Are You Using SPF Records? 263
gravyface writes "I've been setting up proper Sender Policy Framework records for all my clients for past year or so, hoping to either maintain or improve their 'reputation' in the email universe. However, there's a lot of IT admins I speak with who either haven't heard of SPF records or haven't bothered setting them up. How many of you are using SPF records for your mail domains? Does it help? How many anti-spam vendors out there use SPF records as part of their 'scorecard'?"
Yes. (Score:2)
Re:Yes. (Score:4, Interesting)
Re: (Score:2)
Re: (Score:2)
Your mother is homeless, you insensitive clod!
I use them (Score:2)
Re: (Score:2)
Ditto.
Comment removed (Score:5, Interesting)
yes (Score:5, Interesting)
it has cut down tremendously on the spam claiming to be from my domains.
any other benefit I am unaware of.
Re: (Score:3, Informative)
If you're using a lack of SPF records as a determinant in whether or not a message is spam, then I can guarantee you that you're losing mail to false positives. Maybe that isn't a big deal to you, but for the organization I work for, it would be absolutely nuts. The chief reason I have SPF records for my domains is so that the big boys like hotmail.com and GMail don't reject my emails. I use greylisting as my chief anti-spam weapon, and it's far more reliable and far more effective than SPF.
Re: (Score:2, Informative)
Folks who do a lot of mail find out the hard way that without SPF records, there are plenty of places that bounce them. I've had them on my domains for years.
For my old network, where we got a huge amount of spam, we used both graylisting and our own custom blacklist. I didn't trust the blacklist providers, so we did rolling blacklists based on the amount of detected spam (with mailscanner and friends), which worked with the firewall. It set it's own firewall rules, so all t
Re: (Score:2)
Agreed with both your post and the GP !
I publish SPF records for all my domains for which I know *for sure* the IPs from which mail might be sent from and I take care of using the -all qualifier which is FAIL ( NOT SOFTFAIL which uses a tilde ). This is telling other mail servers using SPF to refuse the email when not coming from the published list of IPs.
I barely take SPF into account to filter incoming email for basically the same reason you have mentioned.
Oh, I do not use greylisting because having email
Re:yes (Score:5, Insightful)
Read again.
Spammers can’t use his domain to forge spam, because SPF-aware mail servers reject it. Hence, he doesn’t have to deal with tons of bounces, spam warnings, virus warnings, etc..
Re: (Score:2)
The chief reason I have SPF records for my domains is so that the big boys like hotmail.com and GMail don't reject my emails.
I set up SPF records properly, hoping that mails from our domain are not blocked or bounced. It works a little bit, but my frustration has not reduced that much. Now, I don't care any more, the SPF records are still there, but that's all.
The big boys are actually quite nice, and they do care about that. I got in touch with their admins, they did a verification (quite fast, I must s
Re: (Score:3, Interesting)
> in whether or not a message is spam, then I can guarantee
> you that you're losing mail to false positives.
Yeah, that's not how you're supposed to do it. No SPF record means "I don't know whether this is a valid sender for this domain or not", so you fall back to whatever other method you have for making the determination.
Traditionally, the "other method" generally meant accepting everything and letting the users sort it out in the inbox, bu
Re: (Score:2)
Greylisting has problems too. Not least, it causes delays, which can run into multiple minutes.
That's why I recommend no-listing. Basically you have the first and last MX record point to nowhere, which gets rid of lots of spammers not doing proper MX traversal and retries. The "real" MX entries are "hidden" in between the no-listing ones, priority-wise.
For proper mail servers it's no slowdown at all, while spammers get shot down right off the bat.
Re: (Score:2)
Well, I don't know about right now, but as of about 2 years ago any email I sent from my domain silently disappeared when sent to gmail and hotmail. It didn't even go into the users spam folder, just disappeared. Adding an SPF record fixed it. So maybe you're right, they don't "reject" the mail, they just ignore it.
I use it (Score:2)
Yes, and it's not very effective in the places that matter. My school has recently transitioned to Zimbra, which has been automatically sending anything from any of my domains into the Spam folder. (I also have DKIM set up, but that didn't help. As far as I know my IP isn't on any blacklists, so it should be getting through fine.... )
Re: (Score:3, Interesting)
Where is logic in that?
Two facts:
- you use SPF for own domains
- your shool's Zimbra installation scores mails from your domains as spam
Based on above facts how have you come to conclusion that SPF doesn't work in general? The fact that your school's Zimbra scores your mail as spam is just a single cases and most probably not related to SPF in general.
Have you looked at headers of these message marked as spam? Have you contacted the postmaster?
