[Dshield] Are you using spf records?

Martin Forest martin at forest.gen.nz
Tue Jan 10 01:28:20 GMT 2006


Over the last couple of days, I've done some analyzing at work.
I have analyzed 300000 incoming emails spread over 70000 domain names.
15% of the domains have an SPF record.
3% of the emails had fail during lookup.
13% of the emails had either fail or softfail during lookup.
21% had either fail, softfail or neutral (i.e. if the domain holders that  
currently use SPF could confirm their mail servers and change to -all, 21%  
of the emails could be dropped right away...)
3% had pass.

3% "pass" sounds low so I looked. It is correct, there is so much  
"spoofing" of emails so the "fail" groups/codes are high and the number of  
valid emails is low.

Conclusion:
The more people that actually use SPF, the better it would be. But even at  
the current "low" pic up at 15%, you can safely drop 3 - 13% of emails. At  
home, I'm dropping both fail and softfail with great success. :)

It is interesting to compare Yahoo don't use SPF and Hotmail that does. We  
have 3 TIMES more spam using Yahoo than Hotmail. I just looked at the logs  
for spam detection and we have 1564 rejected spam using Yahoo and only 504  
rejected spam using Hotmail. Yahoo may have an intersting alternative to  
SPF but it does require much more cpu and complex implementation than SPF.  
Overall, domains using SPF records are less spoofed than domains that  
don't.

/Martin Forest



More information about the list mailing list