Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Communications IT

Are You Using SPF Records? 263

gravyface writes "I've been setting up proper Sender Policy Framework records for all my clients for past year or so, hoping to either maintain or improve their 'reputation' in the email universe. However, there's a lot of IT admins I speak with who either haven't heard of SPF records or haven't bothered setting them up. How many of you are using SPF records for your mail domains? Does it help? How many anti-spam vendors out there use SPF records as part of their 'scorecard'?"
This discussion has been archived. No new comments can be posted.

Are You Using SPF Records?

Comments Filter:
  • by growse ( 928427 )
    Yes, I use an SPF for my domain. No I don't have any idea how effective it is, because my SPF record is used by other people. I haven't had any complaints about people not getting my mails.
    • Re:Yes. (Score:4, Interesting)

      by oatworm ( 969674 ) on Thursday December 17, 2009 @08:51PM (#30481944) Homepage
      Pretty much the same here - SPF records aren't particularly hard to implement, after all. On the receiving side, I just check for SPF failure (i.e. somebody e-mailing from somewhere other than the domain's SPF-registered mail server), and even those just get sent to users' junk mail folders. I'm certainly not bouncing anything because of them. Based on my mail server reports, it looks like the low SPF filtering is catching about 0.5% of the mail volume that flows my direction, which isn't much, but it's 0.5% less than I would be dealing with otherwise and was implemented "for free", so I'm not complaining.
    • I communicate with the homeless by thought projection. I like to let them know that they can come over for steak and beer any time they want. I think these thoughts vigorously every night. I have yet to hear any homeless person tell me they are not receiving my messages.
      • I communicate with the homeless by thought projection.

        Your mother is homeless, you insensitive clod!

  • I use them for all of my domains, but I can't really see that it makes the first bit of difference.
    • by Aladrin ( 926209 )


    • Re:I use them (Score:5, Interesting)

      by digitalchinky ( 650880 ) on Thursday December 17, 2009 @09:19PM (#30482214)

      Not just to add a 'me too' but I recently removed SPF completely - mostly because other people couldn't get their entries correct, or just completely failed to update it when they add in extra servers. Legitimate messages were hitting our spam folders. Since I can't train our fine worker drones to actually look in their spam, I opted just to remove it. With greylisting and spamassassin its removal hasn't made any noticeable difference aside from the false positives now being delivered properly.

  • yes (Score:5, Interesting)

    by zeldor ( 180716 ) on Thursday December 17, 2009 @08:17PM (#30481538)

    it has cut down tremendously on the spam claiming to be from my domains.
    any other benefit I am unaware of.

    • Re: (Score:3, Informative)

      If you're using a lack of SPF records as a determinant in whether or not a message is spam, then I can guarantee you that you're losing mail to false positives. Maybe that isn't a big deal to you, but for the organization I work for, it would be absolutely nuts. The chief reason I have SPF records for my domains is so that the big boys like hotmail.com and GMail don't reject my emails. I use greylisting as my chief anti-spam weapon, and it's far more reliable and far more effective than SPF.

      • Re: (Score:2, Informative)

        by JWSmythe ( 446288 )

        Folks who do a lot of mail find out the hard way that without SPF records, there are plenty of places that bounce them. I've had them on my domains for years.

        For my old network, where we got a huge amount of spam, we used both graylisting and our own custom blacklist. I didn't trust the blacklist providers, so we did rolling blacklists based on the amount of detected spam (with mailscanner and friends), which worked with the firewall. It set it's own firewall rules, so all t

      • by ls671 ( 1122017 ) *

        Agreed with both your post and the GP !

        I publish SPF records for all my domains for which I know *for sure* the IPs from which mail might be sent from and I take care of using the -all qualifier which is FAIL ( NOT SOFTFAIL which uses a tilde ). This is telling other mail servers using SPF to refuse the email when not coming from the published list of IPs.

        I barely take SPF into account to filter incoming email for basically the same reason you have mentioned.

        Oh, I do not use greylisting because having email

      • Re:yes (Score:5, Insightful)

        by Snover ( 469130 ) on Thursday December 17, 2009 @09:24PM (#30482252) Homepage

        Read again.