Re: (Score:2)
I should have added that this is just my personal experience. I have looked at the headers, but they are gibberish to me that I can't find information on via Google (X-Spam-Track in particular). As far as contacting the postmaster, I received the helpful reply to have all recipients whitelist my domains in their filters.
I use them, but mainly for deniability (Score:2, Insightful)
Re:I use them, but mainly for deniability (Score:4, Interesting)
And yet none of these solutions will actually do very much good at all. This was all hashed over several years ago. SPF, DomainKeys and so forth are little more than feel-good half-measures. If the sole reason you're using any of them is so that Google doesn't reject your email, then I think that's pretty much demonstrated the worthlessness of them.
Re: (Score:2)
nope... (Score:5, Funny)
It's winter so there isn't much sun or exposed flesh to worry about. My record for SPF is 50 when I'm bicycling in the noonday sun in the summer.
http://en.wikipedia.org/wiki/Sunscreen
Re: (Score:2)
Yes (Score:3, Insightful)
But I can tell that Hotmail still ignores SPF since almost all the backscatter that still comes through is from Hotmail. They should know better.
Having valid SPF records also helps outgoing mail get through. I would frequently have to deal with large ISPs that would flag my mail or my domain as a spam source, based on their misinterpretation of forged headers. But since I have SPF records in place, this has not happened. I also check incoming SPF. If the SPF check fails, the mail is dumped. If SPF passes or there's no SPF, it goes through. Works great as one step in spam control.
Re: (Score:2, Informative)
But I can tell that Hotmail still ignores SPF since almost all the backscatter that still comes through is from Hotmail. They should know better.
I believe you, but really? Hotmail was THE reason I've implemented SPF for a few domains connected to sites that send alert emails to users. Nothing - from email confirmations to status update type stuff - was getting through to Hotmail accounts until I set up SPF. Some kind of Left Hand / Right Hand mess going on over there?
Hosting Services don't make it easy... (Score:2)
SPF has been around for at least a couple of years, but at least one very large hosting provider - hostgator.com - hasn't made it any easier to implement. They still require that you email them and request that they set it up for you.
http://forums.hostgator.com/custom-mx-and-spf-records-t58820.html [hostgator.com]
no (Score:2)
Re: (Score:3, Informative)
Got it on Google's advice (Score:4, Interesting)
Four years ago, I got hit by a Joe-job, i.e. some spammer used my domain in the 'From' field. I deleted the thousands of resulting messages in the following days and then didn't think about it anymore.
Two years ago, I shut down my mail server and moved it to Google Apps. Basically it involves creating a Google Apps account which tells you to point your domain its MX (mail exchange) records to GMail. The second, optional, step was to add SPF records. I thought about the Joe-job. Since the GMail wizard is good and explains everything, I just executed that step. It's actually really simple.
Anyone else have this experience? I.e. creating SPF records was too easy to just skip it?
Some spam filters score on SPF (Score:3, Interesting)
Some spam filters score on SPF. So not having SPF increases chance of false positives for your legitimate mail when you don't have SPF. And since SPF is free and painless to implement (just few DNS records) I don't see any reason not to use it. Also not like it is something that much significant either.
Re: (Score:2)
I'm running SpamAssassin on Debian, pretty much in default settings (just set it up, training on the go). It checks SPF and scores a little for failures, no points for matching SPF or missing SPF.
That's the few spams that get past greylisting... which in itself blocks about 90% of my spam before it even reaches me.
Bless me server, for I have sinned (Score:3, Funny)
It's been, umm, a very long time since I've been to confession.
It's true, I don't use SPF. I've at least got the TXT line in my DNS hosts file.
But I'm using exim [exim.org], which only has experimental support [exim.org], and I'm too afraid to use something experimental like that.
What should I do, server?
Re: (Score:2)
What should I do, server?
Move to Postfix ;)
On a completely off-topic, well...topic, I love the "#include" in your sig
Anti-spam vendor's perspective (Score:4, Informative)
I work for a major anti-spam vendor.
Yes, SPF records are part of the mix at many anti-spam vendors.
However, they aren't part of reputation. Reputation, to describe it simply and without giving away any secrets, is determined by the kind of mail a host or network emits. Whether it has SPF records and/or DKIM-signs its mail does not affect reputation; if you emit junk, your reputation will be junk.
SPF and (moreso) DKIM have value in assessing whether a given mail is a forgery or not (think phishing and related scams). They are not weighted overly much, since people do foolish things like put their work email address into their webmail account all the time, and it causes FPs, for some value of false positive. That is, it's not an FP per se, but the mail is technically legit, so dropping it on the floor isn't the desired action.
