A Sendmail patch for suppressing DSN messages based on SPF status

Author: WIDE antispam WG
Editor: Akihiro Sagawa
Created: Jun 6, 2006
Updated: Sep 1, 2006

Summary

This patch lets sendmail suppress error e-mail messages (Delivery Status Notification (DSN) messages) based on the results of Sender Policy Framework (SPF) checks.

Impact

In our environment, this patch reduced outgoing error messages by about 13 percent. (This is the ratio of suppressed error messages to all e-mail error events.)

How to suppress error messages

The original idea behind this patch was proposed by Kazu Yamamoto in "A Proposal for Deployment of SPF". The essence of the idea, as used by this patch, is not to send error messages when the sender domain of the original mail cannot be verified. For details, please read his proposal.

Implementation overview

When an e-mail message arrives from the network, this implementation gets the SPF status from the Authentication-Results header field. When the status is Fail or SoftFail, it marks the message as not needing a DSN message. Therefore, even if delivery of the message fails, a DSN message will not be sent to the original sender of the e-mail message. As a result, the forged sender won't receive bogus error messages. Of course, a DSN message destined for a non-forged sender is delivered as usual (e.g. when the sender domain doesn't have an SPF record or the SPF result is Pass).

Because the results are carried in e-mail headers, you can deploy this implementation in conjunction with other MX servers. Of course, you can also run both sid-milter and this implementation on the same host.
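The decision described above, as an added example in C that is not code from the patch: a header is honoured only when its first token names a host listed in the receiver map, and only spf=fail or spf=softfail suppresses the DSN. The header layout ("<host> [properties]; method=result; ..."), the names suppress_dsn, trusted_host and SAMPLE_MAP, and the sample header values are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for the spf_recv_hosts map (left column only). */
static const char *const SAMPLE_MAP[] = { "mxhost.example.com" };

/* Is the host that wrote the header one of our own SPF-checking receivers? */
static int trusted_host(const char *h, size_t len, const char *const *map, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strlen(map[i]) == len && strncasecmp(map[i], h, len) == 0)
            return 1;
    return 0;
}

/* Return 1 if the DSN should be suppressed for this Authentication-Results
 * value. Assumed layout: "<host> [properties]; method=result; ...". */
int suppress_dsn(const char *value, const char *const *map, size_t n)
{
    value += strspn(value, " \t");
    size_t hlen = strcspn(value, " \t;");
    if (hlen == 0 || !trusted_host(value, hlen, map, n))
        return 0;                       /* unknown writer: ignore this header */
    for (const char *p = value + hlen; *p != '\0'; p += strcspn(p, ";")) {
        p += strspn(p, "; \t");         /* skip to the start of the next field */
        if (strncasecmp(p, "spf=", 4) != 0)
            continue;
        const char *r = p + 4;
        size_t rlen = strcspn(r, " \t;(");
        return (rlen == 4 && strncasecmp(r, "fail", 4) == 0) ||
               (rlen == 8 && strncasecmp(r, "softfail", 8) == 0);
    }
    return 0;                           /* no SPF result: send the DSN as usual */
}

int main(void)
{
    /* Constructed header values, not captured traffic. */
    const char *samples[] = {
        "mxhost.example.com from=a@forged.example; spf=softfail",
        "mxhost.example.com from=b@legit.example; spf=pass",
        "other.example.net from=c@forged.example; spf=fail",
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-56s -> %s\n", samples[i],
               suppress_dsn(samples[i], SAMPLE_MAP, 1) ? "suppress DSN" : "send DSN");
    return 0;
}
```

The third sample shows why the receiver host map matters: a header written by a host outside the map is ignored, so the DSN is sent as usual.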

License

The same as Sendmail

Download

For sendmail 8.13.8
sm-dsn-supr-0.1.0-8.13.8.patch (Sep 1, 2006)

How to use

1. Apply the patch

Apply this implementation's patch to the sendmail source code.

$ cd /tmp
$ tar -xzf sendmail.8.13.8.tar.gz
$ cd sendmail-8.13.8
$ patch -p1 < sm-dsn-supr-0.1.0-8.13.8.patch

2. Add the build directive

Create devtools/Site/site.config.m4 and add the following build directive.

APPENDDEF(`confENVDEF', `-D_FFR_DSN_SUPR_WITH_SPF')

3. Compile and install

Compile the source files using the Build command.

$ ./Build

If compilation succeeds, install as the root user.

$ su
# ./Build install

4. Enable this feature and specify the host names used in the Authentication-Results header

You must specify the host name of the host which runs sid-milter. Add the following settings to sendmail.cf, and then list the host name in the file "/etc/mail/spf_recv_hosts".

O SPFRecieverHostMap=spf_recv_hosts_map
Kspf_recv_hosts_map hash -T<TMPF> /etc/mail/spf_recv_hosts

The /etc/mail/spf_recv_hosts file has two columns. The left column is the host name that will appear in the Authentication-Results header; you can put anything in the other column.

(Example)
mxhost.example.com         enabled

After creating the /etc/mail/spf_recv_hosts file, you must convert it to a db file using the makemap command.

$ makemap hash /etc/mail/spf_recv_hosts < /etc/mail/spf_recv_hosts

5. Check operation

After restarting sendmail, check the status by sending an e-mail to the host from a host for which SPF checks will fail.

If the check works properly, the following message should appear in syslog. (It is logged whether or not delivery of the message succeeds.)

Jun  1 14:37:30 mxhost sendmail[14747]: k4V5aZwf014744: clear DSN flags for suppressing (spf=softfail)

If the implementation cannot find the host name in the database map, it outputs the following message.

Jun 1 15:49:36 ripple sendmail[17197]: k4V6nSYK017194: SPF receiver host is not found (maybe map is not defined), ignore this header

OK, installation finished!

Bonus

You can tabulate error messages using contrib/est_dsn.pl.

(example)
$ ./est_dsn.pl /var/log/maillog
Total incoming messages: 5307
Total delivered messages: 4901
Estimated DSN messages: 3418
Actual DSN messages: 2906
Suppressed DSN messages: 512

Total incoming messages
    All incoming messages (excluding error messages)
Total delivered messages
    All messages that sendmail attempted to deliver
Estimated DSN messages
    Delivery failures (a DSN would be sent in this situation)
Actual DSN messages
    DSN messages actually sent
Suppressed DSN messages
    DSN messages suppressed by this implementation

Generally, "Estimated DSN messages" equals "Actual DSN messages" plus "Suppressed DSN messages". However, using the DSN feature (the NOTIFY parameter with NEVER) in an SMTP session also suppresses DSN messages, so the totals sometimes do not match. (With Sendmail >= 8.13.7 and DSN disabled in access_db, you can completely disable the DSN feature in SMTP sessions, so this case won't bother you.)

Request for comments!

I want your configuration examples, comments and suggestions. Please mail to sagawa+dsn_patch@sfc.wide.
(To avoid spam messages, parts of the addresses are omitted. Please append ad.jp to get the right addresses.)

History

Sep 1, 2006
Update a patch for Sendmail 8.13.8
Publish English version of this page.
Jul 13, 2006
Add note about using NOTIFY=NEVER in SMTP session.
Jun 16, 2006
Update a patch for Sendmail 8.13.7
Jun 6, 2006
Initial version for Sendmail 8.13.6.
Publish Japanese version of this page.

Copyright © 2006 WIDE Project. All rights reserved.