Provided by: spfmilter_1.99+0.95-4ubuntu1_i386


       spfmilter - SPF mail filter module


       spfmilter  [--localpolicy|-l  spf-mechanisms]  [--trustedforwarders|-t]
       [--guess|-g spf-mechanisms]  [--fallback|-f  filename]  [--whitelist|-w
       filename]     [--recipientmx|-r]     [--explanation|-e     spf-message]
       [--markonly|-m]    [--user|-u     user]     [--pidfile|-p     filename]
       [--nodaemon|-X] [--debug|-d] socket


       Sendmail  includes  a  facility  for  plugging  in custom mail filters,
       called milters.  It’s documented here:  Spfmilter implements the Sender
       Policy Framework (SPF) as a milter, using either the libspf or  libspf2


       All  milters  take  a standardized socket argument, which specifies how
       they  communicate  with  sendmail.   This  will  look  something   like
       "unix:/var/run/spfmilter.sock"    for    a   unix-domain   socket,   or
       "inet:2525@localhost" for an internet-domain socket.  The  same  string
       gets used in the INPUT_MAIL_FILTER macro in

       In  addition  to  the  required  socket argument, there are a number of

       --localpolicy or -l
              Additional SPF mechanisms to apply before a  sender  site’s  own

       --trustedforwarders or -t
              Whether  to  check   This  is  basically
              equivalent to "-l".

       --guess or -g
              SPF mechanisms to use for any site  which  doesn’t  specify  SPF
              rules of its own.  Something like "+a/24 +mx/24 +ptr ~all" might
              be good.

       --fallback or -f
              A file of SPF mechanisms to use for specific  sites  that  don’t
              specify any SPF rules of their own.  The format for each line is
              a shell-style wildcard pattern (? and *), whitespace,  and  then
              the  SPF  mechanisms  to  use  on rule-less domains matching the
              pattern.  Hash mark  starts  a  comment,  and  blank  lines  are
              ignored.   The --guess option is equivalent to a --fallback file
              entry of "*".

       --whitelist or -w
              A file of IP addresses to always accept mail from.   This  could
              be  used  to  add  exceptions for sites that forward mail to your
              site but don’t do sender-rewriting.  The format for each line is
              a single decimal dotted-quad, with an optional /nn network width
              specifier appended.  Hash mark starts a comment, and blank lines
              are  ignored.   Note  that  this  currently  only works for IPv4
              addresses, not for IPv6.

       --recipientmx or -r
              Before doing the regular SPF check, this option  says  to  first
              check   if  the  sending  system  is  an  MX-secondary  for  the
              recipient.  If it is, then the regular SPF check is not done and
              the  message  gets  an  automatic "pass".  If there are multiple
              recipients, then this MX check gets done for each of them.   The
              assumption  here  is  that  your  MX-secondaries  are themselves
              running SPF and have already  done  the  real  check  when  they
              initially received the message.

       --explanation or -e
              The  explanation  message  that  gets  returned  in  mail bounce
              messages.  If a site’s SPF record  has  an  "exp="  declaration,
              then  that gets used; if the site doesn’t specify one, then this
              gets used.  And if you don’t specify this option then there’s  a
              standard default message.

       --markonly or -m
              Normally  spfmilter  rejects  mail  that  fails the SPF test and
              accepts  other  mail,  adding  a  Received-SPF  header  with  an
              explanation.  This flag tells spfmilter to also accept mail that
              fails the test, and add the Received-SPF header to that too.   A
              later  layer of the mail delivery process, such as procmail, can
              look for this header and handle the mail appropriately.

       --user or -u
              The user to switch to after starting up as root.  This  is  just
              for  convenience;  there is no need to start the program as root
              and if you want to switch users external to this program via su,
              that will work fine.

       --pidfile or -p
              Write the process ID to the specified file.

       --nodaemon or -X
              With this flag, spfmilter will not fork itself into a background
              process.  Normally it does fork itself.

       --debug or -d
              Turns on debugging messages in the SPF  library.   You  probably
              want  to  use  --nodaemon  with  this, or the messages might get
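
       A linter for the --whitelist and --fallback file formats described
       above, as an added example that is not part of spfmilter or its
       documentation.  The function names, the /24 review threshold and the
       sample file contents are assumptions made for the illustration; it goes
       slightly beyond the format rules by also flagging "+all", which passes
       every sender.

```python
import ipaddress
import re

# Mechanism names and qualifiers (+ - ~ ?) as defined by the SPF specification.
MECH = re.compile(r"^[+\-~?]?(all|include|a|mx|ptr|ip4|ip6|exists)([:/].*)?$", re.I)
QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")

def entries(text):
    """Yield (line_number, content) with '#' comments and blank lines dropped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield n, line

def lint_whitelist(text, min_width=24):
    """Return (networks, problems). min_width is a local review threshold."""
    nets, problems = [], []
    for n, line in entries(text):
        try:
            if not QUAD.match(line):  # also rejects IPv6 entries
                raise ValueError("not dotted-quad[/nn]")
            net = ipaddress.IPv4Network(line, strict=False)
        except ValueError as exc:  # octet or width out of range lands here too
            problems.append((n, str(exc)))
            continue
        if net.prefixlen < min_width:
            problems.append((n, f"/{net.prefixlen} always accepts {net.num_addresses} addresses"))
        nets.append(net)
    return nets, problems

def lint_fallback(text):
    """Return (rules, problems); each rule is (pattern, [mechanisms])."""
    rules, problems = [], []
    for n, line in entries(text):
        pattern, *mechs = line.split()
        if not mechs:
            problems.append((n, "pattern without mechanisms"))
            continue
        for m in mechs:
            if not MECH.match(m):
                problems.append((n, f"unknown mechanism {m!r}"))
            elif m.lower() in ("all", "+all"):
                problems.append((n, "+all passes every sender"))
        rules.append((pattern, mechs))
    return rules, problems

# Constructed sample files, not taken from a real deployment.
WHITELIST = "# forwarders\n192.0.2.25\n198.51.100.0/24  # partner relay\n10.0.0.0/8\n2001:db8::1\n"
FALLBACK = "*.example.org  +a/24 +mx/24 +ptr ~all\nlegacy.example  +mx +all\n*  ?al\n"
```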


       This is very abbreviated, intended mainly as a reminder for  those  who
       have  worked  with milters before.  If it’s your first time, you should
       look  on  the  web  for  more  thorough  documentation.   Also,   these
       instructions  are  pretty  specific  to  FreeBSD,  and  will have to be
       adapted for other OSs.

       1)     Make sure your sendmail is compiled with the MILTER option.  You
              can use this command to check:
                  sendmail -d0.1 -bt < /dev/null | grep MILTER
              If  you  don’t  see  MILTER in the compilation options, you will
              have to re-build sendmail.

       2)     Fetch, build, and install either libspf (
              or libspf2 (

       3)     Build   and   install  the  spfmilter  executable,  by  doing  a
              ’./configure ; make ; make install’.

       4)     Edit your and add a mail filter macro, for example:
                  INPUT_MAIL_FILTER(`spfmilter',`S=unix:/var/run/spfmilter.sock, T=S:4m;R:4m')
              Rebuild and install

       5)     Run spfmilter,  with  the  same  socket  argument  you  used  in
                  # spfmilter unix:/var/run/spfmilter.sock

       6)     Stop and re-start sendmail.

       7)     Look in /var/log/maillog for messages from spfmilter.

       8)     When  you’ve  verified  that  it’s  working,  add  lines to your
              /etc/rc.conf so it starts up at boot time:


       Copyright © 2004 by Jef Poskanzer <>.  All rights reserved.

                                  25 May 2004                     spfmilter(8)