In short, don't expect having SPF and DKIM to improve your deliverability much, if at all. That's not where the value-add is. The value-add is helping to separate the sheep from the goats among mail that purports to be from your domain. If you want recipients to be able to (theoretically, since most of them don't/won't check) have greater confidence that a mail that claims to have come from your organization really did so, then yes, implement both SPF and DKIM.
If you're an organization whose customers might be phishing targets, definitely do both. Orgs I've seen targeted for phishing include financial institutions of any size (even a single branch!), various government agencies, educational institutions (not just universities, either), BBB, auto clubs, World of Warcraft accounts, Vonage, Craig's List, all the free webmail providers. If it has a login, and anything a phisher could find to be of value (for practically any value of "value"), there will be phishing attempts.
If your company is one of those - or even if it's not, really - I recommend both SPF and DKIM.
Re: (Score:3, Interesting)
Re: (Score:2)
"people do foolish things like put their work email address into their webmail account"
Why do webmail providers allow this? In fact, why would a webmail provider allow you to specify any "From:" address other than the user's actual webmail account?
Re: (Score:2)
if you emit junk, your reputation will be junk.Yeah, well how do you tell what is junk? I operate a 100% legitimate email list. ALL THE TIME, I get people who click "this is spam" in gmail or hotmail or yahoo. At least 2-5 every email list run. Why? My list isn't spam. It's just that people get tired of the emails, and they would rather not click on "unsubscribe" and instead click on "spam". They volunteered for the emails! And meanwhile yahoo/gmail/hotmail take this as a vote that my email list is
Better for Sent Items then Received (Score:5, Informative)
I use them, and what I've found is that they have a very marginal effect (if any) on spam catch rates on your inbound mail. However, they do have a great side benefit. They significantly reduce backscatter, keep yourself off of blacklists, and provide some control of you, your employer, or your client's identity on the web. SPF records provide a mechanism to limit who can spoof as you (as long as recipient servers adhere to them). If you have a risk to yourself or interested parties that someone might spoof your domain (banks!), then SPF provides a means to insure the chain of custody (to an extent).
I do think overall SPF has helped to prevent forged domain letters, but those are less and less common (for those that publish spf). The spammers now either rely on forged domains without DKIM or SPF (why not use both!!) or they send from their own controlled botnet domains and publish legit SPF for themselves as well.
dkim; convincing individual mail providers (Score:3, Informative)
DKIM (formerly known as Domain Keys) is more sophisticated and worth looking into in addition to SPF. I'm using an implementation called DKIMproxy, which runs as a daemon and is specifically designed to work with postfix. I've been fairly happy with it. What's helpful about it is that if I get mail from someone who implements DKIM, I can be sure that it's really from them, and likewise if I get joe-jobbed, I can convince the recipient that the spam wasn't actually from me. The biggest and best known users of DKIM are gmail and yahoo, but I'm seeing it used elsewhere as well. For example, I recently got spam from lulu.com, and the good news was that it was DKIM-signed, so I could be sure it wasn't a joe job.
I understand what you mean about establishing a good reputation in terms of the email you send. Actually many of the big email providers have a policy of blacklisting all domains by default these days, and waiting for the domain operators to contact them and ask to be allowed to send mail to them. Both AOL and yahoo seem to do this. With yahoo, you can fill out a form to convince them you're not evil, and if the info on the form satisfies them, they stop blacklisting you. One of their criteria is that they're more likely to approve you if you implement DKIM. If you tell them you're using DKIM, then they won't accept mail from your domain that isn't DKIM-signed; this is to your advantage, because then their users won't be clicking on the spam button on mail that claims to be from you but isn't.
Re: (Score:2)
With yahoo, you can fill out a form to convince them you're not evil, and if the info on the form satisfies them, they stop blacklisting you.
Your post advocates a
technical (*) legislative ( ) market-based ( ) vigilante ( )
solution... aaah, never mind.
SPF is usless (Score:2)
Its not helpful in reducing SPAM unless or until every uses it. Why because you can't toss out mail from domains without SPF records you'd loose to much HAM. You can only uses it to detect and reject spoofs from domains with SPF.
Its not good as an anti spoofing technique in general because there are lots of ways you could make it look like you were sending from the correct host. Possibly in conjunction with DNSSEC (something only being slowly adopted) and some enhancements to BGP you could get there buy
Re: (Score:2)
You solve that issue by running your SPF DNS records with a TTL of about 2 hours (or maybe 4 hours). Even in the freak accident category, I'm hard pressed to come up with a situation where your primary mail server goes up in flames (or the outbound ISP goes up in flames) and you can'
One Word (Score:2)
"Katrina"
Remember that huricane? Nocked lots of companies offline for more then 4 hours and people couldn't change an SPF record if they wanted to due to the evacuations. Another was Loma Prieta in 1991 during the World Series Game. San Francisco, CA 6.9 Earthquake with lots of damage. Another was the St. Helens Eruption in Washington. I could go on but I think you've got the message, which is Natural Disasters. These could affect large areas and result in SPF being absolutely useless because people simply
Yes (Score:2)
I use it on all my domains, and check it on all inbound mail. I especially make sure i define no servers are valid for several domains I have that are web pages only, or use for throwaway e-mail addresses (i receive e-mail at that domain, never send from that domain.)
