[Nottingham] email spam-proofing - Sender Policy Framework
Graeme Fowler
graeme at graemef.net
Sat Jun 7 21:58:16 BST 2008
Martin wrote:
> Anyone using SPF for confirming the authenticity of email senders?
Many do, but it's almost completely useless. All SPF does is to say "the
sending host has permission to send on behalf of the domain the mail
appears to be from". The widest early adopters? Spammers, using the
record which says "this domain can send from anywhere" which validates
as an SPF "Pass".
I have an SPF record as follows:
"v=spf1 ip4:82.113.142.73 ip4:82.113.142.74 a mx include:lboro.ac.uk
include:lut.ac.uk ~all"
Which says, translated:
IP addresses 82.113.142.73 & 82.113.142.74, the A records for the
domain, the MX records for the domain, and hosts within a defined SPF
record for lboro.ac.uk and lut.ac.uk (my workplace) are permitted to
send mail on behalf of or from graemef.net.
The "~all" on the end means other hosts would "Softfail". This means:
"Receiving software SHOULD NOT reject the message based solely on this
result, but MAY subject the message to closer scrutiny than normal"
(from RFC4408).
Essentially, ~all is a cop-out. I *might* find myself in a position
where I send from a host not listed in my SPF record and I don't want
that mail rejected. I should change that to "-all" soon.
As it happens, much email which I *could* reject via SPF is rejected by
my inbound MX for myriad other reasons before it even gets to the point
of an SPF lookup.
All SPF allows you to do is to verify that the sending host is allowed
to send MAIL FROM the domain it wants to. It in no way guarantees that
the following message isn't spam. To use it as an anti-spam tool in
isolation is, sadly, just plain wrong.
Graeme
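As an added illustration of the mechanics the post describes (this is example code written for this page, not Graeme's or any SPF library's), the following Python implements a minimal RFC 4408 check_host() over a constructed, offline DNS table. The graemef.net TXT record is the one quoted above; the A/MX answers for graemef.net, the lboro.ac.uk and lut.ac.uk records, and the spammer.example, strict.example and loop.example names are assumptions invented for the demonstration. It shows how ip4/a/mx/include terms are walked, how "~all" yields softfail while "-all" yields fail, that a "+all" record returns "pass" for any sending IP at all, and that the RFC's 10-lookup limit turns an include loop into permerror.

```python
"""Minimal SPF (RFC 4408) check_host() over a constructed offline DNS table.
Example code added for this page; not the poster's software or a real resolver."""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed zone data (assumption, not real DNS). The graemef.net TXT record is
# the one quoted in the post; every other answer here is made up for the example
# and uses RFC 5737 / RFC 3849 documentation ranges.
FAKE_DNS: Dict[Tuple[str, str], List[str]] = {
    ("graemef.net", "TXT"): ["v=spf1 ip4:82.113.142.73 ip4:82.113.142.74 a mx "
                             "include:lboro.ac.uk include:lut.ac.uk ~all"],
    ("graemef.net", "A"): ["192.0.2.10"],
    ("graemef.net", "MX"): ["mail.graemef.net"],
    ("mail.graemef.net", "A"): ["192.0.2.25"],
    ("lboro.ac.uk", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("lut.ac.uk", "TXT"): ["v=spf1 include:lboro.ac.uk -all"],
    ("strict.example", "TXT"): ["v=spf1 ip4:82.113.142.73 -all"],
    ("spammer.example", "TXT"): ["v=spf1 +all"],            # "send from anywhere"
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10   # RFC 4408 s10.1: more than 10 a/mx/include terms -> PermError


def lookup(name: str, rrtype: str) -> List[str]:
    return FAKE_DNS.get((name.lower(), rrtype), [])


def spf_record(domain: str) -> Optional[str]:
    """First TXT record starting with the v=spf1 version tag, or None."""
    return next((t for t in lookup(domain, "TXT")
                 if t.lower().split(" ", 1)[0] == "v=spf1"), None)


def _addrs(name: str) -> List[IPAddr]:
    return [ipaddress.ip_address(a) for a in lookup(name, "A") + lookup(name, "AAAA")]


def _in_cidr(ip: IPAddr, hosts: List[IPAddr], cidr: str) -> bool:
    """True if ip falls inside host/cidr for any host of the same IP version."""
    for h in hosts:
        if h.version != ip.version:
            continue
        if ip in ipaddress.ip_network(f"{h}/{cidr or h.max_prefixlen}", strict=False):
            return True
    return False


def check_host(ip: str, domain: str, _state: Optional[dict] = None) -> str:
    """RFC 4408 check_host(): pass, fail, softfail, neutral, none or permerror."""
    state = _state if _state is not None else {"lookups": 0}   # shared across includes
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" tag
        qualifier = "+"                      # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        body, _, cidr = term.partition("/")  # "a/24", "ip4:x/24"; ip6 keeps its colons
        mech, _, arg = body.partition(":")
        mech = mech.lower()
        if "=" in mech:                      # modifiers (redirect=, exp=) out of scope
            return "permerror"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(f"{arg}/{cidr}" if cidr else arg, strict=False)
            matched = addr in net            # False when IP versions differ
        elif mech in ("a", "mx", "include"):
            state["lookups"] += 1
            if state["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"
            target = arg or domain
            if mech == "a":
                matched = _in_cidr(addr, _addrs(target), cidr)
            elif mech == "mx":
                matched = any(_in_cidr(addr, _addrs(mx), cidr) for mx in lookup(target, "MX"))
            else:                            # include: only a recursive "pass" matches
                inner = check_host(ip, target, state)
                if inner in ("none", "permerror"):
                    return "permerror"
                matched = inner == "pass"
        else:
            return "permerror"               # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched


if __name__ == "__main__":
    for ip, dom in [("82.113.142.73", "graemef.net"), ("203.0.113.9", "graemef.net"),
                    ("203.0.113.9", "strict.example"), ("203.0.113.9", "spammer.example"),
                    ("203.0.113.9", "loop.example")]:
        print(f"{ip:>15} from {dom:<16} -> {check_host(ip, dom)}")
```

The spammer.example case is the post's point in one line: any IP gets "pass", so a Pass is a statement about authorisation by the domain owner, not about the message. The softfail result for an unlisted host is what a receiver sees from the "~all" record, and the quoted RFC text is why that result alone is not a rejection.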