        Spammers can’t use his domain to forge spam, because SPF-aware mail servers reject it. Hence, he doesn’t have to deal with tons of bounces, spam warnings, virus warnings, etc..

      • by 2Bits ( 167227 )

        The chief reason I have SPF records for my domains is so that the big boys like hotmail.com and GMail don't reject my emails.

        I set up SPF records properly, hoping that mails from our domain are not blocked or bounced. It works a little bit, but my frustration has not reduced that much. Now, I don't care any more, the SPF records are still there, but that's all.

        The big boys are actually quite nice, and they do care about that. I got in touch with their admins, they did a verification (quite fast, I must s

      • Re: (Score:3, Interesting)

        by jonadab ( 583620 )
        > If you're using a lack of SPF records as a determinant
        > in whether or not a message is spam, then I can guarantee
        > you that you're losing mail to false positives.

        Yeah, that's not how you're supposed to do it. No SPF record means "I don't know whether this is a valid sender for this domain or not", so you fall back to whatever other method you have for making the determination.

        Traditionally, the "other method" generally meant accepting everything and letting the users sort it out in the inbox, bu
        • by JayAEU ( 33022 )

          Greylisting has problems too. Not least, it causes delays, which can run into multiple minutes.

          That's why I recommend no-listing. Basically you have the first and last MX record point to nowhere, which gets rid of lots of spammers not doing proper MX traversal and retries. The "real" MX entries are "hidden" in between the no-listing ones, priority-wise.

          For proper mail servers it's no slowdown at all, while spammers get shot down right off the bat.

  • Yes, and it's not very effective in the places that matter. My school has recently transitioned to Zimbra, which has been automatically sending anything from any of my domains into the Spam folder. (I also have DKIM set up, but that didn't help. As far as I know my IP isn't on any blacklists, so it should be getting through fine.... )

    • Re: (Score:3, Interesting)

      by kosmosik ( 654958 )

      Where is logic in that?

      Two facts:
      - you use SPF for own domains
      - your shool's Zimbra installation scores mails from your domains as spam

      Based on above facts how have you come to conclusion that SPF doesn't work in general? The fact that your school's Zimbra scores your mail as spam is just a single cases and most probably not related to SPF in general.

      Have you looked at headers of these message marked as spam? Have you contacted the postmaster?

      • I should have added that this is just my personal experience. I have looked at the headers, but they are gibberish to me that I can't find information on via Google (X-Spam-Track in particular). As far as contacting the postmaster, I received the helpful reply to have all recipients whitelist my domains in their filters.

  • My SPF records have gotten me un-blacklisted a few times, after I've pointed out that those machines in Brazil weren't authorized to send email from my domains. But I think DomainKeys, DKIM, etc. will make eventually make SPF unnecessary.
  • nope... (Score:5, Funny)

    by stokessd ( 89903 ) on Thursday December 17, 2009 @08:23PM (#30481608) Homepage

    It's winter so there isn't much sun or exposed flesh to worry about. My record for SPF is 50 when I'm bicycling in the noonday sun in the summer.


  • Yes (Score:3, Insightful)

    by S-100 ( 1295224 ) on Thursday December 17, 2009 @08:24PM (#30481624)
    Yes, I used SPF records on all the domains that I host that have email accounts. SPF records I believe have cut way down on backscatter. Before SPF, accounts would get dozens to hundreds of bounces when their email address was forged as the reply-to address in spam. Now the backscatter is almost completely gone.

    But I can tell that Hotmail still ignores SPF since almost all the backscatter that still comes through is from Hotmail. They should know better.

    Having valid SPF records also helps outgoing mail get through. I would frequently have to deal with large ISPs that would flag my mail or my domain as a spam source, based on their misinterpretation of forged headers. But since I have SPF records in place, this has not happened. I also check incoming SPF. If the SPF check fails, the mail is dumped. If SPF passes or there's no SPF, it goes through. Works great as one step in spam control.
    • Re: (Score:2, Informative)

      But I can tell that Hotmail still ignores SPF since almost all the backscatter that still comes through is from Hotmail. They should know better.

