[plug] Sender Policy Framework (SPF)

Nick Bannon nick at ucc.gu.uwa.edu.au
Wed Sep 8 16:02:34 WST 2004


On Wed, Sep 08, 2004 at 01:57:42PM +0800, James Devenish wrote:
[...]
> PS. I'm joking. But, basically, as far as I know, the use of SPF is to
> discard messages for which the sender domain has been forged. It does
> not tell us whether an e-mail is legitimate, and for the majority of
> e-mails it tells us nothing about the e-mail. However, it does at least
[...]

Right. That is to say that "validation", like a signature, means
nothing. However it may grow to the point where certain domains can
build a trustworthy reputation for themselves, and SpamAssassin or
similar can take that into account.

Right now, as you were probably referring to, the fact that an email has
passed SPF validation means that it's probably spam.
http://www.ciphertrust.com/spf_stats

I've just been burnt by the working-as-designed realisation that
rejecting mail based on SPF prevents normal SMTP forwarding - you have
to use SRS or similar. (That's OK, but I didn't realise I was already
losing mail due to it ::-))

However, looking into it, my scepticism has gone up a notch with regard
to SPF being anything other than an advisory mechanism.
 * It's tacking its extra meaning into DNS TXT records - fine for
   experimentation, but we're not meant to use that forever, are we?
 * SPF records aren't self contained, or even strictly hierarchical. You
   can recurse by including any other domain's SPF records!
 * The initiator of the spec is encouraging implementors to accept extra
   aliases of keywords, without making that explicit in the spec. That
   can't be a good thing yet, can it?
http://www.imc.org/ietf-mxcomp/mail-archive/msg04455.html
http://archives.listbox.com/spf-discuss@v2.listbox.com/200403/0428.html

Tagging mail with SPF results should be useful, but rejecting mail
based on SPF results seems dangerous. SPF was meant to allow individual
domains to safely recommend rejection of messages that didn't come from
servers they specify, but I can't see that being a reality.

Nick.

-- 
   Nick Bannon   | "I made this letter longer than usual because
nick-sig at rcpt.to | I lack the time to make it shorter." - Pascal
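The two mechanics discussed in this post, `include:` recursion in SPF records and the forwarding breakage that SRS repairs, are easiest to see in code. The following is an added example, not code from the post or from any SPF implementation. It evaluates a toy SPF record set held in an in-memory table of constructed records (the domains and addresses are documentation-reserved values, not real sites), caps include recursion at an assumed limit of 10, and performs a simplified SRS0-style rewrite of the envelope sender with an assumed HMAC key; a real SRS library uses a more elaborate timestamp and hash format.

```python
"""Toy SPF evaluator plus SRS0-style sender rewrite (constructed sample data)."""
import hashlib
import hmac
import ipaddress

# Constructed sample DNS TXT data: domain -> SPF record. Not any real domain's records.
SAMPLE_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.10 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "forwarder.example": "v=spf1 ip4:203.0.113.5 -all",
    "loop.example": "v=spf1 include:loop.example -all",  # pathological self-include
}

MAX_INCLUDES = 10  # assumed recursion cap; unbounded include chains must not be evaluated forever

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, txt=SAMPLE_TXT, _depth=0):
    """Evaluate `domain`'s SPF record for connecting address `ip`.

    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none', 'permerror'.
    Only ip4/ip6/include/all are handled; anything else is a permerror here.
    """
    if _depth >= MAX_INCLUDES:
        return "permerror"  # include chain too deep (or a loop, as with loop.example)
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            sub = check_spf(ip, term[len("include:"):], txt, _depth + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"  # an include matches only when the included domain passes
        else:
            return "permerror"  # a/mx/exists/ptr are not implemented in this toy evaluator
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no explicit 'all' term


SRS_KEY = b"constructed-forwarder-secret"  # assumed; a real forwarder keeps this private


def _srs_mac(timestamp, orig_domain, orig_local, key):
    msg = f"{timestamp}{orig_domain}{orig_local}".lower().encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:4]


def srs_forward(orig_sender, forwarder_domain, timestamp="TT", key=SRS_KEY):
    """Rewrite the envelope sender so SPF is checked against the forwarder's own domain."""
    orig_local, _, orig_domain = orig_sender.rpartition("@")
    mac = _srs_mac(timestamp, orig_domain, orig_local, key)
    return f"SRS0={mac}={timestamp}={orig_domain}={orig_local}@{forwarder_domain}"


def srs_reverse(srs_address, key=SRS_KEY):
    """Recover the original sender for bounces, refusing addresses with a bad MAC."""
    local, _, _ = srs_address.rpartition("@")
    tag, mac, timestamp, orig_domain, orig_local = local.split("=", 4)
    if tag != "SRS0":
        raise ValueError("not an SRS0 address")
    if not hmac.compare_digest(mac, _srs_mac(timestamp, orig_domain, orig_local, key)):
        raise ValueError("SRS hash mismatch; refusing to relay the bounce")
    return f"{orig_local}@{orig_domain}"


def forwarding_scenario():
    """Direct delivery passes; plain forwarding fails; forwarding with SRS passes again."""
    sender = "alice@example.org"
    direct = check_spf("192.0.2.10", "example.org")  # alice's own MTA
    forwarded = check_spf("203.0.113.5", "example.org")  # forwarder's MTA, envelope untouched
    rewritten_domain = srs_forward(sender, "forwarder.example").rpartition("@")[2]
    after_srs = check_spf("203.0.113.5", rewritten_domain)  # checked against forwarder.example
    return direct, forwarded, after_srs


if __name__ == "__main__":
    print(forwarding_scenario())
    print(check_spf("198.51.100.7", "example.org"))  # authorised via include:_spf.example.net
    print(check_spf("203.0.113.5", "loop.example"))  # self-including record hits the cap
```

The middle result of `forwarding_scenario()` is the "working as designed" loss described above: a `-all` record for example.org turns an honest forwarder into a forged sender unless the envelope is rewritten first. The `loop.example` case shows why an evaluator needs a hard cap on include recursion rather than trusting records to be hierarchical.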