Slashdot Mirror
Are You Using SPF Records?
gravyface writes "I've been setting up proper Sender Policy Framework records for all my clients for past year or so, hoping to either maintain or improve their 'reputation' in the email universe. However, there's a lot of IT admins I speak with who either haven't heard of SPF records or haven't bothered setting them up. How many of you are using SPF records for your mail domains? Does it help? How many anti-spam vendors out there use SPF records as part of their 'scorecard'?"
it has cut down tremendously on the spam claiming to be from my domains.
any other benefit I am unaware of.
If I could walk that way I wouldnt need cologne.
That's some nice FUD you've got there. There are some valid points, but the basis for the page is inaccurate. SPF is really meant to be used in conjunction with some other technology like DKIM. SPF is just meant to ensure that one aspect of the process, that the machine sending the email is allowed to do so. DKIM for instance is meant to verify the contents of the email hasn't been tampered with.
Unless something has changed in the last few years, DKID doesn't verify that the server is allowed to send email for that particular domain, just that the email itself wasn't tampered with which has its own issues. For instance, while it does verify that the message hasn't been tampered with, it does not help people that are sending legitimate cold emails to a server of say the sales rep for the company.
My point here being that any technology has issues when one tries to use it in a way for which it isn't designed, but saying that because it can be used improperly that it's therefore dangerous is an argument which lacks merit.
It's winter so there isn't much sun or exposed flesh to worry about. My record for SPF is 50 when I'm bicycling in the noonday sun in the summer.
http://en.wikipedia.org/wiki/Sunscreen
Yahoo, Gmail, MSN/Hotmail, and AOL pretty much require that you have DomainKeys implemented if you want to email their users
I don't have DomainKeys set up, and I've never had any difficulty getting mail to users of any of those services.
Please stand clear of the doors, por favor mantenganse alejado de las puertas
I work for a major anti-spam vendor.
Yes, SPF records are part of the mix at many anti-spam vendors.
However, they aren't part of reputation. Reputation, to describe it simply and without giving away any secrets, is determined by the kind of mail a host or network emits. Whether it has SPF records and/or DKIM-signs its mail does not affect reputation; if you emit junk, your reputation will be junk.
SPF and (moreso) DKIM have value in assessing whether a given mail is a forgery or not (think phishing and related scams). They are not weighted overly much, since people do foolish things like put their work email address into their webmail account all the time, and it causes FPs, for some value of false positive. That is, it's not an FP per se, but the mail is technically legit, so dropping it on the floor isn't the desired action.
In short, don't expect having SPF and DKIM to improve your deliverability much, if at all. That's not where the value-add is. The value-add is helping to separate the sheep from the goats among mail that purports to be from your domain. If you want recipients to be able to (theoretically, since most of them don't/won't check) have greater confidence that a mail that claims to have come from your organization really did so, then yes, implement both SPF and DKIM.
If you're an organization whose customers might be phishing targets, definitely do both. Orgs I've seen targeted for phishing include financial institutions of any size (even a single branch!), various government agencies, educational institutions (not just universities, either), BBB, auto clubs, World of Warcraft accounts, Vonage, Craig's List, all the free webmail providers. If it has a login, and anything a phisher could find to be of value (for practically any value of "value"), there will be phishing attempts.
If your company is one of those - or even if it's not, really - I recommend both SPF and DKIM.
I use them, and what I've found is that they have a very marginal effect (if any) on spam catch rates on your inbound mail. However, they do have a great side benefit. They significantly reduce backscatter, keep yourself off of blacklists, and provide some control of you, your employer, or your client's identity on the web. SPF records provide a mechanism to limit who can spoof as you (as long as recipient servers adhere to them). If you have a risk to yourself or interested parties that someone might spoof your domain (banks!), then SPF provides a means to insure the chain of custody (to an extent).
I do think overall SPF has helped to prevent forged domain letters, but those are less and less common (for those that publish spf). The spammers now either rely on forged domains without DKIM or SPF (why not use both!!) or they send from their own controlled botnet domains and publish legit SPF for themselves as well.
I don't use them personally and we have very few customers at my current job that will request them.
I used to work for an anti-spam company and the request would come in from time to time to have SPF checking built into our appliances. As developers, we did see the benefit of it. But at the time, there was the SPF vs SenderID vs Domain Keys battle going on. Who would win out?
As it appears years later, no one really did.
The problem with the technology is adoption rates. Unfortunately, many of these technologies are not being adopted by the masses. I'm not saying its hurting you by having these in place, but it also might not be doing as much good as you think that it is.
Not just to add a 'me too' but I recently removed SPF completely - mostly because other people couldn't get their entries correct, or just completely failed to update it when they add in extra servers. Legitimate messages were hitting our spam folders. Since I can't train our fine worker drones to actually look in their spam, I opted just to remove it. With greylisting and spamassassin its removal hasn't made any noticeable difference aside from the false positives now being delivered properly.