      I believe you, but really? Hotmail was THE reason I've implemented SPF for a few domains connected to sites that send alert emails to users. Nothing - from email confirmations to status update type stuff - was getting through to Hotmail accounts until I set up SPF. Some kind of Left Hand / Right Hand mess going on over there?

  • SPF has been around for at least a couple of years, but at least one very large hosting provider - hostgator.com - hasn't made it any easier to implement. They still require that you email them and request that they set it up for you.

    http://forums.hostgator.com/custom-mx-and-spf-records-t58820.html [hostgator.com]

  • by Uzik2 ( 679490 )
    and spamhaus put me on the pbl as well. (I don't send spam)
    • Re: (Score:3, Informative)

      Spamhaus didn't put you on the PBL, your ISP did. The PBL is made up of netblocks owned by ISPs who specifically don't want mail coming from those blocks. I use sbl-xbl instead of zen because the PBL has too many "false" positives.
  • by cerberusss ( 660701 ) on Thursday December 17, 2009 @08:28PM (#30481672) Homepage Journal

    Four years ago, I got hit by a Joe-job, i.e. some spammer used my domain in the 'From' field. I deleted the thousands of resulting messages in the following days and then didn't think about it anymore.

    Two years ago, I shut down my mail server and moved it to Google Apps. Basically it involves creating a Google Apps account which tells you to point your domain its MX (mail exchange) records to GMail. The second, optional, step was to add SPF records. I thought about the Joe-job. Since the GMail wizard is good and explains everything, I just executed that step. It's actually really simple.

    Anyone else have this experience? I.e. creating SPF records was too easy to just skip it?

  • by kosmosik ( 654958 ) <kos@kosmosikTEA.net minus caffeine> on Thursday December 17, 2009 @08:28PM (#30481684) Homepage

    Some spam filters score on SPF. So not having SPF increases chance of false positives for your legitimate mail when you don't have SPF. And since SPF is free and painless to implement (just few DNS records) I don't see any reason not to use it. Also not like it is something that much significant either.

    • I'm running SpamAssassin on Debian, pretty much in default settings (just set it up, training on the go). It checks SPF and scores a little for failures, no points for matching SPF or missing SPF.

      That's the few spams that get past greylisting... which in itself blocks about 90% of my spam before it even reaches me.

  • by ndogg ( 158021 ) <[moc.liamg] [ta] [nrohr.eht]> on Thursday December 17, 2009 @08:29PM (#30481692) Homepage Journal

    It's been, umm, a very long time since I've been to confession.

    It's true, I don't use SPF. I've at least got the TXT line in my DNS hosts file.

    But I'm using exim [exim.org], which only has experimental support [exim.org], and I'm too afraid to use something experimental like that.

    What should I do, server?

    • What should I do, server?

      Move to Postfix ;)

      On a completely off-topic, well...topic, I love the "#include" in your sig

  • by gujo-odori ( 473191 ) on Thursday December 17, 2009 @08:29PM (#30481694)

    I work for a major anti-spam vendor.

    Yes, SPF records are part of the mix at many anti-spam vendors.

    However, they aren't part of reputation. Reputation, to describe it simply and without giving away any secrets, is determined by the kind of mail a host or network emits. Whether it has SPF records and/or DKIM-signs its mail does not affect reputation; if you emit junk, your reputation will be junk.

    SPF and (moreso) DKIM have value in assessing whether a given mail is a forgery or not (think phishing and related scams). They are not weighted overly much, since people do foolish things like put their work email address into their webmail account all the time, and it causes FPs, for some value of false positive. That is, it's not an FP per se, but the mail is technically legit, so dropping it on the floor isn't the desired action.

    In short, don't expect having SPF and DKIM to improve your deliverability much, if at all. That's not where the value-add is. The value-add is helping to separate the sheep from the goats among mail that purports to be from your domain. If you want recipients to be able to (theoretically, since most of them don't/won't check) have greater confidence that a mail that claims to have come from your organization really did so, then yes, implement both SPF and DKIM.