I do support a domain hosted on google apps and setting it up for that ends up with a less firm ~all option that allows bogus senders to slip through.
I can see SPF fails in my logs so it looks like many other domains are using it as well.
Nope (Score:5, Interesting)
I don't use them personally and we have very few customers at my current job that will request them.
I used to work for an anti-spam company and the request would come in from time to time to have SPF checking built into our appliances. As developers, we did see the benefit of it. But at the time, there was the SPF vs SenderID vs Domain Keys battle going on. Who would win out?
As it appears years later, no one really did.
The problem with the technology is adoption rates. Unfortunately, many of these technologies are not being adopted by the masses. I'm not saying its hurting you by having these in place, but it also might not be doing as much good as you think that it is.
Re: (Score:3, Informative)
A quick check of mail volume:
151,000 messages checked in the log files that I looked at
58,800 (39%) did not have SPF records ('none')
So 61% of our inbound mail has SPF records that we can test. That is a pretty decent rate of adoption. (Note that
They help, but only slightly! (Score:2, Interesting)
Re: (Score:2)
We ran with ~all for a few years, but have recently switched everything over to -all.
So far, I've seen only 1 or 2 false positives where the SPF check failed - even when sent from our own mail servers. I'm guessing that the destination mail server had DNS troubles when it tested our message.
We've also started 5xx (rejecting) at SMTP time if the inbound message fails its SPF check. SPF has been around for long enough at this point,
Sometimes, sometimes not (Score:2, Redundant)
In the summer I like to use SPF-15 or higher. In the winter it's pretty cloudy around here, so I don't bother.
Yes! Prevents forged Froms (Score:3, Informative)
SPF is great. It's one of the technical means of making sure that the IP address that is trying to send you a message is authorized to use the sender that it claims to be from. That means you can automatically reject spam that claims to be from any of the big mailers.
One common problem right now, is misconfigured mail servers. An e-mail admin configures the SPF entry in DNS, and then forgets about it. Then they change their IP address, or they outsource their e-mail to a third party, and suddenly, SPF is saying that all of their legit mail is not legit. The other problem is when a company has (for example) an order fulfillment system that generates its own e-mails, instead of routing them through the proper mail server. If that system isn't identified in the SPF entry, those messages can be rejected.
Another "problem" is when organizations send messages on behalf of other individuals or organizations (like the legit message that avon.com tried to send me this morning that was being generated by filltek.com, but without the permission of avon.com's SPF entry). I put "problem" in quotes, because really, third party messaging services should not forge the From line of the message.
On the other hand, it's great, in that it blocks all those stupid e-cards, because they claim to be from your.friend@gmail.com, when really they're being sent by stupid-e-card.com.
The biggest problem is dealing with "forwarding" services, like your @acm.org e-mail address. On my server, I have to keep a list of domains that "bypass" SPF checks, because any message sent to a forwarded address is going to arrive at your mail server from the forwarded (i.e. mail.acm.org), but it's going to have the header information associated with the original message. OpenSPF.org talks about some ways to deal with this, but I haven't look at it in a while.
Since SPF is still not universally accepted, it has a "soft fail" option that you can use for testing, until you're sure that it works the way you want it to. It's not the be-all-and-end-all, but it is a useful piece of the puzzle.
Now to get sites to read the SPF records. (Score:2)
I have strict "-all" SPF records on all my web sites. But I still get mail bounces from joe-jobs that the recipient host should have rejected during the SMTP session from the spammer.
It's caused us some problems. (Score:2)
I work for an organisation that has a private email system (private as in hardware, network lines). SPF works fine on that, though is also redundant. However, the network is accessible to other networks (ie the internet, as in, people can send mail to regular mail addresses, and vice versa), and SPF breaks here.
