How do I verify an email address is real and in use using the Sender Policy Framework

Question

From what I've been reading the SPF can be used to validate email addresses by sending commands (rather than an actual email) such as HELO. I've managed to pick up a basic grasp of the policy but I can't get my head around how I'd go about solving the following problem:

I've got a number of email addresses attached to contacts in a CRM system and I'd like to find out if the email addresses are valid and still in use.

Currently we're using a REST Web Service (http://emailinspector.co.uk/) which returns "Ok" (if its ok... duh), "Bad" (if its not valid or not in use) or "Unknown". For Unknown, you are also provided some notes on why it came back with that, i.e. you are told if the Mailbox is full or if its a well known DEA.

I'd like to be able to program a script that can replicate this functionality and from what I've worked out it should use the Sender Policy Framework to do this? The problem is I don't know how I'd go about returning such precise information for "Unknown" email addresses.

Ideas and thoughts?

Answer 1

Actually SPF is just a text record, with some "hints" to let you know if an IP address or mail server is "allowed/Authorized" to send email for that domain. It doesn't tell you anything about an individual email address in that domain..

for example

    [doon@qix:~] host -t txt labratsoftware.com
       labratsoftware.com descriptive text "v=spf1 a -all"

The SPF record for one of my domains says that only the a record for the domain is authorized to send email for labratsoftware.com, and that if it doesn't come from that IP then it should be rejected (-all).

So the best you can do with SPF is tell that a received email came from an authorized host, and then use that information to help decide if you want to reject it or not.

The best way To test the validity of an email address you have, is to email it, and see if it bounces. You can use options like VERP (http://en.wikipedia.org/wiki/Variable_envelope_return_path) to automate the bounce handling. You can also try and connect to the MX records listed for the domain and try to deliver a message that way. Some Mail servers support verify (But most admins disable this to prevent information leakage). You can use RCPT TO to see if the server accepts it, but even if it does , you have no way of knowing if it will actually make it to their INBOX. My guess is that is what the API you are currently using is doing. And unknown are just ones that either don't answer, greylist, etc.