    If you're an organization whose customers might be phishing targets, definitely do both. Orgs I've seen targeted for phishing include financial institutions of any size (even a single branch!), various government agencies, educational institutions (not just universities, either), BBB, auto clubs, World of Warcraft accounts, Vonage, Craig's List, all the free webmail providers. If it has a login, and anything a phisher could find to be of value (for practically any value of "value"), there will be phishing attempts.

    If your company is one of those - or even if it's not, really - I recommend both SPF and DKIM.

    • Re: (Score:3, Interesting)

      I agree. The only point at which SPF or DKIM comes into play is the last few percentage points of filtering and even then other measures can suffice. For instance, I use a Barracuda Spam Firewall and out of the box it catches probably 80% with no false positives. Train the Bayesian filter and pick up easily another 10%. For my use, I can do some TLD blocking without worry such as CN, BR, and RU to name a few and I pick up additional percentage points. A few Regex for things like Viagra and Rolex net me
    • by Shimmer ( 3036 )

      "people do foolish things like put their work email address into their webmail account"

      Why do webmail providers allow this? In fact, why would a webmail provider allow you to specify any "From:" address other than the user's actual webmail account?

    • if you emit junk, your reputation will be junk.Yeah, well how do you tell what is junk? I operate a 100% legitimate email list. ALL THE TIME, I get people who click "this is spam" in gmail or hotmail or yahoo. At least 2-5 every email list run. Why? My list isn't spam. It's just that people get tired of the emails, and they would rather not click on "unsubscribe" and instead click on "spam". They volunteered for the emails! And meanwhile yahoo/gmail/hotmail take this as a vote that my email list is

  • by Krondor ( 306666 ) on Thursday December 17, 2009 @08:30PM (#30481698) Homepage

    I use them, and what I've found is that they have a very marginal effect (if any) on spam catch rates on your inbound mail. However, they do have a great side benefit. They significantly reduce backscatter, keep yourself off of blacklists, and provide some control of you, your employer, or your client's identity on the web. SPF records provide a mechanism to limit who can spoof as you (as long as recipient servers adhere to them). If you have a risk to yourself or interested parties that someone might spoof your domain (banks!), then SPF provides a means to insure the chain of custody (to an extent).

    I do think overall SPF has helped to prevent forged domain letters, but those are less and less common (for those that publish spf). The spammers now either rely on forged domains without DKIM or SPF (why not use both!!) or they send from their own controlled botnet domains and publish legit SPF for themselves as well.

  • by bcrowell ( 177657 ) on Thursday December 17, 2009 @08:31PM (#30481724) Homepage

    DKIM (formerly known as Domain Keys) is more sophisticated and worth looking into in addition to SPF. I'm using an implementation called DKIMproxy, which runs as a daemon and is specifically designed to work with postfix. I've been fairly happy with it. What's helpful about it is that if I get mail from someone who implements DKIM, I can be sure that it's really from them, and likewise if I get joe-jobbed, I can convince the recipient that the spam wasn't actually from me. The biggest and best known users of DKIM are gmail and yahoo, but I'm seeing it used elsewhere as well. For example, I recently got spam from lulu.com, and the good news was that it was DKIM-signed, so I could be sure it wasn't a joe job.

    I understand what you mean about establishing a good reputation in terms of the email you send. Actually many of the big email providers have a policy of blacklisting all domains by default these days, and waiting for the domain operators to contact them and ask to be allowed to send mail to them. Both AOL and yahoo seem to do this. With yahoo, you can fill out a form to convince them you're not evil, and if the info on the form satisfies them, they stop blacklisting you. One of their criteria is that they're more likely to approve you if you implement DKIM. If you tell them you're using DKIM, then they won't accept mail from your domain that isn't DKIM-signed; this is to your advantage, because then their users won't be clicking on the spam button on mail that claims to be from you but isn't.

    • With yahoo, you can fill out a form to convince them you're not evil, and if the info on the form satisfies them, they stop blacklisting you.

      Your post advocates a
      technical (*) legislative ( ) market-based ( ) vigilante ( )
      solution... aaah, never mind.