Due to the jump to the network, the "sender" is always the provider who handles said connectivity, where our area of the private network touches the internet. Thus we've had to completely disable S
Yes & Yes (Score:3, Interesting)
Yes, I use SPF to identify the MX's of three domains I own, and Yes I use SPF as one of the things SpamAssassin uses for identifying spam. Granted these domains are tiny in the grand scheme of things (one is for family, one for some shareware I wrote, and one for a non-profit my brother is involved in), but it definitely helps. I wrote a script that sends me monthly stats of spam, and here are the results for the last month:
sa score : 1 messages :299 :194 :235 :299 :477 :597
sa score : 2 messages
sa score : 3 messages
sa score : 4 messages
sa score : 5 messages
sa score : 6 messages
sa score > 10 messages : 31678
highest sa score = 57
total probable spam (sa score of 5 or more) : 32752
total spam blocked outright by sa : 37110
e-mail blocked via SPF : 3007
Unique IP's that passed SPF check : 1389
We only block spam if the SpamAssassin score is above 10, but we tag anything above 5 as spam so the end users can decide what to do with it. As far as SPF goes, in the last month over 3000 bogus e-mails were dropped due to SPF failures, and 1389 other e-mails that were accepted were approved in part because the domains had SPF records that passed the check.
I've been using SPF for several years... (Score:2)
...in conjunction with my DynDNS vanity domain. When I first set it up, there was a rush of backscatter, then it tapered off and went away, never to return.
More recently I've started having problems of a different sort. I've been on a certain mailing list for over a year, though not posting very often. Last week I posted to a thread, and got an SPF violation notice from what looks like AOL in Australia, on behalf of someone with 2 apparent domains, neither of which is AOL. The violation notices seem to
I set up SPF and regret doing so (Score:2)
I set it up and regret it. First, it broke things for one of my correspondents (at least this one — who bothered to tell me about it), who forwards all e-mails to his cell-phone. Because the messages are forwarded by his e-mail provider, but appear as if from me, his cell-phone service rejects them — because his e-mail provider is not listed in my SPF-record. So, he finds my messages in his mailbox, but is not alerted about them (as he is used to) by his phone...
Then, it turned out, my SPF-rec
Why/What I use SPF for ... (Score:2)
SPF serves multiple purposes for me.
Why I add SPF records to our DNS servers:
First and formost, it tells everyone who my mail senders are and that they should only accept mail from my users from those servers. Thats really all it does, but that results in the following things for me:
My remote users always configure their outbound mail server as our gateway, rather than their own ISP or something like that, which means that all that mail piping through me means I can do all sorts of sanity checking on the s
We publish and use SPF records (Score:2)
We both publish and use SPF records. We publish them in an attempt to limit backscatter from joe-jobs, but that's not very successful. Nevertheless, I like the idea of being able to declare which machines are legitimately allowed to send mail for my domain.
We also use SPF records, but in a careful way. We add lots of points for SPF "fail" results from certain domains like paypal.com, ebay.com, etc. We add a moderate number of points for SPF "fails" from domains not in that list. We subtract points fo
Yes and it helps (Score:2)
I use them for all the domains I manage (maybe about 200+ domains) and forged spam has disappeared since. It doesn't take that much time to set it up, so why not do it?
Re: (Score:2)
Only once ... (Score:2)
... in my last job, we had a lot of clients using Microsofts mail services. M$ gave you basically two choices: Implement SPF or have your mails delivered to the spam folder or refused. So, we made our DNS provider add SPF records and the problem was gone.
Tux2000
Kinda (Score:2)
I'm "kinda" using it, in that yes, I setup an SPF record for my domain at work, but I'm not actively checking the SPF records of any incoming mail. I kinda question whether it's of any use at all. I set up our record because it seemed the wise thing to do, but honestly given how many domains don't have SPF records setup I'm not sure ANYONE is actively checking them for incoming mail. Without more usage the system is kinda useless.
Screw SPF and the admins who use it (Score:2)
The only times I've come across SPF servers it's been an employee at my company asking why they got an email from a foreign server 'warning' them that because _we_ don't use SPF there's something wrong with _our_ email system.
1. If everyone isn't using it, it's not a standard.
2. Soft-warnings to uneducated people result in busy-work for IT people. Worse yet, try explaining to a marketing person that no, in fact, OUR email system works fine, it's the remote guy's server that's got the issue.
SPF is a good ide
We use sender-ID (Score:2)
for incoming mail to a college campus with 3,000 students, and I presume outgoing. Nobody complains. (I did have one complaint, and it was weird. Not at all related I don't think, but it was "My mail's not getting through.")
--Sam
a bit (Score:2)
I use greylisting to reduce spam volume, and I whitelist outgoing mail servers for domains that a) have trouble with greylisting and b) publish SPF records. In other words, I use SPF given existing trust for a particular domain, but only if not relying on SPF causes problems. I thought I hadn't set up SPF records for my own (vanity) domains, but apparently I have... not that I particularly notice. It's just not a big deal.
