Are You Using SPF Records? 263
gravyface writes "I've been setting up proper Sender Policy Framework records for all my clients for past year or so, hoping to either maintain or improve their 'reputation' in the email universe. However, there's a lot of IT admins I speak with who either haven't heard of SPF records or haven't bothered setting them up. How many of you are using SPF records for your mail domains? Does it help? How many anti-spam vendors out there use SPF records as part of their 'scorecard'?"
No, and I won't (Score:1, Interesting)
SPF is harmful [woodhou.se].
yes (Score:5, Interesting)
it has cut down tremendously on the spam claiming to be from my domains.
any other benefit I am unaware of.
Re:I use them, but mainly for deniability (Score:4, Interesting)
And yet none of these solutions will actually do very much good at all. This was all hashed over several years ago. SPF, DomainKeys and so forth are little more than feel-good half-measures. If the sole reason you're using any of them is so that Google doesn't reject your email, then I think that's pretty much demonstrated the worthlessness of them.
Got it on Google's advice (Score:4, Interesting)
Four years ago, I got hit by a Joe-job, i.e. some spammer used my domain in the 'From' field. I deleted the thousands of resulting messages in the following days and then didn't think about it anymore.
Two years ago, I shut down my mail server and moved it to Google Apps. Basically it involves creating a Google Apps account which tells you to point your domain its MX (mail exchange) records to GMail. The second, optional, step was to add SPF records. I thought about the Joe-job. Since the GMail wizard is good and explains everything, I just executed that step. It's actually really simple.
Anyone else have this experience? I.e. creating SPF records was too easy to just skip it?
Some spam filters score on SPF (Score:3, Interesting)
Some spam filters score on SPF. So not having SPF increases chance of false positives for your legitimate mail when you don't have SPF. And since SPF is free and painless to implement (just few DNS records) I don't see any reason not to use it. Also not like it is something that much significant either.
Re:I use it (Score:3, Interesting)
Where is logic in that?
Two facts:
- you use SPF for own domains
- your shool's Zimbra installation scores mails from your domains as spam
Based on above facts how have you come to conclusion that SPF doesn't work in general? The fact that your school's Zimbra scores your mail as spam is just a single cases and most probably not related to SPF in general.
Have you looked at headers of these message marked as spam? Have you contacted the postmaster?
Nope (Score:5, Interesting)
I don't use them personally and we have very few customers at my current job that will request them.
I used to work for an anti-spam company and the request would come in from time to time to have SPF checking built into our appliances. As developers, we did see the benefit of it. But at the time, there was the SPF vs SenderID vs Domain Keys battle going on. Who would win out?
As it appears years later, no one really did.
The problem with the technology is adoption rates. Unfortunately, many of these technologies are not being adopted by the masses. I'm not saying its hurting you by having these in place, but it also might not be doing as much good as you think that it is.
Re:No, and I won't (Score:4, Interesting)
Actually, DKIM can be used to guarantee a sender. We're using DKIM here with ADSP. That is:
_adsp._domainkey TXT "DKIM=ALL"
tells a receiver that all emails from our domains should be signed. Since the keys themselves are published in our DNS, a machine not under our control should not be able to send an email purporting to be from our domain.
I'm not sure but I would think that mechanism would make SPF irrelavent. Assuming antispam software actually checked the adsp dkim records.
Use SPF. (Score:1, Interesting)
If you aren't using SPF, you aren't doing your job. I've become merciless in my dealings with other sites who don't use SPF, or even worse publish incorrect SPF.
Re:No, and I won't (Score:3, Interesting)
His protest is without teeth. If he really objects to the concept of SPF, then he should publish an SPF record of "?ALL". That way, people will know he's just not being apathetic.
They help, but only slightly! (Score:2, Interesting)
Re:Yes. (Score:4, Interesting)
Re:No, and I won't (Score:4, Interesting)
How would that work with trusted partners who may send mail on your behalf? With SPF I can use an include:xxx to define relationships with other systems. With DKIM it seems I would need the partnered system to stamp the sent mail or relay off of our originating servers for DKIM attribute addition (something that might not always be possible). Is there an elegant workaround?
Comment removed (Score:5, Interesting)
Re:Anti-spam vendor's perspective (Score:3, Interesting)
Doing things like NOT white-listing your own domain work just as well as SPF or DKIM if you implement quarantining. When you put email handling rules into play like Junk or Spam boxes and allow a per user quarantine with personalized Bayesian settings you can really knock the junk down to virtually nothing.