  • Its not helpful in reducing SPAM unless or until every uses it. Why because you can't toss out mail from domains without SPF records you'd loose to much HAM. You can only uses it to detect and reject spoofs from domains with SPF.

    Its not good as an anti spoofing technique in general because there are lots of ways you could make it look like you were sending from the correct host. Possibly in conjunction with DNSSEC (something only being slowly adopted) and some enhancements to BGP you could get there buy

    • Sometimes you want to temporarily run your mail out a different IP or relay from another domain, and if you used SPF and your recipients have the dns record cached you are kinda screwed if you need to do anything in a hurry.

      You solve that issue by running your SPF DNS records with a TTL of about 2 hours (or maybe 4 hours). Even in the freak accident category, I'm hard pressed to come up with a situation where your primary mail server goes up in flames (or the outbound ISP goes up in flames) and you can'
      • "Katrina"

        Remember that huricane? Nocked lots of companies offline for more then 4 hours and people couldn't change an SPF record if they wanted to due to the evacuations. Another was Loma Prieta in 1991 during the World Series Game. San Francisco, CA 6.9 Earthquake with lots of damage. Another was the St. Helens Eruption in Washington. I could go on but I think you've got the message, which is Natural Disasters. These could affect large areas and result in SPF being absolutely useless because people simply

  • by Kevinv ( 21462 )

    I use it on all my domains, and check it on all inbound mail. I especially make sure i define no servers are valid for several domains I have that are web pages only, or use for throwaway e-mail addresses (i receive e-mail at that domain, never send from that domain.)

    I do support a domain hosted on google apps and setting it up for that ends up with a less firm ~all option that allows bogus senders to slip through.

    I can see SPF fails in my logs so it looks like many other domains are using it as well.

  • Nope (Score:5, Interesting)

    by menelaus ( 6949 ) on Thursday December 17, 2009 @08:36PM (#30481784) Homepage

    I don't use them personally and we have very few customers at my current job that will request them.

    I used to work for an anti-spam company and the request would come in from time to time to have SPF checking built into our appliances. As developers, we did see the benefit of it. But at the time, there was the SPF vs SenderID vs Domain Keys battle going on. Who would win out?

    As it appears years later, no one really did.

    The problem with the technology is adoption rates. Unfortunately, many of these technologies are not being adopted by the masses. I'm not saying its hurting you by having these in place, but it also might not be doing as much good as you think that it is.

    • Re: (Score:3, Informative)

      The problem with the technology is adoption rates. Unfortunately, many of these technologies are not being adopted by the masses. I'm not saying its hurting you by having these in place, but it also might not be doing as much good as you think that it is.

      A quick check of mail volume:

      151,000 messages checked in the log files that I looked at
      58,800 (39%) did not have SPF records ('none')

      So 61% of our inbound mail has SPF records that we can test. That is a pretty decent rate of adoption. (Note that
  • I also use SPF records for all my domains, most are simply: "v=spf1 a mx -all". "-all" as in hard fail. I don't know why there is a soft fail "~all" option, if it's not from a known host / IP, it should fail. What's the point in returning an unknown response? Like as if there was no SPF record in the first place? It's amazing how many domains actually use soft fail. Anyone know why? They only help stop backscatter and other IPs from sending emails from @youdomain.com as long as the other mail server does
    • The point of the ~all was so that you could start testing the waters.

      We ran with ~all for a few years, but have recently switched everything over to -all.

      So far, I've seen only 1 or 2 false positives where the SPF check failed - even when sent from our own mail servers. I'm guessing that the destination mail server had DNS troubles when it tested our message.

      We've also started 5xx (rejecting) at SMTP time if the inbound message fails its SPF check. SPF has been around for long enough at this point,
  • In the summer I like to use SPF-15 or higher. In the winter it's pretty cloudy around here, so I don't bother.

  • by bziman ( 223162 ) on Thursday December 17, 2009 @09:10PM (#30482116) Homepage Journal

    SPF is great. It's one of the technical means of making sure that the IP address that is trying to send you a message is authorized to use the sender that it claims to be from. That means you can automatically reject spam that claims to be from any of the big mailers.