SPF vs. DKIM/DK (Score:3, Interesting)
I run a server farm somewhere between a /14 and a /17.
All authorized mail servers have SPF records. Ranges that clearly have no legitimate business sending email are clearly identified with XXX-XXX-XXX-XXX.dynamic.TLD and listed with SpamHaus's PBL.
No servers have DKIM/DK. The software to do so is opaque, testing is difficult to impossible, and the benefits over SPF are unclear at best, dubious at worst.
On about 1/3 of the servers, all Yahoo email is blocked out of hand due to the disgust and irritation of the server owner over Yahoo!'s blocking/delaying/spam problems. One server owner told me, "My mail TO them is blocked or delayed. But unless I use DKIM/DK, they won't tell me what the problem *is*. Since my own spam load is roughly 40% FROM yahoo!, screw 'em."
Yahoo!'s insistence on DKIM/DK is highly suspect in the cases, like mine, where a responsive, active abuse desk that will address a spam issue if it's from our clearly identifiable ARIN allocation is available.
For those customers that choose not to accept Yahoo email, we return an error message generally worded like so:
"We're sorry, but due to Yahoo! polices we strongly disagree with, we will not accept your email. Please use another email service that doesn't have it's head up it's ass."
It isn't phrased quite so bluntly, but the flavor is still there.
When I get complaints that Yahoo! won't take a customer's email, I tell them, "Yahoo! is a free service. Their customers are getting all they pay for. I'd like to help you, but frankly, I can't get them on the phone or to give a reasonable response via e-mail. Your best bet is to require a contact method that refuses or bypasses Yahoo!. They aren't in the business of giving their customers reliable email service."
Do I have problems? I'm sure I do. But since Yahoo! won't discuss them without jumping through their useless DKIM/DK hoops, I'll just ignore it and move on.
SPF is good stuff. (Score:3, Informative)
SPF allows me to publish information about what systems will legitimately send e-mail using that domain. It also allows me to act on that information published by other third parties.
What this means is that I have to deal with dramatically less backscatter spam. Since implementing SPF, I have not woken up to find 100,000 messages in my box that were bounces or outraged replies to spam sent by someone else. Back in 1995 that exact issue happened to me, and to a lesser degree it happened regularly until SPF.
There are, of course, some difficulties with SPF, but despite those I have chosen to use and advocate SPF.
You do have to deal with legitimate third-parties sending mail from your domain. We use an outsourced accounting package and have had to include their servers in our SPF records. No big deal.
As a recipient, if you have one account forwarding to another, and the destination account implements SPF, then you either need to white-list the forwarding machine(s), or you need to implement SRS there.
DKIM and it's variants is, IMHO, useless because it only allows you to prove that e-mail came from an authorized sender for a domain, it does *NOT* allow you to tell if e-mail came from an UNAUTHORIZED system for a domain. You cannot use DKIM to tell if a sender address is forging the domain.
So DKIM is *NOT* a "better SPF". They *ARE* compatible though. If you get a message claiming to be from a specific domain which fails the SPF check, you probably still want to allow it if it passes DKIM. I don't know of any mail programs that do that though. The unfortunate thing about this is that SPF-only can be implemented entirely at SMTP time (RECV FROM) where SPF+DKIM would have to be implemented after receiving the message (after DATA).
Sean
I am, but maybe not much longer... (Score:2)
I currently use SPF, and am thinking about dropping it. It causes me a massive pain in my ass every time some dumbass with a misconfigured forwarder doesn't understand SPF or SRS, and tries to blame me for the fact that they can't receive email from me. There just aren't enough large sites sending SPF-enabled mail for misconfigured receiving sites to realize they're doin' it wrong.
Just get everyone to use PGP or GPG (Score:2)
and sign their emails with public keys. That way you can store their public keys on your system to verify it is a valid email.
I really am not sure why PGP or GPG isn't added to Email servers to verify email. Most email clients work with them and if email clients and servers are modified to use PGP or GPG encryption to connect and send out messages and automatically sign them then the servers can verify the sender via the private key and passphrase and lock out the spammers and scammers. Anyone who does send
Yes, but no (Score:2)
I have Dreamhost. They provide a copy and paste line for a DNS entry. See http://wiki.dreamhost.com/SPF [dreamhost.com]
It's one of those things that won't be useful until just about everybody has implemented it. The way it works is by defining which IPs can send email purporting to be from a domain; if you receive an email "from" a yahoo address but coming from some cable modem, you can block it. And as long as not everyone has SPF, you can't just block emails that fail a SPF check...
