Are You Using SPF Records?

gravyface writes "I've been setting up proper Sender Policy Framework records for all my clients for past year or so, hoping to either maintain or improve their 'reputation' in the email universe. However, there's a lot of IT admins I speak with who either haven't heard of SPF records or haven't bothered setting them up. How many of you are using SPF records for your mail domains? Does it help? How many anti-spam vendors out there use SPF records as part of their 'scorecard'?"

yes

[zeldor]

it has cut down tremendously on the spam claiming to be from my domains.
any other benefit I am unaware of.

Re:yes

[jonadab]

> If you're using a lack of SPF records as a determinant
> in whether or not a message is spam, then I can guarantee
> you that you're losing mail to false positives.

Yeah, that's not how you're supposed to do it. No SPF record means "I don't know whether this is a valid sender for this domain or not", so you fall back to whatever other method you have for making the determination.

Traditionally, the "other method" generally meant accepting everything and letting the users sort it out in the inbox, but there are other things you can do, such as looking at stuff like whether the EHLO domain matches the sending IP, whether the envelope sender matches either of them, whether the From field matches any of the above, whether any of our users have sent mail to this domain in the last N days, and so on and so forth, each of which criteria can be assigned a weight, which can be used to determine whether to accept the message immediately, graylist it (and for how long), subject it to more rigorous (but computationally intensive) regex-based filtering, check for it on collaboratively-maintained blacklists, etc.

And if the domain *has* SPF records and the sending IP isn't in them, you have your choice of greylisting with a lengthy delay, going straight to teargrube mode, or just sending a 554 response immediately. And you can take note of the IP address for future reference.

> I use greylisting as my chief anti-spam weapon, and it's
> far more reliable and far more effective than SPF.

Greylisting has problems too. Not least, it causes delays, which can run into multiple minutes. (In some situations, even a thirty-second delay will make the natives restless.) Additionally, if too many mail exchangers do greylisting, the spammers will just implement retries (it's not like it's hard; normal mail servers have been doing it forever). All of this doesn't mean greylisting isn't useful, but it's one tool in the toolbox, not the be-all and end-all. There are a lot of things a mail server can do to try to determine whether a message is spam. None of them individually is very reliable, but you don't have to do just one thing.

Re:I use them, but mainly for deniability

[MightyMartian]

And yet none of these solutions will actually do very much good at all. This was all hashed over several years ago. SPF, DomainKeys and so forth are little more than feel-good half-measures. If the sole reason you're using any of them is so that Google doesn't reject your email, then I think that's pretty much demonstrated the worthlessness of them.

Got it on Google's advice

[cerberusss]

Four years ago, I got hit by a Joe-job, i.e. some spammer used my domain in the 'From' field. I deleted the thousands of resulting messages in the following days and then didn't think about it anymore.

Two years ago, I shut down my mail server and moved it to Google Apps. Basically it involves creating a Google Apps account which tells you to point your domain its MX (mail exchange) records to GMail. The second, optional, step was to add SPF records. I thought about the Joe-job. Since the GMail wizard is good and explains everything, I just executed that step. It's actually really simple.

Anyone else have this experience? I.e. creating SPF records was too easy to just skip it?

Nope

[menelaus]

I don't use them personally and we have very few customers at my current job that will request them.

I used to work for an anti-spam company and the request would come in from time to time to have SPF checking built into our appliances. As developers, we did see the benefit of it. But at the time, there was the SPF vs SenderID vs Domain Keys battle going on. Who would win out?

As it appears years later, no one really did.

The problem with the technology is adoption rates. Unfortunately, many of these technologies are not being adopted by the masses. I'm not saying its hurting you by having these in place, but it also might not be doing as much good as you think that it is.

Re:No, and I won't

[martok]

Actually, DKIM can be used to guarantee a sender. We're using DKIM here with ADSP. That is:
_adsp._domainkey TXT "DKIM=ALL"
tells a receiver that all emails from our domains should be signed. Since the keys themselves are published in our DNS, a machine not under our control should not be able to send an email purporting to be from our domain.

I'm not sure but I would think that mechanism would make SPF irrelavent. Assuming antispam software actually checked the adsp dkim records.

Re:Yes.

[oatworm]

Pretty much the same here - SPF records aren't particularly hard to implement, after all. On the receiving side, I just check for SPF failure (i.e. somebody e-mailing from somewhere other than the domain's SPF-registered mail server), and even those just get sent to users' junk mail folders. I'm certainly not bouncing anything because of them. Based on my mail server reports, it looks like the low SPF filtering is catching about 0.5% of the mail volume that flows my direction, which isn't much, but it's 0.5% less than I would be dealing with otherwise and was implemented "for free", so I'm not complaining.

Re:No, and I won't

[Krondor]

How would that work with trusted partners who may send mail on your behalf? With SPF I can use an include:xxx to define relationships with other systems. With DKIM it seems I would need the partnered system to stamp the sent mail or relay off of our originating servers for DKIM attribute addition (something that might not always be possible). Is there an elegant workaround?

Re:I use them

[digitalchinky]

Not just to add a 'me too' but I recently removed SPF completely - mostly because other people couldn't get their entries correct, or just completely failed to update it when they add in extra servers. Legitimate messages were hitting our spam folders. Since I can't train our fine worker drones to actually look in their spam, I opted just to remove it. With greylisting and spamassassin its removal hasn't made any noticeable difference aside from the false positives now being delivered properly.

Re:No, and I won't

[sprior]

While I can see the reason for your points, I don't agree with the conclusion.

The fact is that implementing SPF comes with a bigger responsibility to account for every machine your email might be sent from. No doubt this can be a big pain and imply compromise.

I have implemented SPF and for me the big downside is that OTHERS don't check it and pay attention to what I've implemented. I still get bounced email which the receiver SHOULD have ignored as forged because it failed SPF checks, but they didn't and bounced it to me anyway.

So my complaint is that being responsible hasn't bought me as much as it should have.

You ARE asking people to throw away your own email

[CritterNYC]

The thing is that due to forwarding and vanity servers, you ARE asking people down the wire (which you can't predict and have NO control over) to throw away mail you sent. When you send to a buddy's vanity domain (that you don't know is a vanity domain) and it forwards your email to their ISP or work account that does check SPF records, your mail gets ditched. And you usually won't get any notice, so your email just disappears.

Using SPF increases the likelihood of your email getting sent into the ether to not return.

The SPF folks themselves acknowledge this as an issue and recommend using SRS to combat it. Of course, since no one uses SRS, it's still an issue.