    One common problem right now, is misconfigured mail servers. An e-mail admin configures the SPF entry in DNS, and then forgets about it. Then they change their IP address, or they outsource their e-mail to a third party, and suddenly, SPF is saying that all of their legit mail is not legit. The other problem is when a company has (for example) an order fulfillment system that generates its own e-mails, instead of routing them through the proper mail server. If that system isn't identified in the SPF entry, those messages can be rejected.

    Another "problem" is when organizations send messages on behalf of other individuals or organizations (like the legit message that avon.com tried to send me this morning that was being generated by filltek.com, but without the permission of avon.com's SPF entry). I put "problem" in quotes, because really, third party messaging services should not forge the From line of the message.

    On the other hand, it's great, in that it blocks all those stupid e-cards, because they claim to be from your.friend@gmail.com, when really they're being sent by stupid-e-card.com.

    The biggest problem is dealing with "forwarding" services, like your @acm.org e-mail address. On my server, I have to keep a list of domains that "bypass" SPF checks, because any message sent to a forwarded address is going to arrive at your mail server from the forwarded (i.e. mail.acm.org), but it's going to have the header information associated with the original message. OpenSPF.org talks about some ways to deal with this, but I haven't look at it in a while.

    Since SPF is still not universally accepted, it has a "soft fail" option that you can use for testing, until you're sure that it works the way you want it to. It's not the be-all-and-end-all, but it is a useful piece of the puzzle.

  • I have strict "-all" SPF records on all my web sites. But I still get mail bounces from joe-jobs that the recipient host should have rejected during the SMTP session from the spammer.

  • I work for an organisation that has a private email system (private as in hardware, network lines). SPF works fine on that, though is also redundant. However, the network is accessible to other networks (ie the internet, as in, people can send mail to regular mail addresses, and vice versa), and SPF breaks here.

    Due to the jump to the network, the "sender" is always the provider who handles said connectivity, where our area of the private network touches the internet. Thus we've had to completely disable S

  • Yes & Yes (Score:3, Interesting)

    by Iphtashu Fitz ( 263795 ) on Thursday December 17, 2009 @09:33PM (#30482336)

    Yes, I use SPF to identify the MX's of three domains I own, and Yes I use SPF as one of the things SpamAssassin uses for identifying spam. Granted these domains are tiny in the grand scheme of things (one is for family, one for some shareware I wrote, and one for a non-profit my brother is involved in), but it definitely helps. I wrote a script that sends me monthly stats of spam, and here are the results for the last month:

    sa score : 1 messages :299
    sa score : 2 messages :194
    sa score : 3 messages :235
    sa score : 4 messages :299
    sa score : 5 messages :477
    sa score : 6 messages :597
    sa score > 10 messages : 31678
    highest sa score = 57

    total probable spam (sa score of 5 or more) : 32752
    total spam blocked outright by sa : 37110

    e-mail blocked via SPF : 3007
    Unique IP's that passed SPF check : 1389

    We only block spam if the SpamAssassin score is above 10, but we tag anything above 5 as spam so the end users can decide what to do with it. As far as SPF goes, in the last month over 3000 bogus e-mails were dropped due to SPF failures, and 1389 other e-mails that were accepted were approved in part because the domains had SPF records that passed the check.

  • ...in conjunction with my DynDNS vanity domain. When I first set it up, there was a rush of backscatter, then it tapered off and went away, never to return.

    More recently I've started having problems of a different sort. I've been on a certain mailing list for over a year, though not posting very often. Last week I posted to a thread, and got an SPF violation notice from what looks like AOL in Australia, on behalf of someone with 2 apparent domains, neither of which is AOL. The violation notices seem to

  • I set it up and regret it. First, it broke things for one of my correspondents (at least this one — who bothered to tell me about it), who forwards all e-mails to his cell-phone. Because the messages are forwarded by his e-mail provider, but appear as if from me, his cell-phone service rejects them — because his e-mail provider is not listed in my SPF-record. So, he finds my messages in his mailbox, but is not alerted about them (as he is used to) by his phone...