So yes - I do use it. But it's mostly a
No, we don't use SPF (Score:2)
Re:No, and I won't (Score:5, Informative)
Unless something has changed in the last few years, DKID doesn't verify that the server is allowed to send email for that particular domain, just that the email itself wasn't tampered with which has its own issues. For instance, while it does verify that the message hasn't been tampered with, it does not help people that are sending legitimate cold emails to a server of say the sales rep for the company.
My point here being that any technology has issues when one tries to use it in a way for which it isn't designed, but saying that because it can be used improperly that it's therefore dangerous is an argument which lacks merit.
Re:No, and I won't (Score:4, Interesting)
Actually, DKIM can be used to guarantee a sender. We're using DKIM here with ADSP. That is:
_adsp._domainkey TXT "DKIM=ALL"
tells a receiver that all emails from our domains should be signed. Since the keys themselves are published in our DNS, a machine not under our control should not be able to send an email purporting to be from our domain.
I'm not sure but I would think that mechanism would make SPF irrelavent. Assuming antispam software actually checked the adsp dkim records.
Re:No, and I won't (Score:4, Interesting)
How would that work with trusted partners who may send mail on your behalf? With SPF I can use an include:xxx to define relationships with other systems. With DKIM it seems I would need the partnered system to stamp the sent mail or relay off of our originating servers for DKIM attribute addition (something that might not always be possible). Is there an elegant workaround?
Re: (Score:2)
I understand that, but it still doesn't address the include:xxx condition I outlined above. If we use an application service provider that sends email on our behalf, I have to get that provider to setup a custom header in the outbound email with a private cert I have generated for them. With SPF I can simply use an include: xxx to specify that I also trust vendorx.com to send mail for mydomain.com. I was inquiring if there is a facility for DKIM to support such a mechanism, which it doesn't seem like the
Re: (Score:2)
Re: (Score:2)
No, its being said that setting up signed E-mails hosted by third parties can be a royal pain. I relay mail for my customers as one of those third parties and working out who has control of the domain vs. E-mail vs. apps sending E-mail is a nightmare sometimes.
There's no necessity that a customer does their own domain work, or even controls their own E-mail system, and then wants us to send E-mail on their behalf from their domain, when their domain uses SPF and signed records.
Re: (Score:2, Informative)
Of course, people to whom email is just another way to make a quick buck may have different ideas.
Re: (Score:2)
We don't use the records where I work (too many uncertainties about where government e-mail is coming from, which is a stupid reason to not do it), but we do check them. Except for a few isolated cases of people sending corporate mail via their cablemodem/DSL SMTP servers and the case of ValueWeb[1], we rarely have any problems with it, and drop several tens of thousands of messages per day. That's out of about 2 million dropped or rejected connections, so it's a small fraction, but every bit helps where
Re: (Score:2)
(Keeping in mind that we implement a few checks before this point, such as testing HELO records for RFC compliance and a basic DNSBL. So the really screwed up senders are already filtered out.)
Re: (Score:3, Interesting)
We do something similar. Bad HELO/EHLO? Disconnected and blackholed for an hour. It then goes against three RBLs, Spamhaus being the most effective. For what we pay, it is by far the best value of the entire system. Anyway, anything matching that is blackholed for an hour. Then we check for spoofed addresses, then SPF records. After that, it's sent on to the anti-spam systems. We figured last that we block about 92% of all attempts to send messages, between dropped connections, rejections, and quara
Re: (Score:3, Informative)
The domain name given in the EHLO command MUST be either a primary host name (a domain name that resolves to an address RR) or, if the host has no name, an address literal, as described in Section 4.1.3 and discussed further in the EHLO discussion of Section 4.1.4.
If your mail server talks to the outside world, it must introduce itself properly. There's no wiggle room there.
You ARE asking people to throw away your own email (Score:4, Interesting)
The thing is that due to forwarding and vanity servers, you ARE asking people down the wire (which you can't predict and have NO control over) to throw away mail you sent. When you send to a buddy's vanity domain (that you don't know is a vanity domain) and it forwards your email to their ISP or work account that does check SPF records, your mail gets ditched. And you usually won't get any notice, so your email just disappears.
Using SPF increases the likelihood of your email getting sent into the ether to not return.
The SPF folks themselves acknowledge this as an issue and recommend using SRS to combat it. Of course, since no one uses SRS, it's still an issue.
Re: (Score:3, Interesting)
His protest is without teeth. If he really objects to the concept of SPF, then he should publish an SPF record of "?ALL". That way, people will know he's just not being apathetic.
Re: (Score:2)
So the argument is that because you can't forward mail, SPF is broken.
