
Correctly configuring incoming SPF in Exim on Debian

The Debian documentation is sparse on how to correctly configure incoming SPF checks in the Debian Exim package.

It is sparse in the sense that it tells you what to install (spf-tools-perl) but it is not clear WHERE to put the very important macro. It only says:

This is provided via the macro CHECK_RCPT_SPF, set it to true.

Fine, but where!?

Answer: you should put this macro at the top of your configuration file (/etc/exim4/exim4.conf.template).

At least that is what I did, after trying out different places: I put it on line 23.

Next, you run:
update-exim4.conf
/etc/init.d/exim4 restart

And that’s it. I couldn’t find it anywhere so I put it here.

More on SPF

With this setting, Exim checks incoming mail against the sender domain's SPF record. Because the check was not in place on my server, spammers could tell my mailserver that they were sending mail on behalf of my own mailserver!

This is *not* what you want.

SPF best practices

When configuring this I also found I had a couple of mistakes in my SPF records.

server.j11g.com instead of *.j11g.com
  1. I had set an SPF record on a wildcard (*.j11g.com) subdomain. But this does not work properly. Specify the subdomain explicitly and configure the record on it.
  2. I was missing an MX record for the subdomain. Set this specifically as well.
  3. There was an IPv6 error in my SPF record. A semicolon (of course). There are lots of sites to test your SPF records. Here is a good one and another. They will point out errors.
  4. I use an include in my SPF record. I am still not sure where to put it, but it looks like the best practice is to put it before the IP addresses. Like so:

    v=spf1 mx include:spf.solcon.nl ip4:157.90.24.20 ip4:212.84.154.148 ip6:2001:9e0:8606:8f00::/56 ip6:2a01:4f8:1c1c:79a1::/56 -all
  5. I switched from ~all to -all, to drop all mail that does not comply with the SPF record.
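To make the evaluation concrete, here is an added example (not code from this post or from Exim/spf-tools-perl) that walks the record above the way a receiver does: a small SPF evaluator over a constructed, offline DNS table, covering the mx, ip4, ip6, include and all mechanisms and the ~all/-all qualifiers, and returning permerror for a syntax error such as the stray semicolon in an ip6 mechanism. The domain names and addresses in the DNS table are taken from the post; the spf.solcon.nl record content and bad.example are assumed.

```python
import ipaddress
import re

# Constructed offline stand-in for DNS lookups (example data, not live DNS).
DNS = {
    "j11g.com": {"TXT": "v=spf1 mx include:spf.solcon.nl ip4:157.90.24.20 "
                        "ip4:212.84.154.148 ip6:2001:9e0:8606:8f00::/56 "
                        "ip6:2a01:4f8:1c1c:79a1::/56 -all",
                 "MX": ["157.90.24.20"]},
    "spf.solcon.nl": {"TXT": "v=spf1 ip4:192.0.2.0/24 -all", "MX": []},  # assumed
    "bad.example": {"TXT": "v=spf1 ip6:2001:db8::/32; -all", "MX": []},  # semicolon bug
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, depth=0):
    """Evaluate the SPF record of `domain` for the connecting address `ip`.
    Returns pass/fail/softfail/neutral/none/permerror, like a receiver would."""
    record = DNS.get(domain, {}).get("TXT")
    if record is None:
        return "none"
    if depth > 10:                      # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if terms[0] != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        # A ';' is never valid inside a mechanism, so it fails this match.
        m = re.fullmatch(r"([+\-~?]?)(all|mx|ip4|ip6|include)(?::([^;\s]+))?", term)
        if m is None:
            return "permerror"
        qual, mech, arg = m.group(1) or "+", m.group(2), m.group(3)
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif mech == "mx":              # MX hosts resolved via the table above
            matched = ip in DNS.get(domain, {}).get("MX", [])
        elif mech == "include":         # include matches only on a "pass"
            matched = check_spf(arg, ip, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                    # no mechanism matched and no "all"
```

The address rejected in the telnet session below yields "fail" here because only the trailing -all matches it, which is the outcome the [SPF] 550 reflects.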

Tests

me@remoteserver:~# telnet server.j11g.com 25
Trying 157.90.24.20...
Connected to server.j11g.com.
Escape character is '^]'.
220 server.j11g.com ESMTP Exim 4.92 Sat, 22 Jul 2023 10:17:30 +0200
ehlo jan.com
250-server.j11g.com Hello remotemachine.test [77.72.*.*]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-CHUNKING
250-STARTTLS
250 HELP
MAIL FROM:info@posthistorie.nl
250 OK
RCPT TO:janvdberg@gmail.com
550 relay not permitted
RCPT TO: jan@server.j11g.com
550-[SPF] 77.72.150.187 is not allowed to send mail from posthistorie.nl. 
550 Please see http://www.openspf.org/Why?scope=mfrom;identity=info@posthistorie.nl;ip=77.72.*.*

The log on the server looks like this:

2023-07-22 10:18:03 H=remoteserver (jan.com) [77.72.*.*] F=<info@posthistorie.nl> rejected RCPT janvdberg@gmail.com: relay not permitted
2023-07-22 10:18:29 H=remoteserver (jan.com) [77.72.*.*] F=<info@posthistorie.nl> rejected RCPT jan@server.j11g.com: SPF check failed.

1 thought on “Correctly configuring incoming SPF in Exim on Debian”

  1. I found your article after looking for others with no solution and not knowing why after having enabled options for SPF it hadn’t worked but your solution did the trick. Thanks.
