
Are You Using SPF Records?

timothy posted more than 4 years ago | from the spf-50-should-be-enough dept.

Communications 263

gravyface writes "I've been setting up proper Sender Policy Framework records for all my clients for past year or so, hoping to either maintain or improve their 'reputation' in the email universe. However, there's a lot of IT admins I speak with who either haven't heard of SPF records or haven't bothered setting them up. How many of you are using SPF records for your mail domains? Does it help? How many anti-spam vendors out there use SPF records as part of their 'scorecard'?"


No, and I won't (1, Interesting)

XanC (644172) | more than 4 years ago | (#30481462)

SPF is harmful [woodhou.se].

Re:No, and I won't (4, Informative)

hedwards (940851) | more than 4 years ago | (#30481582)

That's some nice FUD you've got there. There are some valid points, but the basis for the page is inaccurate. SPF is really meant to be used in conjunction with some other technology like DKIM. SPF is just meant to ensure that one aspect of the process, that the machine sending the email is allowed to do so. DKIM for instance is meant to verify the contents of the email hasn't been tampered with.

Unless something has changed in the last few years, DKIM doesn't verify that the server is allowed to send email for that particular domain, just that the email itself wasn't tampered with, which has its own issues. For instance, while it does verify that the message hasn't been tampered with, it does not help people that are sending legitimate cold emails to a server of, say, the sales rep for the company.

My point here being that any technology has issues when one tries to use it in a way for which it isn't designed, but saying that because it can be used improperly that it's therefore dangerous is an argument which lacks merit.

Re:No, and I won't (3, Interesting)

martok (7123) | more than 4 years ago | (#30481794)

Actually, DKIM can be used to guarantee a sender. We're using DKIM here with ADSP. That is:
_adsp._domainkey TXT "DKIM=ALL"
tells a receiver that all emails from our domains should be signed. Since the keys themselves are published in our DNS, a machine not under our control should not be able to send an email purporting to be from our domain.

I'm not sure, but I would think that mechanism would make SPF irrelevant. Assuming antispam software actually checked the ADSP DKIM records.

Re:No, and I won't (3, Interesting)

Krondor (306666) | more than 4 years ago | (#30482064)

How would that work with trusted partners who may send mail on your behalf? With SPF I can use an include:xxx to define relationships with other systems. With DKIM it seems I would need the partnered system to stamp the sent mail or relay off of our originating servers for DKIM attribute addition (something that might not always be possible). Is there an elegant workaround?

Re:No, and I won't (1)

edman007 (1097925) | more than 4 years ago | (#30482588)

DKIM gets the public cert through DNS, thus to let someone send on your behalf you can make a private and public cert for the sender and then host the public cert at sender-month._domainkey.example.com; when they send an email they get the public cert from a DNS server you control, which should be easy enough to segregate from other people's mail servers.

Re:No, and I won't (1)

Krondor (306666) | more than 4 years ago | (#30482738)

I understand that, but it still doesn't address the include:xxx condition I outlined above. If we use an application service provider that sends email on our behalf, I have to get that provider to set up a custom header in the outbound email with a private cert I have generated for them. With SPF I can simply use an include:xxx to specify that I also trust vendorx.com to send mail for mydomain.com. I was inquiring if there is a facility for DKIM to support such a mechanism, which it doesn't seem like there is.

I can take a hard line with the ASPs and require they stamp the mail with my DKIM, but if you're not a large enough customer chances are they will say tough, deal with it or go somewhere else.

Re:No, and I won't (1)

edman007 (1097925) | more than 4 years ago | (#30482794)

DKIM verifies the actual message, not the server. Yes, it can be more work to set up, but you end up with end-to-end security and you can differentiate between different senders on the same IP.

Re:No, and I won't (2, Informative)

Anonymous Coward | more than 4 years ago | (#30481594)

While that article raises valid points, I think it goes too far when saying "If you publish SPF records, you are going to be asking people to throw away genuine email which you did actually send." I am perfectly capable of limiting my mail-sending practices to be compatible with SPF, and I am not personally all that inconvenienced by people with misconfigured email systems trying to do both SPF and forwarding.

Of course, people to whom email is just another way to make a quick buck may have different ideas.

Re:No, and I won't (0)

Anonymous Coward | more than 4 years ago | (#30481600)

All that and the author forgot the number one most important reason why SPF will never work:

Sent by BlackBerry

Re:No, and I won't (0)

Anonymous Coward | more than 4 years ago | (#30482034)

All that and the author forgot the number one most important reason why SPF will never work:

        Sent by BlackBerry

Not at all.

There are many ways blackberries can send email, and most of them can route through the regular SPF authorized servers for your domain.

Re:No, and I won't (2, Interesting)

nsayer (86181) | more than 4 years ago | (#30481880)

His protest is without teeth. If he really objects to the concept of SPF, then he should publish an SPF record of "?ALL". That way, people will know he's just not being apathetic.

Re:No, and I won't (1)

Albanach (527650) | more than 4 years ago | (#30482456)

So the argument is that because you can't forward mail, SPF is broken.

Forwarding mail is almost entirely unnecessary. Every major webmail provider allows you to get mail from third party accounts via POP3/IMAP. Rather than forward mail just fetch it like any other client. It doesn't need anything to be upgraded, works reliably and allows you to use SPF verifying the hosts permitted to send mail from your domain.

Yes. (1)

growse (928427) | more than 4 years ago | (#30481468)

Yes, I use an SPF for my domain. No I don't have any idea how effective it is, because my SPF record is used by other people. I haven't had any complaints about people not getting my mails.

Re:Yes. (3, Interesting)

oatworm (969674) | more than 4 years ago | (#30481944)

Pretty much the same here - SPF records aren't particularly hard to implement, after all. On the receiving side, I just check for SPF failure (i.e. somebody e-mailing from somewhere other than the domain's SPF-registered mail server), and even those just get sent to users' junk mail folders. I'm certainly not bouncing anything because of them. Based on my mail server reports, it looks like the low SPF filtering is catching about 0.5% of the mail volume that flows my direction, which isn't much, but it's 0.5% less than I would be dealing with otherwise and was implemented "for free", so I'm not complaining.

Re:Yes. (1, Redundant)

maxwell demon (590494) | more than 4 years ago | (#30482052)

Do all people you send mails to expect you to send mails to them?
Did you eventually get no answer to a mail you sent to someone you don't normally send mail to?

People won't complain about not getting your mail if they don't have a clue that you sent them any mail.

Re:Yes. (1)

pclminion (145572) | more than 4 years ago | (#30482668)

I communicate with the homeless by thought projection. I like to let them know that they can come over for steak and beer any time they want. I think these thoughts vigorously every night. I have yet to hear any homeless person tell me they are not receiving my messages.

Re:Yes. (1)

PopeRatzo (965947) | more than 4 years ago | (#30482822)

I communicate with the homeless by thought projection.

Your mother is homeless, you insensitive clod!

I use them (1)

NormalVisual (565491) | more than 4 years ago | (#30481476)

I use them for all of my domains, but I can't really see that it makes the first bit of difference.

Re:I use them (1)

Aladrin (926209) | more than 4 years ago | (#30481890)

Ditto.

Re:I use them (4, Interesting)

digitalchinky (650880) | more than 4 years ago | (#30482214)

Not just to add a 'me too' but I recently removed SPF completely - mostly because other people couldn't get their entries correct, or just completely failed to update it when they add in extra servers. Legitimate messages were hitting our spam folders. Since I can't train our fine worker drones to actually look in their spam, I opted just to remove it. With greylisting and spamassassin its removal hasn't made any noticeable difference aside from the false positives now being delivered properly.

What me worry? (1)

P1aGu3ed (979864) | more than 4 years ago | (#30481486)

If you maintain your own public DNS server you have no reason not to include SPF records; however, many of the public DNS providers support little more than A, CNAME and MX.

yes (5, Interesting)

zeldor (180716) | more than 4 years ago | (#30481538)

It has cut down tremendously on the spam claiming to be from my domains.
Any other benefit I am unaware of.

Re:yes (3, Informative)

MightyMartian (840721) | more than 4 years ago | (#30481612)

If you're using a lack of SPF records as a determinant in whether or not a message is spam, then I can guarantee you that you're losing mail to false positives. Maybe that isn't a big deal to you, but for the organization I work for, it would be absolutely nuts. The chief reason I have SPF records for my domains is so that the big boys like hotmail.com and GMail don't reject my emails. I use greylisting as my chief anti-spam weapon, and it's far more reliable and far more effective than SPF.

Re:yes (1, Informative)

JWSmythe (446288) | more than 4 years ago | (#30482080)

Folks who do a lot of mail find out the hard way that without SPF records, there are plenty of places that bounce them. I've had them on my domains for years.

For my old network, where we got a huge amount of spam, we used both graylisting and our own custom blacklist. I didn't trust the blacklist providers, so we did rolling blacklists based on the amount of detected spam (with mailscanner and friends), which worked with the firewall. It set its own firewall rules, so all traffic was dropped from that IP. On the first offense from an IP, it was blocked for a day. If there were multiple spams detected from the same /24, the whole /24 got blocked. If they were repeat offenders, the durations increased. It protected the mail server from about 90% of the spam, and didn't generate a single complaint. There was a tremendous amount of inbound mail also that was legitimate, so we would have had complaints after their automatic block was lifted.

It also used some honeypotting. Messages to old dormant accounts that only received spam automatically had the sender blocked. It's not like the accounts were a few days unused, we're talking about more than 5 years, and they were some of the highest traffic accounts on the server.

An offense was carefully defined, so as not to block legitimate traffic. It worked amazingly well. For it to work though, you have to have a high-load environment, that the spammers are already hitting hard. We would receive upwards of 100k emails/day, which was then reduced to 10k and most were legitimate.

Re:yes (1)

ls671 (1122017) | more than 4 years ago | (#30482226)

Agreed with both your post and the GP!

I publish SPF records for all my domains for which I know *for sure* the IPs from which mail might be sent, and I take care of using the -all qualifier, which is FAIL (NOT SOFTFAIL, which uses a tilde). This is telling other mail servers using SPF to refuse the email when not coming from the published list of IPs.

I barely take SPF into account to filter incoming email for basically the same reason you have mentioned.

Oh, I do not use greylisting because having emails delayed by 1 to 6 hours, for the organization I work for, "would be absolutely nuts".
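As an added example (not code from the thread or from any project named in it), the two mechanics discussed above, Krondor's include:xxx delegation to a partner and ls671's -all (fail) versus ~all (softfail) choice, as a small SPF evaluator that runs against a constructed, offline DNS table; all domain names, addresses and the DNS_TXT/DNS_MX tables are made-up placeholders, and the check is keyed on the MAIL FROM (bounce) address, which is what SPF actually covers.

```python
"""Minimal SPF (v=spf1) evaluator over a constructed DNS table.

Shows the receiver-side check: the connecting IP is tested against the
record of the MAIL FROM domain, include: delegates to a partner record,
and the trailing all mechanism's qualifier decides fail vs softfail.
"""
import ipaddress

# Constructed TXT records standing in for DNS lookups (assumption: these
# domains and addresses are illustrative only).
DNS_TXT = {
    "mydomain.example": "v=spf1 ip4:203.0.113.10 mx include:vendorx.example -all",
    "vendorx.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}
# Constructed MX data, simplified to the addresses the MX hosts resolve to
# (a real resolver would do an extra A/AAAA lookup per MX host).
DNS_MX = {"mydomain.example": ["203.0.113.20"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # the RFC 4408/7208 limit on DNS-querying mechanisms


class _Budget:
    """Counts DNS-querying mechanisms across nested includes."""

    def __init__(self):
        self.lookups = 0

    def spend(self):
        self.lookups += 1
        if self.lookups > MAX_DNS_LOOKUPS:
            raise ValueError("too many DNS lookups")


def _ip_in(ip, spec):
    """True if ip lies in the ip4/ip6 network spec (bare addresses are /32 or /128)."""
    net = ipaddress.ip_network(spec, strict=False)
    return ip.version == net.version and ip in net


def _evaluate(ip, domain, budget):
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = _ip_in(ip, arg)
        elif name == "mx":
            budget.spend()
            hosts = DNS_MX.get(arg or domain, [])
            matched = any(_ip_in(ip, host) for host in hosts)
        elif name == "include":
            # include: matches only if the partner's record yields pass;
            # a missing or broken partner record is a permanent error.
            budget.spend()
            inner = _evaluate(ip, arg, budget)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism this toy does not implement
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no all term present


def check_spf(client_ip, mail_from):
    """Return pass, fail, softfail, neutral, none or permerror for one SMTP session."""
    ip = ipaddress.ip_address(client_ip)
    domain = mail_from.rpartition("@")[2].lower()
    try:
        return _evaluate(ip, domain, _Budget())
    except ValueError:  # lookup budget exceeded or malformed address spec
        return "permerror"


if __name__ == "__main__":
    for client, sender in [
        ("203.0.113.10", "bob@mydomain.example"),   # listed ip4
        ("198.51.100.7", "bob@mydomain.example"),   # partner via include:
        ("192.0.2.99", "bob@mydomain.example"),     # -all: fail
        ("192.0.2.99", "bob@vendorx.example"),      # ~all: softfail
        ("192.0.2.99", "bob@loop.example"),         # self-include loop
    ]:
        print(client, sender, "->", check_spf(client, sender))
```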

Re:yes (4, Insightful)

Snover (469130) | more than 4 years ago | (#30482252)

Read again.

Spammers can't use his domain to forge spam, because SPF-aware mail servers reject it. Hence, he doesn't have to deal with tons of bounces, spam warnings, virus warnings, etc.

Reduced Backscatter Significantly (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30482560)

I didn't use to use SPF records for my domains. I always felt that it was a pretty half-assed way to prevent forged spam from my domain since it required the admins of other mail servers to enable SPF checking in the first place.

Then I started getting a ton of backscatter in my inbox. Just out of the blue, some spammer had decided to start using my domain name for cialis spam and next thing I know, my inbox is flooded with rejected messages bouncing back to me. I set up SPF as kind of a desperation play more than anything else and the backscatter disappeared almost overnight. I'm sure someone out there is still receiving spam which appears to be sent from my domain, but the volume of backscatter I'm getting isn't even a tenth of what it once was. SPF is good for something.

Re:yes (0)

Anonymous Coward | more than 4 years ago | (#30482798)

Nobody rejects mail because there is no SPF record. Obviously you have no idea how it works. Please read up on the subject before commenting next time.

I publish but I don't check them (1)

chrisj_0 (825246) | more than 4 years ago | (#30481556)

I publish SPF records. But I don't check them for any incoming mail. I have seen some email rejected by SPF checking. Last time was an internal contractor that had our domain's emails forwarded to GoDaddy hosted email. I would never reject mail based on an SPF record, but I do publish, if others are dumb enough to reject mail.

I use it (1)

Deltaspectre (796409) | more than 4 years ago | (#30481560)

Yes, and it's not very effective in the places that matter. My school has recently transitioned to Zimbra, which has been automatically sending anything from any of my domains into the Spam folder. (I also have DKIM set up, but that didn't help. As far as I know my IP isn't on any blacklists, so it should be getting through fine...)

Re:I use it (2, Interesting)

kosmosik (654958) | more than 4 years ago | (#30481728)

Where is the logic in that?

Two facts:
- you use SPF for your own domains
- your school's Zimbra installation scores mails from your domains as spam

Based on the above facts, how have you come to the conclusion that SPF doesn't work in general? The fact that your school's Zimbra scores your mail as spam is just a single case and most probably not related to SPF in general.

Have you looked at the headers of these messages marked as spam? Have you contacted the postmaster?

Re:I use it (1)

Deltaspectre (796409) | more than 4 years ago | (#30482662)

I should have added that this is just my personal experience. I have looked at the headers, but they are gibberish to me that I can't find information on via Google (X-Spam-Track in particular). As far as contacting the postmaster, I received the helpful reply to have all recipients whitelist my domains in their filters.

Use DomainKeys.. (0)

Swift Kick (240510) | more than 4 years ago | (#30481584)

SPF records are easy to implement, but also easy to subvert (as one of the other posters already mentioned in his comment's link).

You should really look into implementing DomainKeys instead, which (while a little more difficult to set up) are almost required if you do any kind of significant email volume.
Yahoo, Gmail, MSN/Hotmail, and AOL pretty much require that you have DomainKeys implemented if you want to email their users, otherwise you'll find yourself on the wrong end of a blacklist someday.

Postfix can easily be set up with DomainKeys support using dkimproxy, check it here: http://dkimproxy.sourceforge.net/ [sourceforge.net]

Good luck!

Re:Use DomainKeys.. (4, Insightful)

NormalVisual (565491) | more than 4 years ago | (#30481682)

Yahoo, Gmail, MSN/Hotmail, and AOL pretty much require that you have DomainKeys implemented if you want to email their users

I don't have DomainKeys set up, and I've never had any difficulty getting mail to users of any of those services.

Re:Use DomainKeys.. (2, Informative)

nacturation (646836) | more than 4 years ago | (#30482104)

I don't have DomainKeys set up, and I've never had any difficulty getting mail to users of any of those services.

Does your mail server deliver tens of thousands of messages per hour to those services? If you're talking about the occasional email, you're probably not hitting the threshold at which your delivery will be affected.

Re:Use DomainKeys.. (1)

Jazz-Masta (240659) | more than 4 years ago | (#30482508)

I don't have DomainKeys set up, and I've never had any difficulty getting mail to users of any of those services.

Does your mail server deliver tens of thousands of messages per hour to those services? If you're talking about the occasional email, you're probably not hitting the threshold at which your delivery will be affected.

Some of my servers have been flagged at about 100 emails a day to multiple users at yahoo. Hotmail seems to be around the same too.

Yahoo even sends you a message saying they've blocked you and to check out their website for options.

Re:Use DomainKeys.. (1)

Daniel_Staal (609844) | more than 4 years ago | (#30482514)

The one I manage at work doesn't have DomainKeys, and it does send tens of thousands of messages an hour to those services. We get deferred by Yahoo regularly, but that's about it.

Re:Use DomainKeys.. (0)

Anonymous Coward | more than 4 years ago | (#30482670)

I'm curious how you know (if you're doing a lot of email volume). I've done tests for companies who think everything is OK, but are actually dropping like 30% of their emails either in spam boxes or on the floor...

There are a few tools out there you can use to check...

Re:Use DomainKeys.. (1)

Curmudgeonlyoldbloke (850482) | more than 4 years ago | (#30482098)

MSN/Hotmail's postmaster guidelines don't seem to mention DomainKeys, but do mention SPF:

http://postmaster.hotmail.com/Guidelines.aspx [hotmail.com]

"4. Authenticate your outbound e-mail: Publish Sender Policy Framework (SPF) records"

Re:Use DomainKeys.. (1)

Antique Geekmeister (740220) | more than 4 years ago | (#30482412)

This is nonsense, at least for Gmail. I have no difficulty sending to their domain from unregistered hosts.

SPF is not an anti-spam tool: it's an anti-spoofing tool. It also helps prevent 'backscatter' from certain types of forged spam, the bouncing of forged emails from scattered SMTP servers around the world, because its classic form blocks the message before it is even fully transmitted when the bounce address is published. It still has issues with sites that do email forwarding, since most of them simply repeat the original sender's bounce address, and their forwarding host is not usually authorized to send mail from that bounce address.

And make no mistake. SPF isn't about the "From:" line, it's about the bounce address. This confuses many people who have to deal with it.

I use them, but mainly for deniability (2, Insightful)

e9th (652576) | more than 4 years ago | (#30481590)

My SPF records have gotten me un-blacklisted a few times, after I've pointed out that those machines in Brazil weren't authorized to send email from my domains. But I think DomainKeys, DKIM, etc. will eventually make SPF unnecessary.

Re:I use them, but mainly for deniability (3, Interesting)

MightyMartian (840721) | more than 4 years ago | (#30481634)

And yet none of these solutions will actually do very much good at all. This was all hashed over several years ago. SPF, DomainKeys and so forth are little more than feel-good half-measures. If the sole reason you're using any of them is so that Google doesn't reject your email, then I think that's pretty much demonstrated the worthlessness of them.

Re:I use them, but mainly for deniability (1)

e9th (652576) | more than 4 years ago | (#30481938)

I've never had problems with gmail. It's smaller providers/businesses that don't use DK or SPF that have given me problems.

Re:I use them, but mainly for deniability (1)

WuphonsReach (684551) | more than 4 years ago | (#30482444)

DKIM solves a different problem, the two solutions (SPF vs DKIM) are not mutually exclusive.

nope... (5, Funny)

stokessd (89903) | more than 4 years ago | (#30481608)

It's winter so there isn't much sun or exposed flesh to worry about. My record for SPF is 50 when I'm bicycling in the noonday sun in the summer.

http://en.wikipedia.org/wiki/Sunscreen

Yes (2, Insightful)

S-100 (1295224) | more than 4 years ago | (#30481624)

Yes, I use SPF records on all the domains that I host that have email accounts. SPF records, I believe, have cut way down on backscatter. Before SPF, accounts would get dozens to hundreds of bounces when their email address was forged as the reply-to address in spam. Now the backscatter is almost completely gone.

But I can tell that Hotmail still ignores SPF since almost all the backscatter that still comes through is from Hotmail. They should know better.

Having valid SPF records also helps outgoing mail get through. I would frequently have to deal with large ISPs that would flag my mail or my domain as a spam source, based on their misinterpretation of forged headers. But since I have SPF records in place, this has not happened. I also check incoming SPF. If the SPF check fails, the mail is dumped. If SPF passes or there's no SPF, it goes through. Works great as one step in spam control.

Re:Yes (1)

sjwest (948274) | more than 4 years ago | (#30482058)

Logwatch is a useful tool for monitoring; it seems to work well for our domains. DKIM/DomainKeys and SPF do help.

If people don't want to set them up for a mail server to use, then well, that's your choice. If the context they are used in is too hard for them to grok then perhaps they should not be looking after email systems or any IT.

There are idiots out there (hey magnatune) who don't sign all their mail servers, and that is unfortunate: in magnatune's case their office box has it, but buy an mp3/etc thing and it goes bang.

Nobody home when I emailed them about it the once.

I understand that messing about with SMTP/LMTP, and AV, and then perhaps a disclaimer, before signing a message for mailing might scare some 'administrators'; I would consider them unemployable.

Re:Yes (2, Informative)

SmoothriderSean (657482) | more than 4 years ago | (#30482616)

But I can tell that Hotmail still ignores SPF since almost all the backscatter that still comes through is from Hotmail. They should know better.

I believe you, but really? Hotmail was THE reason I've implemented SPF for a few domains connected to sites that send alert emails to users. Nothing - from email confirmations to status update type stuff - was getting through to Hotmail accounts until I set up SPF. Some kind of Left Hand / Right Hand mess going on over there?

Hosting Services don't make it easy... (1)

Jah-Wren Ryel (80510) | more than 4 years ago | (#30481644)

SPF has been around for at least a couple of years, but at least one very large hosting provider - hostgator.com - hasn't made it any easier to implement. They still require that you email them and request that they set it up for you.

http://forums.hostgator.com/custom-mx-and-spf-records-t58820.html [hostgator.com]

no (1)

Uzik2 (679490) | more than 4 years ago | (#30481646)

and spamhaus put me on the pbl as well. (I don't send spam)

Re:no (2, Informative)

GuruBuckaroo (833982) | more than 4 years ago | (#30482076)

Spamhaus didn't put you on the PBL, your ISP did. The PBL is made up of netblocks owned by ISPs who specifically don't want mail coming from those blocks. I use sbl-xbl instead of zen because the PBL has too many "false" positives.

Got it on Google's advice (3, Interesting)

cerberusss (660701) | more than 4 years ago | (#30481672)

Four years ago, I got hit by a Joe-job, i.e. some spammer used my domain in the 'From' field. I deleted the thousands of resulting messages in the following days and then didn't think about it anymore.

Two years ago, I shut down my mail server and moved it to Google Apps. Basically it involves creating a Google Apps account, which tells you to point your domain's MX (mail exchange) records to GMail. The second, optional, step was to add SPF records. I thought about the Joe-job. Since the GMail wizard is good and explains everything, I just executed that step. It's actually really simple.

Anyone else have this experience? I.e. creating SPF records was too easy to just skip it?

Some spam filters score on SPF (2, Interesting)

kosmosik (654958) | more than 4 years ago | (#30481684)

Some spam filters score on SPF. So not having SPF increases the chance of false positives for your legitimate mail. And since SPF is free and painless to implement (just a few DNS records) I don't see any reason not to use it. Also, it's not like it is something that significant either.

Bless me server, for I have sinned (2, Funny)

ndogg (158021) | more than 4 years ago | (#30481692)

It's been, umm, a very long time since I've been to confession.

It's true, I don't use SPF. I've at least got the TXT line in my DNS hosts file.

But I'm using exim [exim.org], which only has experimental support [exim.org], and I'm too afraid to use something experimental like that.

What should I do, server?

Re:Bless me server, for I have sinned (1)

daveb1 (1678608) | more than 4 years ago | (#30482296)

Perhaps postfix ?

Re:Bless me server, for I have sinned (1)

element-o.p. (939033) | more than 4 years ago | (#30482370)

What should I do, server?

Move to Postfix ;)

On a completely off-topic, well...topic, I love the "#include" in your sig

Anti-spam vendor's perspective (4, Informative)

gujo-odori (473191) | more than 4 years ago | (#30481694)

I work for a major anti-spam vendor.

Yes, SPF records are part of the mix at many anti-spam vendors.

However, they aren't part of reputation. Reputation, to describe it simply and without giving away any secrets, is determined by the kind of mail a host or network emits. Whether it has SPF records and/or DKIM-signs its mail does not affect reputation; if you emit junk, your reputation will be junk.

SPF and (more so) DKIM have value in assessing whether a given mail is a forgery or not (think phishing and related scams). They are not weighted overly much, since people do foolish things like put their work email address into their webmail account all the time, and it causes FPs, for some value of false positive. That is, it's not an FP per se, but the mail is technically legit, so dropping it on the floor isn't the desired action.

In short, don't expect having SPF and DKIM to improve your deliverability much, if at all. That's not where the value-add is. The value-add is helping to separate the sheep from the goats among mail that purports to be from your domain. If you want recipients to be able to (theoretically, since most of them don't/won't check) have greater confidence that a mail that claims to have come from your organization really did so, then yes, implement both SPF and DKIM.

If you're an organization whose customers might be phishing targets, definitely do both. Orgs I've seen targeted for phishing include financial institutions of any size (even a single branch!), various government agencies, educational institutions (not just universities, either), BBB, auto clubs, World of Warcraft accounts, Vonage, Craig's List, all the free webmail providers. If it has a login, and anything a phisher could find to be of value (for practically any value of "value"), there will be phishing attempts.

If your company is one of those - or even if it's not, really - I recommend both SPF and DKIM.

Re:Anti-spam vendor's perspective (2, Interesting)

Nashville Guy (585073) | more than 4 years ago | (#30482312)

I agree. The only point at which SPF or DKIM comes into play is the last few percentage points of filtering and even then other measures can suffice. For instance, I use a Barracuda Spam Firewall and out of the box it catches probably 80% with no false positives. Train the Bayesian filter and pick up easily another 10%. For my use, I can do some TLD blocking without worry such as CN, BR, and RU to name a few and I pick up additional percentage points. A few Regex for things like Viagra and Rolex net me a few more points. Doing a little header blocking for things like XMailer: The Bat and I am down to around 1% spam or less.

Doing things like NOT white-listing your own domain work just as well as SPF or DKIM if you implement quarantining. When you put email handling rules into play like Junk or Spam boxes and allow a per user quarantine with personalized Bayesian settings you can really knock the junk down to virtually nothing.

I think the thing here to take into account is that things like DKIM and SPF are not major solutions to spam. They can help reduce a point or two on percentages depending on your overall configuration, but they are nowhere near global solutions within your enterprise.

Better for Sent Items than Received (4, Informative)

Krondor (306666) | more than 4 years ago | (#30481698)

I use them, and what I've found is that they have a very marginal effect (if any) on spam catch rates on your inbound mail. However, they do have a great side benefit. They significantly reduce backscatter, keep you off of blacklists, and provide some control of you, your employer, or your client's identity on the web. SPF records provide a mechanism to limit who can spoof as you (as long as recipient servers adhere to them). If you have a risk to yourself or interested parties that someone might spoof your domain (banks!), then SPF provides a means to ensure the chain of custody (to an extent).

I do think overall SPF has helped to prevent forged domain letters, but those are less and less common (for those that publish spf). The spammers now either rely on forged domains without DKIM or SPF (why not use both!!) or they send from their own controlled botnet domains and publish legit SPF for themselves as well.

dkim; convincing individual mail providers (2, Informative)

bcrowell (177657) | more than 4 years ago | (#30481724)

DKIM (formerly known as Domain Keys) is more sophisticated and worth looking into in addition to SPF. I'm using an implementation called DKIMproxy, which runs as a daemon and is specifically designed to work with postfix. I've been fairly happy with it. What's helpful about it is that if I get mail from someone who implements DKIM, I can be sure that it's really from them, and likewise if I get joe-jobbed, I can convince the recipient that the spam wasn't actually from me. The biggest and best known users of DKIM are gmail and yahoo, but I'm seeing it used elsewhere as well. For example, I recently got spam from lulu.com, and the good news was that it was DKIM-signed, so I could be sure it wasn't a joe job.

I understand what you mean about establishing a good reputation in terms of the email you send. Actually many of the big email providers have a policy of blacklisting all domains by default these days, and waiting for the domain operators to contact them and ask to be allowed to send mail to them. Both AOL and yahoo seem to do this. With yahoo, you can fill out a form to convince them you're not evil, and if the info on the form satisfies them, they stop blacklisting you. One of their criteria is that they're more likely to approve you if you implement DKIM. If you tell them you're using DKIM, then they won't accept mail from your domain that isn't DKIM-signed; this is to your advantage, because then their users won't be clicking on the spam button on mail that claims to be from you but isn't.

SPF is useless (1)

DarkOx (621550) | more than 4 years ago | (#30481730)

It's not helpful in reducing SPAM unless or until everyone uses it. Why? Because you can't toss out mail from domains without SPF records; you'd lose too much HAM. You can only use it to detect and reject spoofs from domains with SPF.

It's not good as an anti-spoofing technique in general because there are lots of ways you could make it look like you were sending from the correct host. Possibly in conjunction with DNSSEC (something only being slowly adopted) and some enhancements to BGP you could get there, but SPF alone does not do it.

A public/private key scheme on the message bodies would be much, much more secure and reliable for the anti-spoof use.

Sometimes you want to temporarily run your mail out a different IP or relay from another domain, and if you used SPF and your recipients have the DNS record cached you are kinda screwed if you need to do anything in a hurry.

SPF is an ineffective solution at best and really amounts to needless complexity which can only cause problems at worst.

The SPAM and tamper issues are both better solved with message signing.

Re:SPF is useless (1)

WuphonsReach (684551) | more than 4 years ago | (#30482522)

Sometimes you want to temporarily run your mail out a different IP or relay from another domain, and if you used SPF and your recipients have the dns record cached you are kinda screwed if you need to do anything in a hurry.

You solve that issue by running your SPF DNS records with a TTL of about 2 hours (or maybe 4 hours). Even in the freak accident category, I'm hard pressed to come up with a situation where your primary mail server goes up in flames (or the outbound ISP goes up in flames) and you can't both (a) move to a new host/IP range and (b) set up new SPF records in under 4 hours.

And if you can't manage to publish SPF records correctly, then don't. Full stop.

The rest of us will publish them. And manage our email infrastructure in a way that takes SPF records into account. Which means we'll have to deal with fewer joe-job forgeries than you will over the long run.

Re:SPF is useless (0)

Antique Geekmeister (740220) | more than 4 years ago | (#30482544)

From http://craphound.com/spamsolutions.txt [craphound.com] :

Your post advocates a
        ( ) technical

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) Many email users cannot afford to lose business or alienate potential employers

Specifically, your plan fails to account for

( ) Lack of centrally controlling authority for email
( ) Huge existing software investment in SMTP
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Extreme profitability of spam
( ) Dishonesty on the part of spammers themselves
( ) Outlook

and the following philosophical objections may also apply:

( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Feel-good measures do nothing to solve the problem

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.

Yes (1)

Kevinv (21462) | more than 4 years ago | (#30481746)

I use it on all my domains, and check it on all inbound mail. I especially make sure I define no servers are valid for several domains I have that are web pages only, or use for throwaway e-mail addresses (I receive e-mail at that domain, never send from that domain.)

I do support a domain hosted on google apps and setting it up for that ends up with a less firm ~all option that allows bogus senders to slip through.

I can see SPF fails in my logs so it looks like many other domains are using it as well.

Nope (5, Interesting)

menelaus (6949) | more than 4 years ago | (#30481784)

I don't use them personally and we have very few customers at my current job that will request them.

I used to work for an anti-spam company and the request would come in from time to time to have SPF checking built into our appliances. As developers, we did see the benefit of it. But at the time, there was the SPF vs SenderID vs Domain Keys battle going on. Who would win out?

As it appears years later, no one really did.

The problem with the technology is adoption rates. Unfortunately, many of these technologies are not being adopted by the masses. I'm not saying it's hurting you by having these in place, but it also might not be doing as much good as you think that it is.

i use it. (1)

Ruede (824831) | more than 4 years ago | (#30481800)

I use SPF and DKIM. Works fine :) Well, it is a low traffic domain :)

The bigger issue will be ppl that forward all their shit to other mailboxes... it is always "great" to see lots of it being rejected due to "spam".

disable forward - enable pop3 fetch.

Use SPF. (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30481812)

If you aren't using SPF, you aren't doing your job. I've become merciless in my dealings with other sites who don't use SPF, or even worse publish incorrect SPF.

yes.... (0)

Anonymous Coward | more than 4 years ago | (#30481814)

I publish SPF records for my company and I check them, if SPF FAILS or SOFTFAILS it gets an SCL that will filter it into Junk. If SPF is OK or there is no SPF it continues through the process.

Yes (1)

marquinhocb (949713) | more than 4 years ago | (#30481850)

SPF is the way to go. Most public email out there (GMail, Hotmail, Yahoo) will mark email as spam if an email is sent from a server that isn't listed on the SPF record.
Obviously this isn't the only technique to fight spam (You validate that the sender really belongs to X.com, not that X.com isn't a spammer), but it helps.

As for the link to "SPF is harmful", that's about the biggest load of bull I've ever seen. It's inaccurate, and is an uncommon case (how often does mail forwarding happen these days with everyone using non-ISP-bound free email services?). It's like saying we should shut down the internet because it's not completely accessible to devices with black&white screens.

As I said before, all the major free email service providers take SPF into account (test it out yourself - set up your domain with SPF, and send an email to your gmail/hotmail from an unauthorized IP).

That said, SPF is pretty easy to set up. Just a quick little TXT record in your domain and you're good to go. This site will help you with generating your SPF:
http://www.openspf.org/Tools [openspf.org]

I use it so I don't get blacklisted (1)

Coolcom (942441) | more than 4 years ago | (#30481862)

Before implementing an SPF record, my mail server IP was getting put on all sorts of blacklists. People were sending mail claiming to be from my domain and it was causing me to get on the BLs; all the major ones like CBL, Barracuda, Spamhaus, etc. Anytime anyone would try and send mail to me it would be rejected. I don't use SPF for checking incoming mail, I have the mail checked against a few RBLs and anti-spam software.

To prevent spam (0)

Anonymous Coward | more than 4 years ago | (#30481870)

This is actually a very interesting subject, and it comes with interesting examples.

Let's take Denmark; we have a few banks here (like any country).

Some months ago none of the banks had SPF records. I checked up on this because I got hired at a bank myself.

So, of course it happened: one of the banks was hit by a phishing attack, which is between fairly easy and laughably easy if you don't bother with SPF records.

The bank hit was this one:
danskebank.dk text = "v=spf1 a:n50422.danskebank.com a:n50423.danskebank.com a:n70422.danskebank.com a:n70423.danskebank.com -all"

Afterwards it was still the only bank with an SPF record; I can see now that new ones have joined:
nykredit.dk text = "v=spf1 +include:jndata.dk +include:bounce.peytz.dk ?all"

but not all of them
*** Can't find brfkredit.dk: No answer
*** Can't find eikbank.dk: No answer
*** Can't find jyskebank.dk: No answer
*** Can't find sparnord.dk: No answer

the list goes on.

anyways, the funny part is checking who is actually sending from their domains (sorry, account required to see the sender ips)
https://www.senderscore.org/lookup.php?lookup=danskebank.dk&ipLookup.x=0&ipLookup.y=0
https://www.senderscore.org/lookup.php?lookup=jyskebank.dk&ipLookup.x=0&ipLookup.y=0
https://www.senderscore.org/lookup.php?lookup=nykredit.dk&ipLookup.x=0&ipLookup.y=0
etc.

the interesting thing is that spammers seem to have a better reputation than the actual banks sending.

To sum it up
DON'T BE A FUCKING IDIOT, GET THOSE SPF RECORDS UP OR I CAN, WITHOUT ANYONE PROVING OTHERWISE, SEND LEGITIMATE MAILS FROM YOUR DOMAINS.
don't be a bank

They help, but only slightly! (2, Interesting)

DNX Blandy (666359) | more than 4 years ago | (#30481942)

I also use SPF records for all my domains, most are simply: "v=spf1 a mx -all". "-all" as in hard fail. I don't know why there is a soft fail "~all" option; if it's not from a known host / IP, it should fail. What's the point in returning an unknown response? Like as if there was no SPF record in the first place? It's amazing how many domains actually use soft fail. Anyone know why? They only help stop backscatter and other IPs from sending emails from @yourdomain.com as long as the other mail server does an SPF lookup. We have become dependent on the email protocol and the way it works, pity it's in such a mess :( Damn you SPAMBOTS!!!
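The difference between "-all", "~all" and "?all" asked about above is only visible once you look at how a receiver actually walks an SPF record: each mechanism is tried in order, and the qualifier in front of the first mechanism that matches decides the result. The following is an added example, not code from this thread or from openspf.org; it is a minimal evaluator in the shape of the check_host() function from RFC 7208, run against a constructed in-memory "zone" instead of live DNS, and it handles the record shapes seen in the thread (a, mx, a:host, ip4:net, include:, and the three "all" qualifiers from the Danish bank records and the "v=spf1 a mx -all" record above). All names and addresses are constructed.

```python
"""Minimal SPF evaluator (RFC 7208 check_host() shape) run offline against
a constructed DNS table.

Added example, not code from this thread or from openspf.org. Host names,
addresses and the zone data are constructed; a real check queries live DNS
for TXT, A and MX records and also handles CIDR suffixes, ip6:, exists: and
the redirect= modifier, which are left out here.
"""
import ipaddress

# Constructed zone data: (name, rrtype) -> records. Not real hosts.
FAKE_DNS = {
    # "-all": hard fail for any host not listed
    ("example.com", "TXT"): ["v=spf1 a mx ip4:203.0.113.0/24 -all"],
    ("example.com", "A"): ["198.51.100.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.20"],
    # "~all": the domain only says "probably not mine"
    ("soft.example", "TXT"): ["v=spf1 include:example.com ~all"],
    # "?all": the domain makes no assertion about unlisted hosts
    ("neutral.example", "TXT"): ["v=spf1 a ?all"],
    ("neutral.example", "A"): ["192.0.2.1"],
}

# Qualifier prefix -> result when the mechanism it decorates matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rrtype):
    """Stand-in for a DNS query."""
    return FAKE_DNS.get((name.lower(), rrtype), [])


def spf_record(domain):
    """Return the domain's single v=spf1 TXT record, or None."""
    txt = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    return txt[0] if len(txt) == 1 else None


def ip_in(ip, network):
    # A bare address is treated as a /32 (or /128) network.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def check_host(ip, domain, depth=0):
    """Evaluate the sending IP against the domain's SPF record.

    Returns one of pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                       # RFC 7208 caps DNS-based lookups
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"                    # no record: no assertion at all
    for term in record.split()[1:]:      # skip the "v=spf1" tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip_in(ip, arg)
        elif name == "a":
            matched = any(ip_in(ip, a) for a in lookup(arg or domain, "A"))
        elif name == "mx":
            hosts = lookup(arg or domain, "MX")
            matched = any(ip_in(ip, a) for h in hosts for a in lookup(h, "A"))
        elif name == "include":
            # include: only a "pass" of the referenced policy counts as a match
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"           # unsupported mechanism or modifier
        if matched:
            return QUALIFIERS[qual]      # first match wins; its qualifier decides
    return "neutral"                     # record exhausted without a match


if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "example.com"), ("192.0.2.77", "example.com"),
                    ("192.0.2.77", "soft.example"), ("192.0.2.77", "neutral.example")]:
        print(f"{ip:>14} {dom:<16} {check_host(ip, dom)}")
```

The receiver-side consequence is the point of the "~all" question: a "fail" is the domain owner saying "this host is not mine, reject it", a "softfail" is "probably not mine, treat it with suspicion", and "neutral" gives the receiver nothing to act on, which is why a "?all" record protects the domain about as well as no record.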

Re:They help, but only slightly! (0)

Anonymous Coward | more than 4 years ago | (#30482376)

Can you really not fathom why the soft fail option exists, or simply why it would be useful to you personally? You may lack "theory of mind", which is typical of Asperger's Syndrome sufferers.

Re:They help, but only slightly! (1)

WuphonsReach (684551) | more than 4 years ago | (#30482706)

The point of the ~all was so that you could start testing the waters.

We ran with ~all for a few years, but have recently switched everything over to -all.

So far, I've seen only 1 or 2 false positives where the SPF check failed - even when sent from our own mail servers. I'm guessing that the destination mail server had DNS troubles when it tested our message.

We've also started 5xx (rejecting) at SMTP time if the inbound message fails its SPF check. SPF has been around for long enough at this point, that mail admins who have implemented it *should* have the bugs worked out. (The time for excuses is past, and if we don't reject at SMTP time, the origin mail admin won't know things are broken.)

Sometimes, sometimes not (1, Redundant)

93 Escort Wagon (326346) | more than 4 years ago | (#30481964)

In the summer I like to use SPF-15 or higher. In the winter it's pretty cloudy around here, so I don't bother.

Re:Sometimes, sometimes not (0)

Anonymous Coward | more than 4 years ago | (#30482142)

Just remember, clouds that make the sky "overcast" don't really stop much UV.

Yes (1)

cybersquid (24605) | more than 4 years ago | (#30482026)

I do use it on the handful of domains I admin.

Professional email services should be using this (0)

david.emery (127135) | more than 4 years ago | (#30482084)

My ISP (satisfied customer for 20 years!) uses a very effective anti-spam device (http://www.escom.com) that includes SPF checking. (No business connection, just a very satisfied customer. I get less than 1 spam/quarter that isn't trapped in quarantine or flat rejected...)

I'm appalled at the "professional" electronic contact service companies that fail to set up SPF records, e.g. Bronto.com that sends emails on behalf of the IEEE Computer Society. If this is your business, you have every obligation to make sure your services on behalf of -paying customers- are properly configured, even if some anti-spam devices do not use SPF as part of their spam detection approach.

Failure to include SPF records usually causes an email to get trapped in quarantine on my ISP. That's not "catastrophic" but it is most certainly annoying for something that can be very easily prevented, particularly by companies/organizations that actively invest in email.

Yes! Prevents forged Froms (2, Informative)

bziman (223162) | more than 4 years ago | (#30482116)

SPF is great. It's one of the technical means of making sure that the IP address that is trying to send you a message is authorized to use the sender that it claims to be from. That means you can automatically reject spam that claims to be from any of the big mailers.

One common problem right now, is misconfigured mail servers. An e-mail admin configures the SPF entry in DNS, and then forgets about it. Then they change their IP address, or they outsource their e-mail to a third party, and suddenly, SPF is saying that all of their legit mail is not legit. The other problem is when a company has (for example) an order fulfillment system that generates its own e-mails, instead of routing them through the proper mail server. If that system isn't identified in the SPF entry, those messages can be rejected.

Another "problem" is when organizations send messages on behalf of other individuals or organizations (like the legit message that avon.com tried to send me this morning that was being generated by filltek.com, but without the permission of avon.com's SPF entry). I put "problem" in quotes, because really, third party messaging services should not forge the From line of the message.

On the other hand, it's great, in that it blocks all those stupid e-cards, because they claim to be from your.friend@gmail.com, when really they're being sent by stupid-e-card.com.

The biggest problem is dealing with "forwarding" services, like your @acm.org e-mail address. On my server, I have to keep a list of domains that "bypass" SPF checks, because any message sent to a forwarded address is going to arrive at your mail server from the forwarded (i.e. mail.acm.org), but it's going to have the header information associated with the original message. OpenSPF.org talks about some ways to deal with this, but I haven't look at it in a while.

Since SPF is still not universally accepted, it has a "soft fail" option that you can use for testing, until you're sure that it works the way you want it to. It's not the be-all-and-end-all, but it is a useful piece of the puzzle.

Setting up DKIM (1)

muphin (842524) | more than 4 years ago | (#30482126)

I was recently appointed an IT Manager and was told to stop the spam, as management was getting at least 300 spam a day, each.
Our current email provider would NOT implement DKIM, but I did have control of my domain records.
SPF is too easy to implement; see http://www.openspf.org/ [openspf.org]
DKIM on the other hand took a while. I tried DKIMproxy but couldn't get it to sign messages outside the local network, so I moved to amavis, see: http://www.faqforge.com/linux/how-to-enable-dkim-email-signatures-in-amavisd-new-and-ispconfig-3/ [faqforge.com]
There are plenty of manuals and support on how to implement SPF and DKIM; I do not see why (for the benefit of the provider) it's not being implemented.
I have seen so many web hosts provide hosting and disable this feature; it's inexcusable.

SPF: proves an email should only be legitimised if the sender server matches the record; as many assume, it's not an anti-spam measure but is there to ensure that the server you send from doesn't send spam through your domain.
DKIM: proves that the email sent WAS from your server by referencing the key generated in the email to the one on your public DNS record.

Combining both ensures people receiving your email that you are the one sending it and that you sent it from your server.

By implementing SPF, DKIM and DNSBL (you should see the amount of spam that gets denied now) my boss' spam has reached probably 5 a day, which is a protection rate of 98.4%. The only issue I have is with China; since we communicate with manufacturers in China and they have a huge spam rate, it can get complicated.

There are two methods: stop spam from sending to you (DNSBL) and stop spam from sending from you (SPF and DKIM). The latter ensures people will get your email; the former still blocks legitimate email from blocked IPs, which is still a worry :(

Now to get sites to read the SPF records. (1)

Animats (122034) | more than 4 years ago | (#30482170)

I have strict "-all" SPF records on all my web sites. But I still get mail bounces from joe-jobs that the recipient host should have rejected during the SMTP session from the spammer.

Yes, but only "neutral" (1)

adaviel (1189751) | more than 4 years ago | (#30482242)

Last time I looked, forwarding was a show-stopper. Sender rewriting was complicated, and users' mail client configs would be broken if they used a local SMTP server at home or while travelling.

Reduces 100% "from self" spam and 50% other (1)

misnohmer (1636461) | more than 4 years ago | (#30482284)

I've been running a few email domains of my own for years. Adding SPF checking on the receive end provided me with a few decent benefits:
1. Adding SPF record got rid of backscatter almost completely (a benefit mentioned by another poster already)
2. Adding SPF checking on the receive end got rid of "addressed to self" spam 100% - that was 2-15 emails a day for different mailboxes
3. Rejecting emails per SPF record actually manages to reject over 50% of what would have ended up in my junkmail folder anyway, which makes it much easier to scan through junk
4. I set up my server to actually reject the emails with an informative message. This means that if a valid email gets rejected, the sending server (not my server) should send a delivery failure to the sender. Without this that email would have likely ended up in an overcrowded junkmail folder anyway, which means I may have just deleted it - better that the sender knows
5. The SPF result on the receive end is also factored in by the Intelligent Message Filtering of Exchange, which assigns a spam likelihood. I set up a threshold for the spam likelihood which also rejects the email during the receive, leaving the burden of sending the non-delivery message to the sender server (so valid servers do it, spam bots don't).
6. Tarpitting also helped a bit for spam rejection, though unrelated to the SPF record.

PS> This is about the usefulness of SPF, not about my choice of servers, but if you really want to know I use both Exchange and Postfix to route my mails to appropriate mailboxes. Both have features the other doesn't (e.g. Postfix wildcarding, unlimited mailboxes, etc | Exchange Blackberry Enterprise Server integration, calendar, contacts, SPF integrated with IMF, OWA, etc).

It's caused us some problems. (1)

Fross (83754) | more than 4 years ago | (#30482316)

I work for an organisation that has a private email system (private as in hardware, network lines). SPF works fine on that, though is also redundant. However, the network is accessible to other networks (ie the internet, as in, people can send mail to regular mail addresses, and vice versa), and SPF breaks here.

Due to the jump to the network, the "sender" is always the provider who handles said connectivity, where our area of the private network touches the internet. Thus we've had to completely disable SPF as it always comes back with negative results.

A good idea in principle, but fails when the two mail servers cannot immediately talk to one another. You'd need something like a validation chain to allow that scenario to work.

Yes & Yes (2, Interesting)

Iphtashu Fitz (263795) | more than 4 years ago | (#30482336)

Yes, I use SPF to identify the MX's of three domains I own, and Yes I use SPF as one of the things SpamAssassin uses for identifying spam. Granted these domains are tiny in the grand scheme of things (one is for family, one for some shareware I wrote, and one for a non-profit my brother is involved in), but it definitely helps. I wrote a script that sends me monthly stats of spam, and here are the results for the last month:

sa score : 1 messages :299
sa score : 2 messages :194
sa score : 3 messages :235
sa score : 4 messages :299
sa score : 5 messages :477
sa score : 6 messages :597
sa score > 10 messages : 31678
highest sa score = 57

total probable spam (sa score of 5 or more) : 32752
total spam blocked outright by sa : 37110

e-mail blocked via SPF : 3007
Unique IP's that passed SPF check : 1389

We only block spam if the SpamAssassin score is above 10, but we tag anything above 5 as spam so the end users can decide what to do with it. As far as SPF goes, in the last month over 3000 bogus e-mails were dropped due to SPF failures, and 1389 other e-mails that were accepted were approved in part because the domains had SPF records that passed the check.
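The monthly figures above come from a script the poster does not show. As an added example (not the poster's script), the following summariser produces the same kind of counters from filter logs: a score histogram with the "tag at 5, block above 10" split the post describes, the number of messages refused at SMTP time by an SPF policy check, and the number of distinct client IPs whose SPF check passed. The log format is constructed for this example and is not real spamd or Postfix output; adapting the two regular expressions is all a practitioner would need to change.

```python
"""Summarise SpamAssassin scores and SPF outcomes from mail-filter logs.

Added example, not the poster's own script. The log lines below are
constructed: one line per scanned message carrying the SpamAssassin score
and the SPF result, plus one line per message refused at SMTP time by an
SPF policy check. Thresholds follow the post: tag at 5, block above 10.
"""
import math
import re
from collections import Counter

TAG_THRESHOLD = 5.0      # tagged as spam but delivered; the user decides
BLOCK_THRESHOLD = 10.0   # dropped outright

# Constructed sample log; IPs are from documentation ranges, not real senders.
SAMPLE_LOG = """\
mx spamd: result Y 12.3 from=198.51.100.7 spf=pass
mx spamd: result N 1.2 from=198.51.100.8 spf=pass
mx spamd: result Y 5.1 from=203.0.113.9 spf=none
mx spamd: result Y 57.0 from=203.0.113.10 spf=fail
mx policy-spf: reject from=203.0.113.11 spf=fail
mx policy-spf: reject from=203.0.113.12 spf=fail
mx spamd: result Y 6.4 from=198.51.100.8 spf=pass
mx spamd: result N 3.9 from=192.0.2.5 spf=none
"""

SA_LINE = re.compile(
    r"spamd: result [YN] (?P<score>-?\d+(?:\.\d+)?) from=(?P<ip>\S+) spf=(?P<spf>\w+)")
SPF_REJECT_LINE = re.compile(r"policy-spf: reject from=(?P<ip>\S+) spf=fail")


def summarize(log_text):
    """Return the counters the post reports, as a dict."""
    histogram = Counter()   # whole-number score buckets 0..10, or ">10"
    scores = []
    passed_ips = set()
    spf_rejected = 0
    for line in log_text.splitlines():
        m = SA_LINE.search(line)
        if m:
            score = float(m.group("score"))
            scores.append(score)
            bucket = ">10" if score > BLOCK_THRESHOLD else math.floor(score)
            histogram[bucket] += 1
            if m.group("spf") == "pass":
                passed_ips.add(m.group("ip"))
            continue
        if SPF_REJECT_LINE.search(line):
            spf_rejected += 1          # never reached the content filter
    return {
        "histogram": dict(histogram),
        "highest": max(scores, default=0.0),
        "probable_spam": sum(1 for s in scores if s >= TAG_THRESHOLD),
        "blocked_by_sa": sum(1 for s in scores if s > BLOCK_THRESHOLD),
        "blocked_by_spf": spf_rejected,
        "unique_spf_pass_ips": len(passed_ips),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key:<20} {value}")
```

Messages refused by the SPF policy check are counted separately from the score histogram because, as in the post, they are rejected before the content filter ever sees them, so they never receive a score.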

I've been using SPF for several years... (1)

dpilot (134227) | more than 4 years ago | (#30482340)

...in conjunction with my DynDNS vanity domain. When I first set it up, there was a rush of backscatter, then it tapered off and went away, never to return.

More recently I've started having problems of a different sort. I've been on a certain mailing list for over a year, though not posting very often. Last week I posted to a thread, and got an SPF violation notice from what looks like AOL in Australia, on behalf of someone with 2 apparent domains, neither of which is AOL. The violation notices seem to think that MY mail is originating from an AOL server, so the AOL server is generating an SPF fail. These notices are being generated for only one list subscriber, for every time I post to the list. It looks like a misconfigured AOL server (Would you expect anything else?) to me. Still, that's one aspect of SPF and presumably DKIM - other peoples' misconfigured machines.

I set up SPF and regret doing so (1)

mi (197448) | more than 4 years ago | (#30482344)

I set it up and regret it. First, it broke things for one of my correspondents (at least this one — who bothered to tell me about it), who forwards all e-mails to his cell-phone. Because the messages are forwarded by his e-mail provider, but appear as if from me, his cell-phone service rejects them — because his e-mail provider is not listed in my SPF-record. So, he finds my messages in his mailbox, but is not alerted about them (as he is used to) by his phone...

Then, it turned out, my SPF-record is set slightly incorrectly, which — bizarrely enough — causes outright rejection by many servers. In this respect, people with buggy SPF-records are treated worse, than people without it... This is partially my fault, so this second item is just here for general interest.

And lastly, I am still a victim of "Joe jobs" every once in a while, as spammers send spam with the "From" set to my domain — my having an SPF record is not much of a deterrent, evidently.

Overall, the broken forwarding is, probably, responsible for slow adoption, which, in turn, makes it ineffective for the adopters...
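The breakage described in this post, and the "sender rewriting" adaviel mentions earlier in the thread, are two sides of the same problem: a forwarder relays a message with the original envelope sender intact, so the final hop checks the forwarder's IP against the original domain's SPF record and gets a fail. The usual fix is the Sender Rewriting Scheme (SRS), where the forwarder rewrites the envelope sender into its own domain (so SPF is checked against the forwarder's record) and can later undo the rewrite when a bounce comes back. The following is an added example, not code from the thread or from any SRS library: the address layout follows the published SRS0 form (SRS0=hash=timestamp=original-domain=original-local@forwarder) and the 1024-day timestamp wheel of that scheme, while the forwarder domain, secret, maximum bounce age and sender addresses are constructed for the example.

```python
"""Sender Rewriting Scheme (SRS0) for a forwarding host.

Added example, not code from the thread or from any SRS library. The
forwarder domain, HMAC secret, maximum age and addresses are constructed.
The hash binds timestamp, original domain and local part so that a bounce
aimed at an SRS address cannot be forged or replayed against an arbitrary
original sender.
"""
import base64
import hashlib
import hmac
import time

FORWARDER = "forwarder.example"        # assumption: the forwarding host's domain
SECRET = b"constructed-srs-secret"     # assumption: the forwarder's HMAC key
MAX_AGE_DAYS = 21                      # bounces older than this are refused
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # alphabet for the 2-char timestamp


def _days_now():
    return int(time.time() // 86400)


def srs_timestamp(days):
    """Two base32 characters encoding days-since-epoch modulo 1024."""
    days %= 1024
    return B32[days >> 5] + B32[days & 31]


def srs_hash(timestamp, domain, local):
    """Short HMAC over timestamp, original domain and original local part."""
    msg = (timestamp + domain + local).lower().encode()
    digest = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]


def srs_forward(sender, days=None):
    """Rewrite the envelope sender (MAIL FROM) for relaying through FORWARDER."""
    local, domain = sender.rsplit("@", 1)
    ts = srs_timestamp(_days_now() if days is None else days)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{FORWARDER}"


def srs_reverse(address, days=None):
    """Recover the original sender from a bounce to an SRS address.

    Returns None when the address is not ours, the hash does not verify
    (tampered or forged), or the timestamp is older than MAX_AGE_DAYS.
    """
    local, _, domain = address.rpartition("@")
    if domain.lower() != FORWARDER or not local.startswith("SRS0="):
        return None
    parts = local.split("=", 4)          # the original local part may contain "="
    if len(parts) != 5:
        return None
    _, h, ts, orig_domain, orig_local = parts
    ts = ts.upper()
    if len(ts) != 2 or any(c not in B32 for c in ts):
        return None
    if not hmac.compare_digest(h, srs_hash(ts, orig_domain, orig_local)):
        return None
    stamped = (B32.index(ts[0]) << 5) | B32.index(ts[1])
    age = ((_days_now() if days is None else days) - stamped) % 1024
    if age > MAX_AGE_DAYS:
        return None
    return f"{orig_local}@{orig_domain}"


if __name__ == "__main__":
    rewritten = srs_forward("alice@sender.example")
    print(rewritten)                    # what the next hop sees as MAIL FROM
    print(srs_reverse(rewritten))       # alice@sender.example
```

With this in place the forwarded message's envelope sender is in the forwarder's domain, so the recipient's SPF check is made against the forwarder's own record, which does list the forwarder's IP; the original author's "-all" record is no longer consulted on that hop. The message headers, including the visible From:, are left unchanged.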

Care about your domain's reputation? Do it anyway. (1)

harr2969 (105745) | more than 4 years ago | (#30482358)

If you're in business, or if you care about your domain's reputation, you should be implementing SPF to prevent others from sending mail (aka joe-jobbing) as your domain.

Even if you DON'T care about your reputation, your life will be easier if you don't have to deal with the back-scatter (complaints, threats, invalid postmaster replies, out of office messages, etc) from a massive joe-job/spamming effort which is spoofing your domain.

You CAN make a substantial dent in these types of attacks with SPF. There are levels of SPF "certainty". In order to be most effective, you need to list all your sending servers with a dash "-all" for example, a major financial uses:

text ="v=spf1 ip4:207.162.228.0/24 [shortened] -all"

On the receiving side, most SPF implementations will (and should) respect the certainty of the sender's SPF record. In the above example the financial implemented the "-all" qualifier, so if mail comes in from a place not on that list, based on their assertion I can safely drop it as spam. If they used a "?all" or other, I might only increment the spam probability or tag it [maybe spam].

When implementing your DNS SPF record, it can take time to make sure you've identified all the legit senders of mail with your domain name if you're a large company. Keep at it and come back here and let me know, I'll give you a pat on the virtual back for doing THE RIGHT THING.

http://www.openspf.org/ [openspf.org]

I have it with -all (1)

Nuitari The Wiz (1123889) | more than 4 years ago | (#30482372)

A few people are inconvenienced because they have to connect to a different port than the default due to ISP firewalling.

I would really really like it if more ISPs were checking them and silently discarding anything that is flagged as spam _AND_ fails SPF instead of bouncing it back.

We get thousands of bounces addressed to non-existent users, which in turn becomes a double bounce. Of course now I've set our system to silently delete them instead. Else it's just a colossal waste of resources.

Wow, what a bunch of clueless responses (1)

BlortHorc (305555) | more than 4 years ago | (#30482432)

A very restricted SPF TXT record that specifies _precisely_ which IP addresses an incoming SMTP for a given domain an email _must_ come from cannot hurt. At best, your IT admins have wasted a half hour, at best they have significantly improved the chance of your outgoing email being not treated as suspicious by bulk email handlers such as yahoo, gmail and hotmail (especially hotmail).

You want proof? Check your shit. http://postmaster.live.com/Services.aspx [live.com] . And no, I don't work for MS, but damn they provide the best postmaster tools on the interweb for monitoring shit like email deliverability. Don't even talk to me about the pestilence that is Yahoo!, those pricks remind me of my evil DM who used to make up pointless forms just to pass the time.

Need them to send to some domains (0)

Anonymous Coward | more than 4 years ago | (#30482446)

I use them because you can't send to some domains without an SPF record. Mainly Asian email providers, but our business has a lot of agents in Asia so the mail has to flow.

Why/What I use SPF for ... (1)

BitZtream (692029) | more than 4 years ago | (#30482450)

SPF serves multiple purposes for me.

Why I add SPF records to our DNS servers:

First and foremost, it tells everyone who my mail senders are and that they should only accept mail from my users from those servers. That's really all it does, but that results in the following things for me:
My remote users always configure their outbound mail server as our gateway, rather than their own ISP or something like that, which means that all that mail piping through me means I can do all sorts of sanity checking on the server for my users. It doesn't force them to use our mail server, but if they do, they'll end up sending to someone at Google or Yahoo who'll reject the message, at which point my user will generally have the problem fixed.

More important however is that it cuts down tremendously on backscatter spam I get.

Why I look for it when receiving mail:

Helps stop our auto-response mail addresses from producing a bunch of backscatter when they get spammed.

Stops scammers who use email addresses from large well known businesses in an attempt to make their messages look more legitimate. Pretty much every major company worth its weight in air publishes SPF records.

Problems:
It seems that services which host frontend stores for things like hotel rooms and travel seem to not understand that the server sending all their confirmation emails should probably be included in the SPF list.

That's the only thing I've run into, on hotels and ticket purchasing web sites that are managed by 3rd parties, and send messages as if they were the actual company. Universal Studios has had this problem with their ticket ordering system for at least the last 3 Halloween Horror Nights :( Seen it with a couple hotel sites as well.

I would use domain keys and SPF but... (1)

daveb1 (1678608) | more than 4 years ago | (#30482462)

I would use domain keys and SPF but... I use google apps. So I could use SPF records... but personally I prefer domain keys and don't want to use one without the other. Having pointed out to my computer faculty that they had an SPF which allowed only one host (/32) (it wasn't the mail server!) and the admin thought that softfail was soft pass.... I personally recommend against using SPF unless you do it correctly.

We publish and use SPF records (1)

dskoll (99328) | more than 4 years ago | (#30482578)

We both publish and use SPF records. We publish them in an attempt to limit backscatter from joe-jobs, but that's not very successful. Nevertheless, I like the idea of being able to declare which machines are legitimately allowed to send mail for my domain.

We also use SPF records, but in a careful way. We add lots of points for SPF "fail" results from certain domains like paypal.com, ebay.com, etc. We add a moderate number of points for SPF "fails" from domains not in that list. We subtract points for SPF "pass" results from certain trusted domains.

We certainly do not subtract points for SPF "pass" from some random domain; we have no reason to trust it. In fact, for a while, an SPF "pass" result was a mild indicator of spam, as spammers registered throwaway domains and published SPF records.
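The tiered weighting this post describes (heavy penalty for a "fail" from heavily phished domains, a moderate penalty for any other "fail", a small credit for a "pass" only from domains the receiver already trusts, and nothing at all for a "pass" from an unknown domain) is the receiver-side counterpart of harr2969's point about honouring the certainty the sender published, and of the earlier poster who maps FAIL/SOFTFAIL to a junk score. The following is an added example, not this poster's filter configuration or any product's rule set: it parses a Received-SPF header added by an upstream checker, turns the result and the envelope-from domain into a score adjustment, and combines that with a content-filter score. The domain lists, point values, thresholds and sample headers are constructed; the "result (comment) ... envelope-from=..." header layout is an assumption about the upstream checker.

```python
"""Receiver-side weighting of SPF results for a spam score.

Added example, not the poster's configuration. Domain lists, weights,
thresholds and header samples are constructed. Note that SPF speaks about
the envelope sender (MAIL FROM), so the domain scored here is taken from
envelope-from, not from the visible From: header.
"""
import re

HIGH_VALUE = {"paypal.com", "ebay.com"}   # domains named in the post; heavily phished
TRUSTED = {"gmail.com", "yahoo.com"}      # assumption: senders whose pass earns credit

POINTS = {                                # assumption: weights chosen for the example
    ("fail", "high"): 5.0,                # "-all" domain says: not mine, and it matters
    ("fail", "other"): 2.0,
    ("softfail", "any"): 1.0,             # "~all" domain only said "probably not mine"
    ("pass", "trusted"): -1.0,
    ("pass", "other"): 0.0,               # a pass from a throwaway domain proves nothing
}
TAG_THRESHOLD = 5.0
REJECT_THRESHOLD = 10.0


def parse_received_spf(headers):
    """Return (result, envelope-from domain) from the first Received-SPF header."""
    m = re.search(r"^Received-SPF:\s*(\w+)([^\n]*)", headers, re.I | re.M)
    if not m:
        return "none", ""
    result = m.group(1).lower()
    ef = re.search(r"envelope-from=\"?<?([^\s;\">]+)", m.group(2), re.I)
    sender = ef.group(1) if ef else ""
    return result, sender.rpartition("@")[2].lower()


def spf_points(result, domain):
    """Score adjustment for one SPF result on one envelope domain."""
    if result == "fail":
        return POINTS[("fail", "high" if domain in HIGH_VALUE else "other")]
    if result == "softfail":
        return POINTS[("softfail", "any")]
    if result == "pass":
        return POINTS[("pass", "trusted" if domain in TRUSTED else "other")]
    return 0.0   # neutral, none, temperror, permerror: no evidence either way


def classify(headers, base_score):
    """Combine the content-filter score with the SPF adjustment."""
    result, domain = parse_received_spf(headers)
    delta = spf_points(result, domain)
    total = base_score + delta
    if total >= REJECT_THRESHOLD:
        action = "reject"
    elif total >= TAG_THRESHOLD:
        action = "tag"
    else:
        action = "deliver"
    return {"spf": result, "domain": domain, "delta": delta,
            "total": round(total, 2), "action": action}


# Constructed headers for the usage run; the IP is from a documentation range.
SAMPLE_FAIL = ("Received-SPF: fail (mx.example: domain of paypal.com does not designate "
               "203.0.113.5 as permitted sender) client-ip=203.0.113.5; "
               "envelope-from=billing@paypal.com;\nFrom: billing@paypal.com\n")
SAMPLE_PASS = ("Received-SPF: pass (mx.example: sender is permitted) "
               "client-ip=198.51.100.9; envelope-from=alice@gmail.com;\n")

if __name__ == "__main__":
    print(classify(SAMPLE_FAIL, 3.0))
    print(classify(SAMPLE_PASS, 5.5))
```

The asymmetry is deliberate and matches the post's reasoning: a fail is a statement by the domain owner, so it can safely move the score, whereas a pass from a domain nobody has heard of is exactly what a spammer who registered a throwaway domain and published a record for it would produce.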

Graph showing adoption (1)

kingradar (643534) | more than 4 years ago | (#30482646)

I am one of the admins for the free email service Lavabit. We have a graph on the net showing adoption, built from about 150k messages a day. (We don't include messages for users who have disabled this inbound check, or for messages which are blocked for some reason other than SPF.)

http://lauren.lavabit.com/export/graph_162.html [lavabit.com]

Yes and it helps (1)

vvaduva (859950) | more than 4 years ago | (#30482658)

I use them for all the domains I manage (maybe about 200+ domains) and forged spam has disappeared since. It doesn't take that much time to set it up, so why not do it?

We use postini, and postini doesn't use it. (1)

zerofoo (262795) | more than 4 years ago | (#30482732)

We use Postini, and postini handles the delivery of our mail. We have yet to have any organization block our mail while it is delivered by postini. It seems that most mail admins implicitly trust that postini's servers aren't spewing spam.

As far as postini's position on using SPF to identify spam:

Postini has investigated SPF and has decided not to implement it as a
feature for inbound mail processing. Implementing SPF would add
significant processing overhead without adding any appreciable
effectiveness to the spam filtering. Almost all mail that would be
blocked by SPF are also identified as spam by our spam filters.

In addition, Postini tracks the IP addresses of Fortune 500
corporations and the most popular internet sites such as Yahoo,
Hotmail, eBay, etc. Adding these domains to the Approved Senders list,
particularly at the organization level, is not usually needed and can
result in spam appearing to be sent from those domains inadvertently
getting to users' mailboxes. For this reason, Postini recommends
against using the Approved Senders list in this way; rather, it should
be used only for mail from senders that has previously been falsely
quarantined as spam.

The other reason I have not published an SPF record: Verizon is hosting our DNS services, and when I asked their business services about adding SPF records to my domain the guy on the other end of the telephone had NO idea what I was talking about.

After 3 or 4 call transfers I just gave up.

-ted

Only once ... (1)

Tux2000 (523259) | more than 4 years ago | (#30482756)

... in my last job, we had a lot of clients using Microsofts mail services. M$ gave you basically two choices: Implement SPF or have your mails delivered to the spam folder or refused. So, we made our DNS provider add SPF records and the problem was gone.

Tux2000

Kinda (1)

MBGMorden (803437) | more than 4 years ago | (#30482762)

I'm "kinda" using it, in that yes, I set up an SPF record for my domain at work, but I'm not actively checking the SPF records of any incoming mail. I kinda question whether it's of any use at all. I set up our record because it seemed the wise thing to do, but honestly given how many domains don't have SPF records set up I'm not sure ANYONE is actively checking them for incoming mail. Without more usage the system is kinda useless.
