Does SPF Really Help Curtail Forged Email Headers?

Intelopment asks: "My Domain name has recently been used a lot in the 'Reply' field by some inconsiderate spammer, and my ISP has suggested that I consider using the Open SPF service as a way to stop spammers from using my domain name for in their mail headers field. From what I can tell, it requires the receiving mail server to actually participate in the SPF service, which is where I have my doubts. Does anyone have any experience with this service? Does it work? Are many ISPs using Open SFP?"

Some do

[Asgard]

I know of at least one ISP that checks SPF records. SPF costs very little to implement in most cases and does not break email for someone who is not using it. Based on that there is really no reason *not* to implement it. It won't completely solve the problem, but it does enable someone who is SPF-aware to filter those emails.

Re:Some do

[Mr.+Slippery]

SPF costs very little to implement in most cases and does not break email for someone who is not using it.

SPF breaks forwarding. It is a badly brain-damaged scheme.

A few years back it was alleged that more spam than valid e-mail was being sent using SPF.

SPF is bad, mkay? It should have been taken out behind the barn and put out of our misery a long time ago. Don't use it, and don't encourage it.

DomainKeys is a much smarter scheme. Use and encourage it instead.

Re:Some do

[Bert64]

SPF breaks "vanity forwarding" as described in that site, but surely if *you* set up a forwarding service you can whitelist or special case that service, since the forwarding service will only be sending mail to you. If you configure it as a forwarding service on your mailserver, and you trust that service, then your mailserver can compare the spf records against the headers added by the forwarding service instead of the actual address the connection came from.

Now i run an ISP with a large number of customer domains, so it's in my interest to minimise the number of forgeries.

SPF may have its flaws, but its easy to implement for your domain and significantly cuts down on the forged mail purporting to come from your domain.

Domainkeys on the other hand, requires you to append a signature to every outbound mail in order to be effective. This would require me to modify my outbound mailserver, in itself not a serious problem. I would also need a patch that supports multiple private keys, since my outbound servers support multiple domains.
Then we have users who sometimes use other servers for sending mail, for instance i have several hosting customers who use their own isp's local server to send mail because their isp blocks outbound port 25 connections (to prevent spam drones). The only way i could get round this, is to run an smtp server on a nonstandard port for them to use, but try explaining that to end users.
Then you have things like blackberry users, who use their telco's blackberry service to send mail from their domain. I doubt it will be easy to get their telco to add domainkeys support and their own private key to their outbound mail servers.

It does help, but...

[Meostro]

... but only if you use it.

Add SPF to your domain, and whatever subset of ISPs / mailservers that use it probably won't bug you. The only downside of using SPF is that you may have to change your DNS records if you want to use a new mailserver, but most people that I know only use one or two servers for outgoing mail for any one domain.

One DNS line to potentially stop a joejob against you - it's a no-brainer, even if you "have [your] dobuts". Go to the SPF Setup Wizard, fill in your servers and copy the IN TXT line.

See if it works, and proceed from there. If it doesn't, go back to the ISP and complain.

Re:It does help, but...

[djmurdoch]

The main problem for me is that my outgoing mail currently goes through a server operated by my cable provider.

Why is this a problem? Does your cable provider not provide an SPF record? If they do, one of the variations on the SPF record ("include:") for your domain is basically a pointer to theirs.

Re:It does help, but...

[Meostro]

The main problem for me is that my outgoing mail currently goes through a server operated by my cable provider. I wonder, though, if I can get around this by setting From: to be from a different domain I have and Reply-To: to the the domain with the SPF records

You shouldn't have to do anything that fancy.

Go to the SPF wizard page, tell it what your mailservers are (even if they aren't your domain MX records) and it will tell you what to use. If your outgoing mail is set up as someguy@mycableprovider.com then you'll have to worry about them getting the records right, but if you're sending form someguy@mydomain.com you just have to worry about telling SPF which servers you send mail through.

Some ISPs do, some don't.. but what's it cost you?

[mkettler]

Several ISPs use SPF, for example, AOL does.
http://www.postmaster.aol.com/spf/

Several ISPs don't.. For example, yahoo is busy pushing the competing standard of domainkeys.

Many open source spam scanners use it, ie: SpamAssassin.

However, even if not everyone supports SPF, at least some folks do, and that means if and when your domain does get forged by a spammer, there will be fewer folks receiving it, fewer mailservers accepting it and fewer bounces/complaints heading your way.

And of course, SPF is more-or-less cost free.. All you have to do is add a TXT record to your DNS, which probably won't cost you anything unless your DNS is hosted on some oddly billed 3rd party service.

I'd say the ROI on it is pretty good.

Many folks will immediately bash SPF as a poor spam control technology. Well, they're right, but that's not the point, and it's not what SPF is for, and it's not what your trying to get out of SPF.