I think the thing here to take into account is that things like DKIM and SPF are not major solutions to spam. They can help reduce a point or two on percentages depending on your overall configuration, but they are nowhere near global solutions within your enterprise.
Yes & Yes (Score:3, Interesting)
Yes, I use SPF to identify the MX's of three domains I own, and Yes I use SPF as one of the things SpamAssassin uses for identifying spam. Granted these domains are tiny in the grand scheme of things (one is for family, one for some shareware I wrote, and one for a non-profit my brother is involved in), but it definitely helps. I wrote a script that sends me monthly stats of spam, and here are the results for the last month:
sa score : 1 messages :299 :194 :235 :299 :477 :597
sa score : 2 messages
sa score : 3 messages
sa score : 4 messages
sa score : 5 messages
sa score : 6 messages
sa score > 10 messages : 31678
highest sa score = 57
total probable spam (sa score of 5 or more) : 32752
total spam blocked outright by sa : 37110
e-mail blocked via SPF : 3007
Unique IP's that passed SPF check : 1389
We only block spam if the SpamAssassin score is above 10, but we tag anything above 5 as spam so the end users can decide what to do with it. As far as SPF goes, in the last month over 3000 bogus e-mails were dropped due to SPF failures, and 1389 other e-mails that were accepted were approved in part because the domains had SPF records that passed the check.
Reduced Backscatter Significantly (Score:1, Interesting)
I didn't used to use SPF records for my domains. I always felt that it was a pretty half-assed way to prevent forged spam from my domain since it required the admins of other mail servers to enable SPF checking in the first place.
Then I started getting a ton of backscatter in my inbox. Just out of the blue, some spammer had decided to start using my domain name for cialis spam and next thing I know, my inbox is flooded with rejected messages bouncing back to me. I set up SPF as kind of a desperation play more than anything else and the backscatter disappeared almost overnight. I'm sure someone out there is still receiving spam which appears to be sent from my domain, but the volume of backscatter I'm getting isn't even a tenth of what it once was. SPF is good for something.
As postmaster for a large public university: (Score:1, Interesting)
...No, we do not use or publish SPF records in any way. Spamassassin assigns a score of zero to the SPF_PASS rule for incoming email.
Every 6-12 months or so, someone asks why. The reasons have not changed in the several years that I've been here:
* For a large, non-centralized research institution like ours, any SPF record we could conceivably come up with would have to be permissive to the point of rendering it useless. We have countless departments, nearly a hundred thousand users, and they all have their clients (both on and off campus) configured about a hundred different ways. Some relay through our servers, some through their ISPs (either by choice or due to a heavy-handed ISP filtering policy that restricts outbound SMTP on TCP/25 and/or TCP/587), some through departmental servers, some through sendmail running on their own workstations (damn you, CS faculty). The work necessary to construct, publish, and maintain an SPF record for our purposes has been deemed not worth the effort.
* SPF has been embraced widely by spammers, perhaps more so than legitimate institutions. This alone keeps us from assigning any stock to SPF records when making delivery decisions on our own incoming mail.
We have yet to encounter any notable issues getting our mail delivered to the "big boys" like Hotmail, Google, Yahoo, etc. based on our lack of SPF kool-aid consumption.
Re:No, and I won't (Score:4, Interesting)
While I can see the reason for your points, I don't agree with the conclusion.
The fact is that implementing SPF comes with a bigger responsibility to account for every machine your email might be sent from. No doubt this can be a big pain and imply compromise.
I have implemented SPF and for me the big downside is that OTHERS don't check it and pay attention to what I've implemented. I still get bounced email which the receiver SHOULD have ignored as forged because it failed SPF checks, but they didn't and bounced it to me anyway.
So my complaint is that being responsible hasn't bought me as much as it should have.
Re:Use DomainKeys.. (Score:3, Interesting)
I'll second that. Y! defers everybody, it's just a fact of life. But I send about 2 million emails a day to the big-5 and don't use DKIM. I hope we don't end up having to, b/c it sounds like a real PITA.
Re:yes (Score:3, Interesting)
> in whether or not a message is spam, then I can guarantee
> you that you're losing mail to false positives.
Yeah, that's not how you're supposed to do it. No SPF record means "I don't know whether this is a valid sender for this domain or not", so you fall back to whatever other method you have for making the determination.