Forwarding mail is almost entirely unnecessary. Every major webmail provider allows you to get mail from third party accounts via POP3/IMAP. Rather than forward mail just fetch it like any other client. It doesn't need anything to be upgraded, works reliably and allows you to use SPF verifying the hosts permitted to send mail from your domain.
Re:No, and I won't (Score:4, Interesting)
While I can see the reason for your points, I don't agree with the conclusion.
The fact is that implementing SPF comes with a bigger responsibility to account for every machine your email might be sent from. No doubt this can be a big pain and imply compromise.
I have implemented SPF and for me the big downside is that OTHERS don't check it and pay attention to what I've implemented. I still get bounced email which the receiver SHOULD have ignored as forged because it failed SPF checks, but they didn't and bounced it to me anyway.
So my complaint is that being responsible hasn't bought me as much as it should have.
Re: (Score:2)
But due to RFC 1123, if you place another mail server's hostname in the "MAIL FROM" line, you are committing forgery, regardless of any ad-hoc justification you may come up with for "permitting" it.
I don't see that in RFC 1123. Can you be more specific? I could easily have missed it.
Re: (Score:2)
Please bear with me, I'm confused.
RFC 821 has specific requirements about the return path, then RFC 1123 says those are void, and so the conclusion is that RFC 1123 says they're still intact?
I often send email from my servers on behalf of third parties, with the return path being the email address of the third party, because that's where I want the bounces to go. Is this illegal according to RFCs currently in effect?
Re: (Score:2, Informative)
rfc1123 removed the relay function whereby your mail server may list other server's names in the return path.
The replacement is that only your mailserver is listed in the MAIL FROM entry. The RFC never said anything about adding some other server's address to a MAIL FROM line, that was never allowed by the standard. Your mail server can only add its own address as it is known to the mail server it is sending to period (for a new mail from: line).
To list the address in MAIL FROM: means that you (th
Re: (Score:3, Informative)
This is utter nonsense and a major misunderstanding of the standard on your side. Also RFC821 was deprecated by RFC2821 eight fricking years ago. It is telling that you apparently did not know th
Re:Use DomainKeys.. (Score:5, Insightful)
I don't have DomainKeys set up, and I've never had any difficulty getting mail to users of any of those services.
Re: (Score:3, Informative)
I don't have DomainKeys set up, and I've never had any difficulty getting mail to users of any of those services.
Does your mail server deliver tens of thousands of messages per hour to those services? If you're talking about the occasional email, you're probably not hitting the threshold at which your delivery will be affected.
Re: (Score:2)
I don't have DomainKeys set up, and I've never had any difficulty getting mail to users of any of those services.
Does your mail server deliver tens of thousands of messages per hour to those services? If you're talking about the occasional email, you're probably not hitting the threshold at which your delivery will be affected.
Some of my servers have been flagged at about 100 emails a day to multiple users at yahoo. Hotmail seems to be around the same too.
Yahoo even sends you a message saying they've blocked you and to check out their website for options.
Re: (Score:2)
The one I manage at work doesn't have DomainKeys, and it does send tens of thousands of messages an hour to those services. We get deferred by Yahoo regularly, but that's about it.
Re: (Score:3, Interesting)
I'll second that. Y! defers everybody, it's just a fact of life. But I send about 2 million emails a day to the big-5 and don't use DKIM. I hope we don't end up having to, b/c it sounds like a real PITA.
Re: (Score:2)
MSN/Hotmail's postmaster guidelines don't seem to mention DomainKeys, but do mention SPF:
http://postmaster.hotmail.com/Guidelines.aspx [hotmail.com]
"4. Authenticate your outbound e-mail: Publish Sender Policy Framework (SPF) records"
Re: (Score:2)
This is nonsense, at least for Gmail. I have no difficulty sending to their domain from unregistered hosts.
SPF is not an anti-spam tool: it's an anti-spoofing tool. It also helps prevent 'backscatter' from certain types of forged spam, the bouncing of forged emails from scattered SMTP servers around the world, because its classic form blocks the message before it is even fully transmitted when the bounce address is published. It still has issues with sites that do email forwarding, since most of them simply
Re: (Score:2)
I send mail to these services without DomainKeys. In fact, we started getting bounces from them saying we don't have a SPF record for our domain. I've added one for our domain and haven't had any issues since.
Re: (Score:2)
First off, your mail server has to follow RFCs regarding HELOs [ietf.org]. That means it has to be a valid HELO name, has to be a FQDN, and it has to map back to an address in a public DNS A/MX record. (We do *not* check beyond that as per the RFCs due to mail servers often being multi-homed and the IP address in the DNS record frequently won't match the IP address of the server that's talking to us.)
The HELO checks are cheap and will block 10-20% of inbound connections. Make sure you
Re: (Score:2)