SPF isn't a "cure-all" for spam that some folks think it is and others bash it for not being, but SPF IS a reasonable start at controlling forgery, and it's quite effective at it.

Yes, it does work.

[parrini]

Yes, it does work. I started using SPF and almost immediately stopped receiving spam backscatter. Besides that, I activated SPF check in my SMTP server and since then, we drop a lot of forged mail headers too. Its ridiculous easy to implement, consumes nothing more than a DNS record and can be fine tuned. Besides that, every single big mailer is already using it.

Please do - it costs nothing to publish, and ....

[GuruBuckaroo]

... little to filter incoming mail. To protect your outgoing mail, all you have to do is publish a special DNS record - that's it, done, no need to change it as long as your MX servers don't change. It's That Simple.

On the incoming side, a lot of ISPs are using it - and a great number of corporations are using it, even if they don't realize it. Spam Filter boxes like those from Barracuda (Can't recommend these guys enough), or software like SpamAssassin, can easily check SPF records. I think Barracuda's do by default, but I could be wrong - it's been a few years since we installed our Barracuda.

Granted, it's only one part of a good anti-spam system. I use SPF, DomainKeys/DKIM, SpamAssassin, and a nifty little feature of Sendmail called "greet_pause" (check it out if you use Sendmail for inbound email). It's cut down on my junk mail by an ungodly amount.

it helps

[ArbitraryConstant]

Supporting SPF doesn't put an end to spam, but it's one of those best-practices things that can really make your life simpler down the road.

For outgoing mail service:

-It becomes immediately apparent when "surprise" mail servers pop up. This can be a web server that's sending outgoing mail directly, or someone sending mail through their ISP's mail servers when they should be connecting and authenticating to your servers, etc. Tracking down mail problems in these situations can be very frustrating.

-It helps prevent forged messages claiming to be from your domain. Not all recipients support this, but even after the fact it's helpful to be able to have an answer for what can be done about it that doesn't get any blame on you.

For incoming service:

-Even a moderately strict SPF policy can help prevent bounce-spam from being sent via your servers.

-It helps protect your users from scams.

It's not a perfect solution, but it puts your network in a better defined state. And that helps keep things running smoothly.

strong authentication an important building block

[Thede]

SPF is easy for sending domains to implement, which is one of the reasons it's becoming popular. During the last six months we've seen a major increase in the number of domains that use SPF (including many of the big ones) as well as an increase in the percentage of messages we receive from an SPF-protected domain.

As far as its effectiveness goes, in one analysis where we sampled a set of messages in which the purported sender's domain was that of a major ISP, we found that if the SPF authentication check returned 'softfail', the probability of the message being junk was near 100%. When we checked our MTAs "Received" headers, they indicated that the messages were being sent from IP addresses in different countries and domains (as one would expect). Of those messages that passed, only about 30% of the messages were junk. Clearly there is 'signal' in the SPF score.

Interestingly, of those messages that passed and yet were junk (those that composed the 30%), all appeared to be sent by a legitimately registered user at the ISP. This is the double-edged sword of authenticating your messages if you are an ISP: if your own user base is sending junk, other ISPs and recipients will be able to figure it out. And you might be perceived poorly.

Yet this is exactly what should happen; it's the point of authentication. There should be motivation for ISPs, either financial or brand-related (which ends up being financial), to establish and operate procedures that screen members or deter them from sending unwanted messages. Reputation (or concern of damage to it) is a great motivation.

The real promise in sender-authentication though is DKIM. While SPF is easier to implement for senders than DKIM, SPF is rather fragile; it doesn't survive forwarding without re-writing the envelope-from. Too few systems are set up to do this (list management software is the exception), and although changing the behavior of MTAs is just software, doing so will effect the efficiency of status (bounced mail) reporting. Messages that would be delivered 'point to point' in the past end up being 'source routed' with many unnecessary hops, increasing the odds of failure. DKIM is a little more involved to set up, but doesn't have these fragility issues (setting up checks when receiving is about the same level of difficulty for SPF and DKIM).

At Boxbe, we check both DKIM and SPF. The reason is that strong sender identity gives a pre-approval policy its teeth. We quarantine messages which fail EITHER form of authentication, but because DKIM is "forward-friendly" and SPF is not, if a message passes a DKIM check but fails an SPF check, we let the message pass (according to our member's preferences). Using both has merit as each type is a little different. Gmail has been signing/authenticating with both DKIM and SPF for quite some time. We also use both forms of authentication when we send out messages or forward messages to our members.

As other organizations adopt sender authentication (Comcast has announced it is implementing DKIM by year end) it will become a very effective tool.

--
Thede Loder
E: thede@boxbe.com