    Then, it turned out, my SPF-rec

  • SPF serves multiple purposes for me.

    Why I add SPF records to our DNS servers:

    First and formost, it tells everyone who my mail senders are and that they should only accept mail from my users from those servers. Thats really all it does, but that results in the following things for me:
    My remote users always configure their outbound mail server as our gateway, rather than their own ISP or something like that, which means that all that mail piping through me means I can do all sorts of sanity checking on the s

  • We both publish and use SPF records. We publish them in an attempt to limit backscatter from joe-jobs, but that's not very successful. Nevertheless, I like the idea of being able to declare which machines are legitimately allowed to send mail for my domain.

    We also use SPF records, but in a careful way. We add lots of points for SPF "fail" results from certain domains like paypal.com, ebay.com, etc. We add a moderate number of points for SPF "fails" from domains not in that list. We subtract points fo

  • I use them for all the domains I manage (maybe about 200+ domains) and forged spam has disappeared since. It doesn't take that much time to set it up, so why not do it?

  • We use Postini, and postini handles the delivery of our mail. We have yet to have any organization block our mail while it is delivered by postini. It seems that most mail admins implicitly trust that postini's servers aren't spewing spam.

    As far as postini's position on using SPF to identify spam:

    Postini has investigated SPF and has decided not to implement it as a
    feature for inbound mail processing. Implementing SPF would add
    significant processing overhead without adding any appreciable
    effectiveness to t

  • ... in my last job, we had a lot of clients using Microsofts mail services. M$ gave you basically two choices: Implement SPF or have your mails delivered to the spam folder or refused. So, we made our DNS provider add SPF records and the problem was gone.


  • I'm "kinda" using it, in that yes, I setup an SPF record for my domain at work, but I'm not actively checking the SPF records of any incoming mail. I kinda question whether it's of any use at all. I set up our record because it seemed the wise thing to do, but honestly given how many domains don't have SPF records setup I'm not sure ANYONE is actively checking them for incoming mail. Without more usage the system is kinda useless.

  • The only times I've come across SPF servers it's been an employee at my company asking why they got an email from a foreign server 'warning' them that because _we_ don't use SPF there's something wrong with _our_ email system.

    1. If everyone isn't using it, it's not a standard.

    2. Soft-warnings to uneducated people result in busy-work for IT people. Worse yet, try explaining to a marketing person that no, in fact, OUR email system works fine, it's the remote guy's server that's got the issue.

    SPF is a good ide

  • for incoming mail to a college campus with 3,000 students, and I presume outgoing. Nobody complains. (I did have one complaint, and it was weird. Not at all related I don't think, but it was "My mail's not getting through.")


  • I use greylisting to reduce spam volume, and I whitelist outgoing mail servers for domains that a) have trouble with greylisting and b) publish SPF records. In other words, I use SPF given existing trust for a particular domain, but only if not relying on SPF causes problems. I thought I hadn't set up SPF records for my own (vanity) domains, but apparently I have... not that I particularly notice. It's just not a big deal.

  • SPF vs. DKIM/DK (Score:3, Interesting)

    by buss_error ( 142273 ) on Thursday December 17, 2009 @11:41PM (#30483294) Homepage Journal

    I run a server farm somewhere between a /14 and a /17.

    All authorized mail servers have SPF records. Ranges that clearly have no legitimate business sending email are clearly identified with XXX-XXX-XXX-XXX.dynamic.TLD and listed with SpamHaus's PBL.

    No servers have DKIM/DK. The software to do so is opaque, testing is difficult to impossible, and the benefits over SPF are unclear at best, dubious at worst.

    On about 1/3 of the servers, all Yahoo email is blocked out of hand due to the disgust and irritation of the server owner over Yahoo!'s blocking/delaying/spam problems. One server owner told me, "My mail TO them is blocked or delayed. But unless I use DKIM/DK, they won't tell me what the problem *is*. Since my own spam load is roughly 40% FROM yahoo!, screw 'em."

