[Nottingham] email spam-proofing - Sender Policy Framework

[ForkBombFluf]

On Sat, 7 Jun 2008, Martin wrote:
> 
> In the ever turgid fight against spam and advertising...
>
> Anyone using SPF for confirming the authenticity of email senders?
>
> Sender Policy Framework
> http://www.openspf.org/


Hi Martin,

Funny you mention this, I was helping a friend deal with the fallout of 
SPF just last weekend.  Some recipient domains check for an SPF policy in 
the DNS records of the sender's domain, and if there isn't one (or in this 
case, the IP he was sending from didn't match the policy), then the 
receiving domain rejects the e-mail as spam (and in his case, it wasn't! 
Yet the person who should have received his e-mail was adamant this was 
his problem and he must be ignorant of some well-known internet standard!)

This is an even bigger pain in the rump if you have a domain name, but 
don't have the ability (technical or physical) to manage your own DNS 
records.

SPF seems like a good idea, attempting to make sure that the sender's 
e-mail address matches the domain it is actually being sent from, but the 
uptake of it is spotty and it is far from a conventional standard, yet 
most non-techhie people don't seem to be aware of how tenous most methods 
of spam filtering actually are.  As always, it's much easier to assingn 
blame than come to grips with the brunt of the problem.

There is a nice Python based tool for testing the behavior of an SPF 
record using various sending IP address/e-mail address combintations at:

http://www.kitterman.com/spf/validate.html

which is what I used to test the new record I created for him.

Cheerz,

-Stef