly queried.
- rdns_ttl
- The minimum TTL value to use when looking up information
in the reverse DNS tree.
|
|
Old news can be found in the
archive.
|
![[SPF home]](../../images/protectedbyspf_07.png)