Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft to Deploy SPF for Hotmail Users

Posted by michael on from the ever-so-slightly-less-spam dept.

wayne writes "In a show of just how much Microsoft wants to put an end to email forgery, Hotmail, MSN and Microsoft.com will start enforcing Sender ID checks by Oct 1. In late May, MicroSoft announced that they would be adopting the Open Source SPF anti-forgery system (with a slight modification to make it Sender ID) and they have been working together with the IETF MARID working group to help create an RFC to define the Sender ID standard. Already tens of thousands of domain owners, such as AOL, Earthlink, and Gmail, have published SPF records, and thousands of systems are already checking SPF records. Publishing SPF records is easy, as is checking SPF records."

4 of 562 comments (clear)

  1. Re:PGP/GPG? by FooAtWFU · · Score: 5, Informative

    PGP/GPG are nice, but they have nothing to do with the anti-spamming technology present in SPF. All SPF is, is special data set in your DNS telling you which hosts are allowed to send mail on behalf of your server. That way when your 0wn3d computer sends mail from "hotgirl@hotmail.com", people can tell it's a fake.

    --
    The World Wide Web is dying. Soon, we shall have only the Internet.
  2. Re:Making sure I see my role in this... by YetAnotherDave · · Score: 5, Informative

    SPF allows you to state a list of servers which are qualified to send.

    So you could add your server + your ISP's servers, so your fallback would still be within your SPF record

  3. Re:What is the difference between SenderID and SPF by wayne · · Score: 5, Informative
    Okay, all I know is that SPF is a good deal simpler than SenderID and much more popular, due to the simple text format verses the use of XML.

    XML was dropped from the Sender ID spec by the IETF last month.

    The primary difference between SPF and Sender ID is that Sender ID also has the ablility to check the RFC2822 From: email header in addition to the RFC2821 envelope from value. This is something that most of the people in the SPF community wanted to do all along, but it would require changes in end-user mail systems, such as outlook, to do right. Without the support from MicroSoft, this couldn't really be done.

    --
    SPF support for most open source mail servers can be found at libspf2.
  4. Missing the point by eadz · · Score: 5, Informative

    A great opt in solution... .. If you don't have SPF records in your DNS, it doesn't mean Hotmail won't accept your mail.

    If you DO have SPF record for your domain, and the message wasn't sent from one of the specified IP addresses, then Hotmail may block your message.

    But the real kicker is when you recieve a message from someone@hotmail.com. If the IP address used to send the message isn't listed in hotmail's SPF TXT DNS record then you know it's not a message sent from hotmail. And same for Gmail :

    dig -t txt gmail.com
    gmail.com. 300 IN TXT "v=spf1 a:mproxy.gmail.com a:rproxy.gmail.com -all"

    Which means that the only servers authorized to send mail from @gmail.com are mproxy and rproxy.gmail.com