[Dshield] SPF

Brian Dessent brian at dessent.net
Thu Nov 3 23:40:11 GMT 2005

Paul Marsh wrote:

> reducing spam.  To be honest I've never heard of it but it looks like it
> could help reduce spam for the time being?  I also noticed some key
> domains are already using SPF.  What's the general consensus regarding
> SPF?

Sorry to be contrarian, but I don't see SPF as doing a lick of good at
preventing spam.  Everyone that starts a sentence "SPF will prevent
<foo>" or "SPF will force <bar>" is forgetting a very important detail:
in order for SPF to cause any of this to happen, the administrator of
the receiving system has to configure their system to block or reject
based on either the absence of SPF fields in the sending domain or a
negative in the SPF field.  But if you do this today you will block a
metric crapload of legitimate mail that has been forwarded, because SPF
breaks that too.  (They advocate yet another hack of sender-rewriting to
get around this, but that is an even more invasive change that hardly
anyone has implemented or plans to implement.)  The quintessential
example is the <college>.edu domain that lets students that have
graduated continue to receive mail at their former .edu address after
they leave.

This means that nobody in their right mind is going to block anything
based on what SPF says.  You might use it to add weight to a blocking
decision, a la SpamAssassin, but using it to outright block mail will
cause millions of false positives for anything but toy addresses.

So, it was a nice idea.  But at the end of the day it's just not going
anywhere because it had too many drawbacks.  Put it down on the long
list of interesting things that were tried but that did not work.

You can read the following article by Suresh Ramasubramanian on why his
organization - Outblaze, which operates tens of millions of email
addresses - decided to *stop* publishing SPF records that had been in
place for years.
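
The forwarding failure described in the message above, as an added example that is not part of the original post: a simplified SPF check (only `ip4:` and `all` mechanisms) run over constructed deliveries, comparing outright rejection with SpamAssassin-style weighting. The domains, records, addresses (RFC 5737 documentation ranges), score weights and threshold are all assumptions made for illustration.

```python
import ipaddress

# Constructed SPF records (documentation domains and RFC 5737 addresses).
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "nospf.example": None,  # domain publishes no SPF record
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, mail_from_domain):
    """Evaluate a simplified SPF record: only ip4: and all mechanisms."""
    record = SPF_RECORDS.get(mail_from_domain)
    if not record:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return QUALIFIERS[qualifier]
    return "neutral"

def hard_reject(result):
    """Policy A: block outright on a negative SPF result."""
    return result == "fail"

# Policy B: SPF only adds weight to a spam score. Values are assumptions.
SPF_WEIGHT = {"pass": -0.5, "fail": 2.0, "softfail": 1.0}

def scored_reject(result, other_score, threshold=5.0):
    """Reject only when SPF weight plus other evidence crosses the threshold."""
    return other_score + SPF_WEIGHT.get(result, 0.0) >= threshold

# Constructed deliveries: (description, connecting IP, envelope sender domain).
# A plain forwarder keeps the original envelope sender but connects from its
# own address, so SPF cannot tell it apart from a spoofing host.
DELIVERIES = [
    ("direct from sender's own MTA", "192.0.2.25", "sender.example"),
    ("forwarded by alumni .edu relay", "198.51.100.7", "sender.example"),
    ("spoofed from unrelated host", "203.0.113.9", "sender.example"),
]

if __name__ == "__main__":
    for desc, ip, domain in DELIVERIES:
        r = check_spf(ip, domain)
        print(f"{desc}: spf={r} hard_reject={hard_reject(r)} "
              f"scored_reject(other=1.0)={scored_reject(r, 1.0)}")
```

The forwarded and spoofed deliveries both evaluate to `fail`, so the hard-reject policy drops the legitimate forwarded message, while the weighted policy rejects only when other evidence also points to spam.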