Traditionally, the "other method" generally meant accepting everything and letting the users sort it out in the inbox, but there are other things you can do, such as looking at stuff like whether the EHLO domain matches the sending IP, whether the envelope sender matches either of them, whether the From field matches any of the above, whether any of our users have sent mail to this domain in the last N days, and so on and so forth, each of which criteria can be assigned a weight, which can be used to determine whether to accept the message immediately, graylist it (and for how long), subject it to more rigorous (but computationally intensive) regex-based filtering, check for it on collaboratively-maintained blacklists, etc.
And if the domain *has* SPF records and the sending IP isn't in them, you have your choice of greylisting with a lengthy delay, going straight to teargrube mode, or just sending a 554 response immediately. And you can take note of the IP address for future reference.
> I use greylisting as my chief anti-spam weapon, and it's
> far more reliable and far more effective than SPF.
Greylisting has problems too. Not least, it causes delays, which can run into multiple minutes. (In some situations, even a thirty-second delay will make the natives restless.) Additionally, if too many mail exchangers do greylisting, the spammers will just implement retries (it's not like it's hard; normal mail servers have been doing it forever). All of this doesn't mean greylisting isn't useful, but it's one tool in the toolbox, not the be-all and end-all. There are a lot of things a mail server can do to try to determine whether a message is spam. None of them individually is very reliable, but you don't have to do just one thing.
SPF vs. DKIM/DK (Score:3, Interesting)
I run a server farm somewhere between a /14 and a /17.
All authorized mail servers have SPF records. Ranges that clearly have no legitimate business sending email are clearly identified with XXX-XXX-XXX-XXX.dynamic.TLD and listed with SpamHaus's PBL.
No servers have DKIM/DK. The software to do so is opaque, testing is difficult to impossible, and the benefits over SPF are unclear at best, dubious at worst.
On about 1/3 of the servers, all Yahoo email is blocked out of hand due to the disgust and irritation of the server owner over Yahoo!'s blocking/delaying/spam problems. One server owner told me, "My mail TO them is blocked or delayed. But unless I use DKIM/DK, they won't tell me what the problem *is*. Since my own spam load is roughly 40% FROM yahoo!, screw 'em."
Yahoo!'s insistence on DKIM/DK is highly suspect in the cases, like mine, where a responsive, active abuse desk that will address a spam issue if it's from our clearly identifiable ARIN allocation is available.
For those customers that choose not to accept Yahoo email, we return an error message generally worded like so:
"We're sorry, but due to Yahoo! polices we strongly disagree with, we will not accept your email. Please use another email service that doesn't have it's head up it's ass."
It isn't phrased quite so bluntly, but the flavor is still there.
When I get complaints that Yahoo! won't take a customer's email, I tell them, "Yahoo! is a free service. Their customers are getting all they pay for. I'd like to help you, but frankly, I can't get them on the phone or to give a reasonable response via e-mail. Your best bet is to require a contact method that refuses or bypasses Yahoo!. They aren't in the business of giving their customers reliable email service."
Do I have problems? I'm sure I do. But since Yahoo! won't discuss them without jumping through their useless DKIM/DK hoops, I'll just ignore it and move on.
Re:No, and I won't (Score:3, Interesting)
We do something similar. Bad HELO/EHLO? Disconnected and blackholed for an hour. It then goes against three RBLs, Spamhaus being the most effective. For what we pay, it is by far the best value of the entire system. Anyway, anything matching that is blackholed for an hour. Then we check for spoofed addresses, then SPF records. After that, it's sent on to the anti-spam systems. We figured last that we block about 92% of all attempts to send messages, between dropped connections, rejections, and quarantines.
You ARE asking people to throw away your own email (Score:4, Interesting)
The thing is that due to forwarding and vanity servers, you ARE asking people down the wire (which you can't predict and have NO control over) to throw away mail you sent. When you send to a buddy's vanity domain (that you don't know is a vanity domain) and it forwards your email to their ISP or work account that does check SPF records, your mail gets ditched. And you usually won't get any notice, so your email just disappears.
Using SPF increases the likelihood of your email getting sent into the ether to not return.
The SPF folks themselves acknowledge this as an issue and recommend using SRS to combat it. Of course, since no one uses SRS, it's still an issue.
Re:Use DomainKeys.. (Score:2, Interesting)