[Wylug-discuss] SPF records

James Holden wylug at jamesholden.net
Tue Sep 20 10:21:48 BST 2005



Nigel Metheringham wrote:

[snip]

> It's also been interesting watching large providers back away from SPF -
> a number of major providers no longer publish SPF records, and others
> have changed their records to make them effectively advisory - i.e. useful
> only for scoring.  In fact SPF is best considered as an additional input
> to a scoring system like that operated by SpamAssassin and is not safe
> to reject mail on alone.

Agreed. There are no mail filtering processes that are reliable enough
to make an absolute decision on whether to accept or reject the mail
with certainty. SpamAssassin or similar is essential to aggregate the
different aspects.

>>We have a number of laptop users who can connect back to our LAN/WAN using VPN. 
>>For us, there is nothing that stops these users from sending emails from their 
>>work email address while *disconnected* from the VPN (e.g. while connected to 
>>their home ISP), and if I were to implement a strict SPF record then such emails 
>>would legitimately be considered to be from a non-authentic source - and 
>>therefore perhaps fraudulent.
> 
> 
> Allowing company email to bypass company systems is a dangerous
> precedent.

Spot on, for both political and technical reasons. It's technically
difficult to enforce this though, but at least if you put in place
policies that acknowledge that this may happen, you can mitigate the
effects to some extent.

>>I was wondering whether anyone else had successfully addressed this problem with 
>>either policy or technology, and if so, how.
> 
> 
> The answer to this is to enforce company email passing through your mail
> servers.  You should do this by having a SMTP server available to those
> outside the network accepting email on the MSA port (port 587 - Mail
> Submission), which should be SMTP/TLS with enforced authentication. The
> use of the standard MSA port should allow connections from SMTP blocking
> networks.  Personally I have my laptop always connect to the external
> facing SMTP server since that means things work for me both inside and
> outside the network.

In terms of policy, it's difficult to enforce. Anyone can spoof anyone's
mail, it's inherently open to abuse.

Definitely have a mail relay available to those outside the company
network with appropriate authentication and encryption (I've noticed
that SMTP/SSL seems to be more supported in the MS world, my Windows
smartphone supports SMTP and IMAP over SSL).

Getting a little more creative, you might also consider having your
'real' outbound mail server add some sort of signature to the email. By
this I mean a digital signature on the message content. This need not
necessarily be a S/MIME or PGP signature in the conventional sense, but
some method of validating that the data was sent via a company
authorised system.

Adding this signature would lend weight to any company policy by
allowing the assertion that the company will not stand by the
authenticity of any message not bearing the signature. You could use an
analogy of sending company letters without the proper letterheaded
paper. I haven't given much thought to exactly how to implement this
because I'm not really a crypto guru.



James


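An added example, not code from James's or Nigel's mail: a minimal SPF evaluator run against a constructed DNS table (the `.test` domains and documentation-range IPs are made up), showing how a laptop sending from a home ISP address fails a strict `-all` record but only softfails an advisory `~all` one, and how the result is turned into a score contribution rather than an accept/reject decision.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (not real domains or records).
# "-all" is strict: any other IP fails; "~all" is advisory: it only softfails.
DNS_TXT = {
    "example.test": "v=spf1 ip4:203.0.113.0/24 include:relay.example.test -all",
    "relay.example.test": "v=spf1 ip4:198.51.100.25 ~all",
    "advisory.test": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Evaluate the SPF record of `domain` for the connecting IP.

    Supports only ip4/ip6/include/all mechanisms; records come from DNS_TXT.
    Returns one of pass/fail/softfail/neutral/none/permerror.
    """
    if depth > 10:
        return "permerror"  # guard against include loops / lookup limit
    record = DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # a v4 address never matches a v6 network and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            # an include matches only if the referenced record yields "pass"
            if check_spf(arg, client_ip, depth + 1) == "pass":
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" present


# Assumed weights: feed the result into a score, never reject on SPF alone
SCORE = {"fail": 3.0, "softfail": 1.0, "neutral": 0.0,
         "none": 0.0, "permerror": 0.0, "pass": -0.5}


def spf_score(domain, client_ip):
    """Score contribution for one message, in the SpamAssassin spirit."""
    return SCORE[check_spf(domain, client_ip)]
```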