    Yahoo!'s insistence on DKIM/DK is highly suspect in the cases, like mine, where a responsive, active abuse desk that will address a spam issue if it's from our clearly identifiable ARIN allocation is available.

    For those customers that choose not to accept Yahoo email, we return an error message generally worded like so:

    "We're sorry, but due to Yahoo! polices we strongly disagree with, we will not accept your email. Please use another email service that doesn't have it's head up it's ass."

    It isn't phrased quite so bluntly, but the flavor is still there.

    When I get complaints that Yahoo! won't take a customer's email, I tell them, "Yahoo! is a free service. Their customers are getting all they pay for. I'd like to help you, but frankly, I can't get them on the phone or to give a reasonable response via e-mail. Your best bet is to require a contact method that refuses or bypasses Yahoo!. They aren't in the business of giving their customers reliable email service."

    Do I have problems? I'm sure I do. But since Yahoo! won't discuss them without jumping through their useless DKIM/DK hoops, I'll just ignore it and move on.

  • SPF is good stuff. (Score:3, Informative)

    by jafo ( 11982 ) on Thursday December 17, 2009 @11:42PM (#30483300) Homepage
    SPF is not an anti-spam measure, it's about preventing hijacking of domains. People often seem to say "but spammers publish SPF records", and that is true, but it doesn't mean that SPF is not effective.

    SPF allows me to publish information about what systems will legitimately send e-mail using that domain. It also allows me to act on that information published by other third parties.

    What this means is that I have to deal with dramatically less backscatter spam. Since implementing SPF, I have not woken up to find 100,000 messages in my box that were bounces or outraged replies to spam sent by someone else. Back in 1995 that exact issue happened to me, and to a lesser degree it happened regularly until SPF.

    There are, of course, some difficulties with SPF, but despite those I have chosen to use and advocate SPF.

    You do have to deal with legitimate third-parties sending mail from your domain. We use an outsourced accounting package and have had to include their servers in our SPF records. No big deal.

    As a recipient, if you have one account forwarding to another, and the destination account implements SPF, then you either need to white-list the forwarding machine(s), or you need to implement SRS there.

    DKIM and it's variants is, IMHO, useless because it only allows you to prove that e-mail came from an authorized sender for a domain, it does *NOT* allow you to tell if e-mail came from an UNAUTHORIZED system for a domain. You cannot use DKIM to tell if a sender address is forging the domain.

    So DKIM is *NOT* a "better SPF". They *ARE* compatible though. If you get a message claiming to be from a specific domain which fails the SPF check, you probably still want to allow it if it passes DKIM. I don't know of any mail programs that do that though. The unfortunate thing about this is that SPF-only can be implemented entirely at SMTP time (RECV FROM) where SPF+DKIM would have to be implemented after receiving the message (after DATA).

  • I currently use SPF, and am thinking about dropping it. It causes me a massive pain in my ass every time some dumbass with a misconfigured forwarder doesn't understand SPF or SRS, and tries to blame me for the fact that they can't receive email from me. There just aren't enough large sites sending SPF-enabled mail for misconfigured receiving sites to realize they're doin' it wrong.

  • and sign their emails with public keys. That way you can store their public keys on your system to verify it is a valid email.

    I really am not sure why PGP or GPG isn't added to Email servers to verify email. Most email clients work with them and if email clients and servers are modified to use PGP or GPG encryption to connect and send out messages and automatically sign them then the servers can verify the sender via the private key and passphrase and lock out the spammers and scammers. Anyone who does send

  • I have Dreamhost. They provide a copy and paste line for a DNS entry. See http://wiki.dreamhost.com/SPF [dreamhost.com]

    It's one of those things that won't be useful until just about everybody has implemented it. The way it works is by defining which IPs can send email purporting to be from a domain; if you receive an email "from" a yahoo address but coming from some cable modem, you can block it. And as long as not everyone has SPF, you can't just block emails that fail a SPF check...

    So yes - I do use it. But it's mostly a

  • ... the last 3 times we attempted to, we had too many recipients rejecting our e-mails due to broken forwards.

Any sufficiently advanced technology is indistinguishable from a rigged demo.