SPF

check.spf the check module that verifies whether IP address of the client is authorized to send messages for domain in MAIL FROM address.

SPF statuses are mapped to maddy check actions in a way specified by *_action directives. By default, SPF failure results in the message being quarantined and errors (both permanent and temporary) cause message to be rejected. Authentication-Results field is generated irregardless of status.

DMARC override

It is recommended by the DMARC standard to don't fail delivery based solely on SPF policy and always check DMARC policy and take action based on it.

If enforce_early is no, check.spf module will not take any action on SPF policy failure if sender domain does have a DMARC record with 'quarantine' or 'reject' policy. Instead it will rely on DMARC support to take necesary actions using SPF results as an input.

Disabling enforce_early without enabling DMARC support will make SPF policies no-op and is considered insecure.

Configuration directives

check.spf {
    debug no
    enforce_early no
    fail_action quarantine
    softfail_action ignore
    permerr_action reject
    temperr_action reject
}

debug boolean

Default: global directive value

Enable verbose logging for check.spf.

enforce_early boolean

Default: no

Make policy decision on MAIL FROM stage (before the message body is received). This makes it impossible to apply DMARC override (see above).

none_action `reject` | `quarantine` | `ignore`

Default: ignore

Action to take when SPF policy evaluates to a 'none' result.

See https://tools.ietf.org/html/rfc7208#section-2.6 for meaning of SPF results.

neutral_action `reject` | `quarantine` | `ignore`

Default: ignore

Action to take when SPF policy evaluates to a 'neutral' result.

See https://tools.ietf.org/html/rfc7208#section-2.6 for meaning of SPF results.

fail_action `reject` | `quarantine` | `ignore`

Default: quarantine

Action to take when SPF policy evaluates to a 'fail' result.

softfail_action `reject` | `quarantine` | `ignore`

Default: ignore

Action to take when SPF policy evaluates to a 'softfail' result.

permerr_action `reject` | `quarantine` | `ignore`

Default: reject

Action to take when SPF policy evaluates to a 'permerror' result.

temperr_action `reject` | `quarantine` | `ignore`

Default: reject

Action to take when SPF policy evaluates to a 'temperror' result.

Frequently Asked Questions
Tutorials
Release builds
Multiple domains configuration
Upgrading from older maddy versions
Outbound delivery security
Docker
Reference manual
- Modules introduction
- Global configuration directives
- TLS configuration
- Automatic certificate management via ACME
- Endpoints configuration
- IMAP storage
  - IMAP filters
  - SQL-indexed storage
  - Blob storage
    - Filesystem
    - Amazon S3
- SMTP message routing (pipeline)
- SMTP targets
- SMTP checks
- SMTP modifiers
  - DKIM signing
  - Envelope sender / recipient rewriting
- Lookup tables (string translation)
- Authentication providers
- Configuration files syntax
Integration with software
Internals

SPF

DMARC override

Configuration directives

debug boolean

enforce_early boolean

none_action reject | quarantine | ignore

neutral_action reject | quarantine | ignore

fail_action reject | quarantine | ignore

softfail_action reject | quarantine | ignore

permerr_action reject | quarantine | ignore

temperr_action reject | quarantine | ignore

none_action `reject` | `quarantine` | `ignore`

neutral_action `reject` | `quarantine` | `ignore`

fail_action `reject` | `quarantine` | `ignore`

softfail_action `reject` | `quarantine` | `ignore`

permerr_action `reject` | `quarantine` | `ignore`

temperr_action `reject` | `quarantine` | `ignore`