Thread: SPF for mail
-
04-25-2005, 04:13 PM #1Web Hosting Master
- Join Date
- Jul 2002
- Posts
- 609
SPF for mail
Is anybody using this? And are there pros and cons?
Sender Policy Framework (SPF) fights return-path address forgery and makes it easier to identify spoofs
http://spf.pobox.com/
-
04-25-2005, 04:29 PM #2Web Hosting Master
- Join Date
- Jun 2000
- Location
- Washington, USA
- Posts
- 5,990
I'm using it on a few domains, works quite well for me. As well, I check SPF records, and I certainly cut down on phishing e-mails.
-
04-25-2005, 04:29 PM #3Managed Hosting Expert
- Join Date
- Jan 2004
- Location
- North Yorkshire, UK
- Posts
- 4,164
No cons that I can see so long as you do it properly, I'm using it and have also implemented into cPanel DNS zone templates.
Dan
█ Dan Kitchen | Technical Director | Razorblue
█ ddi: (+44) (0)1748 900 680 | e: dkitchen@razorblue.com
█ UK Intensive Managed Hosting, Clusters and Colocation.
█ HP Servers, Cisco/Juniper Powered BGP Network (AS15692).
-
04-25-2005, 11:37 PM #4Web Hosting Master
- Join Date
- Apr 2002
- Posts
- 938
No cons on publishing an SPF record. In fact everyone should publish SPF records for all their domains.
As for implementing SPF checking on incoming mail? You might lose some legitimate emails.
Fahd - Server Monitoring | Webhost Ranking
-
04-26-2005, 03:00 AM #5Web Hosting Master
- Join Date
- Jul 2003
- Location
- Nothing but, net
- Posts
- 2,064
Originally posted by RazorBlue - Dan
No cons that I can see so long as you do it properly, I'm using it and have also implemented into cPanel DNS zone templates.
Dan
No ill effects and everything appears to be good.
-
04-26-2005, 08:42 AM #6Junior Guru
- Join Date
- Feb 2003
- Location
- Bay Area, CA
- Posts
- 215
Unfortunately the system is quite flawed and will take a long time to be adopted on a wide scale (if ever).
Spammers have been adding SPF records in order to get by this system...in fact a spammer was the first ever to use an SPF record.
It can't really hurt to add the records, and filtering using the records may cut down on some spam, but to think this is the solution to the spam problem is quite a stretch. I wouldn't put much effort into adopting this system.
-
04-27-2005, 03:37 AM #7Web Hosting Master
- Join Date
- Apr 2002
- Posts
- 938
The system doesn't claim to stop spam!
The system claims to stop forged emails/emails with forged headers. And in turn reduce generation of bounce messages to the innocent party.
The system works very well for what it claims to do!
From http://spf.pobox.com
What is SPF?
SPF is Sender Policy Framework
SPF fights return-path address forgery and makes it easier to identify spoofs.
Sender ID adds PRA checking.
Domain owners identify sending mail servers in DNS.
SMTP receivers verify the envelope sender address against this information, and can distinguish authentic messages from forgeries before any message data is transmitted.
Fahd - Server Monitoring | Webhost Ranking
-
04-27-2005, 03:49 AM #8Web Hosting Master
- Join Date
- Jul 2003
- Location
- Nothing but, net
- Posts
- 2,064
Originally posted by Huminie
Unfortunately the system is quite flawed and will take a long time to be adopted on a wide scale (if ever).
Spammers have been adding SPF records in order to get by this system...in fact a spammer was the first ever to use an SPF record.
It can't really hurt to add the records, and filtering using the records may cut down on some spam, but to think this is the solution to the spam problem is quite a stretch. I wouldn't put much effort into adopting this system.
This system was designed to prevent email from claiming to be sent from hotmail or yahoo when it was really sent from no address at all.
This would at least help prevent phishing and joe jobs. It would also stop spoofed spam which is a severe problem.
-
04-27-2005, 04:34 AM #9Web Hosting Master
- Join Date
- Jul 2002
- Posts
- 609
You might lose some legitimate emails
-
04-27-2005, 12:15 PM #10Managed Hosting Expert
- Join Date
- Jan 2004
- Location
- North Yorkshire, UK
- Posts
- 4,164
It's not a con, let me explain how it works. It's a great tool to stop people receiving e-mails such as those spoofs that many get from banks, eBay, etc etc.
When an e-mail is sent out, say for example mail is being sent FROM hotmail TO yahoo.
**First example - legit email**
-The Mail is sent from Hotmail's servers
-Yahoo's servers receive it and look for hotmail.com's SPF record.
-Hotmail's SPF record says mail can only come from the 1.1.1.0/24 IP range.
-The email came from this range, and is recognised as OK, and delivered to the user.
**Second example - spoofed e-mail**
-The Mail is sent from Hotmail's servers
-Yahoo's servers receive it and look for hotmail.com's SPF record.
-Hotmail's SPF record says mail can only come from the 1.1.1.0/24 IP range.
-The email didn't come from this range and is flagged as negative.
-The email doesn't get delivered.
█ Dan Kitchen | Technical Director | Razorblue
█ ddi: (+44) (0)1748 900 680 | e: dkitchen@razorblue.com
█ UK Intensive Managed Hosting, Clusters and Colocation.
█ HP Servers, Cisco/Juniper Powered BGP Network (AS15692).
-
04-27-2005, 01:16 PM #11Junior Guru
- Join Date
- Feb 2003
- Location
- Bay Area, CA
- Posts
- 215
I have a very good understanding of what SPF claims to do and what the perceived benefit will be and it is my opinion that implementing the use of SPF is not worth the time it takes to implement. (And it doesn't take much time, so what does that say?)
It won't stop spoofs, it won't stop phishing and it won't stop spam. I will not waste my time implementing a system with so few benefits when there are so many better ways to address all these issues.
If you guys are using it and perceive a benefit, then good for you. I personally can't recommend this as a solution that provides any real world value and the slow adoption rate of the technology suggests others agree with me as well.
-
04-27-2005, 01:59 PM #12Junior Guru
- Join Date
- Jan 2005
- Posts
- 203
Originally posted by Huminie
I have a very good understanding of what SPF claims to do and what the perceived benefit will be and it is my opinion that implementing the use of SPF is not worth the time it takes to implement. (And it doesn't take much time, so what does that say?)
It won't stop spoofs, it won't stop phishing and it won't stop spam. I will not waste my time implementing a system with so few benefits when there are so many better ways to address all these issues.
Norton, McAfee - won't stop viruses, does that stop you from using Antivirus software?
Nothing can stop spam right now, but the industry can definitely take measures to reduce it. If you're not one of them, that makes one additional VAS for everyone else who does.
When used in combination with DomainKeys the solution is quite powerful, that in conjunction with Spam Software, a better solution than just having spam software. The point isn't to be perfect, but to continue the effort to reduce spam.
-
04-27-2005, 02:24 PM #13Web Hosting Master
- Join Date
- Mar 2004
- Location
- New Jersey
- Posts
- 798
Originally posted by Huminie
I have a very good understanding of what SPF claims to do and what the perceived benefit will be and it is my opinion that implementing the use of SPF is not worth the time it takes to implement. (And it doesn't take much time, so what does that say?)
It won't stop spoofs, it won't stop phishing and it won't stop spam. I will not waste my time implementing a system with so few benefits when there are so many better ways to address all these issues.
If you guys are using it and perceive a benefit, then good for you. I personally can't recommend this as a solution that provides any real world value and the slow adoption rate of the technology suggests others agree with me as well.
-
04-27-2005, 03:03 PM #14NetOps Guy
- Join Date
- Jan 2005
- Location
- San Francisco/Hot Springs
- Posts
- 991
I use it, it seems to work.
On the servers that I have it setup on, it seems to reject enough forged mail for me to notice heh.
AppliedOperations - Premium Service
Bandwidth | Colocation | Hosting | Managed Services | Consulting
www.appliedops.net
-
04-27-2005, 03:42 PM #15Junior Guru
- Join Date
- Feb 2003
- Location
- Bay Area, CA
- Posts
- 215
One of my favorite expressions is "work smarter not harder". I guess that about sums it up.
-
04-27-2005, 03:58 PM #16Newbie
- Join Date
- Oct 2002
- Posts
- 18
SPF is about working smarter not harder.
Rather than wasting server resources processing virus laden email claiming to be from Microsoft, check if they were sent from Microsoft using SPF.
I've been using it for my outbound and inbound mail, and it is useful. In fact, its extremely quick adoption and rapid pickup by major players (who have taken years and years on other ideas) is evidence of the obvious value of SPF.
Given your in-depth knowledge of SPF, I would suggest contacting the major spam groups (who are also informed on the issue of spam) along with Amazon, Apple, DoubleClick, Eart*****, Google, O'Reilly, Symantec, Verizon and AOL, to alert them that they have hired idiots who have done something useless.
The fact is, SPF stops cold the risk that innocent domains get blamed for spam attacks. You have obviously never run a business with a large user base or a high value website. I can tell you that having someone spam using your domain is a huge pain in the neck. This fixes that.
Clearly doesn't pick up purported sender, which I do think was an oversight, but flexibility is being built in to address some of these added issues, along with new proposals.
Implementation is trivial, and good practice actually for further approaches as they are developed.
-
04-27-2005, 05:13 PM #17Junior Guru
- Join Date
- Feb 2003
- Location
- Bay Area, CA
- Posts
- 215
I have stated my opinion about SPF. I am sorry you don't agree with it. That is your choice, and everyone else's. The reason we have these discussions and boards is to get different points of view.
For what it's worth I use a system that does everything SPF does plus more, is easier to implement and never wastes server resources.
Also, your assumption about what I and my business do is wrong. The company I work for processes more email than most of the companies you listed.
-
04-27-2005, 05:26 PM #18Web Hosting Master
- Join Date
- Apr 2002
- Posts
- 938
You can lose some legitimate email by implementing SPF checking on incoming emails. This can usually happen in the case where some people use their ISP email account to send mail but set the sender and reply-to addresses as something else other than their ISP email account. Quite a few people do this, so you could lose mail from these people. Another issue is for those people who use forwarding email accounts.
Publishing an SPF record on the other hand has no ill effects whatsoever and the benefits are great.
I have no idea what Huminie is referring to here as ill effects. And I sure am not aware of any of these great alternatives that he doesn't speak about but says exist. Care to share some of them with us?
I'll say it again, SPF does what it claims to do and is great at it!
PS: By the way, SPF is being widely adopted!
Hotmail, AOL, Everyone.net, and several other ISPs and email providers have already published SPF records. AOL takes it a step further requesting their whitelisted domains to publish SPF records. http://postmaster.aol.com/spf/
Even on the hosting side, you find major control panel manufacturers including or having an option to publish SPF records seamlessly for domains created through the control panel system.
Fahd - Server Monitoring | Webhost Ranking
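The check walked through in post #10, together with the ISP-relay and forwarding cases raised in post #18, as an added example that is not code from any poster. The domains `sender.example` and `nopolicy.example`, the functions `check_spf` and `scenarios`, and the in-memory record table (standing in for a DNS TXT lookup) are assumptions made for illustration.

```python
import ipaddress

# Constructed policy for illustration; "1.1.1.0/24" mirrors the range used
# in the thread's walkthrough and is not any real domain's published record.
SAMPLE_RECORDS = {"sender.example": "v=spf1 ip4:1.1.1.0/24 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, records=SAMPLE_RECORDS):
    """Evaluate the envelope sender's policy against the connecting IP.

    Handles only the ip4, ip6 and all mechanisms; a full evaluator also
    resolves a, mx, include and redirect through DNS.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # no policy published: SPF has nothing to say
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise ValueError(f"mechanism not handled here: {term}")
        net = ipaddress.ip_network(value, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


def scenarios():
    """Constructed deliveries for the cases raised in the thread."""
    sender = "alice@sender.example"
    return {
        # sent straight from the domain's own listed servers
        "direct": check_spf("1.1.1.25", sender),
        # forger's host using the same envelope sender
        "forged": check_spf("203.0.113.9", sender),
        # real user relaying through an ISP smarthost that is not listed
        "isp_relay": check_spf("192.0.2.40", sender),
        # forwarding account re-sending with the envelope sender unchanged
        "forwarded": check_spf("198.51.100.7", sender),
        # envelope sender whose domain publishes no record
        "no_record": check_spf("203.0.113.9", "bob@nopolicy.example"),
    }
```

The forged, ISP-relay and forwarded deliveries all evaluate to the same `fail`, so a receiver that rejects on that result alone cannot tell the legitimate two from the forgery.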
-
04-27-2005, 05:30 PM #19Web Hosting Master
- Join Date
- Jul 2002
- Posts
- 609
Thanks for the ... responses, as they have answered a few questions I had not thought of
regards
-
04-27-2005, 08:53 PM #20Web Hosting Master
- Join Date
- Mar 2004
- Location
- New Jersey
- Posts
- 798
Originally posted by Huminie
I have stated my opinion about SPF. I am sorry you don't agree with it. That is your choice, and everyone else's. The reason we have these discussions and boards is to get different points of view.
You say that SPF offers no value for the effort, but acknowledge it's an extremely simple process. You say that you understand what it does, but continue to point out that it doesn't stop spam, spoofing or phishing. You point out slow adoption then sidestep the issue of it being adopted by some of the most popular ISPs and businesses on the internet with "my business is better than them". I still don't see why you think it won't work. Correct me if I'm wrong, but unless a spammer controls my DNS information the system will work, no?
To grace5: The bottom line is this: in the changing world of the web, SPF is one more way to add to the layers of protection you should be implementing on your server(s). At the very least, it doesn't hurt to add an SPF line to your DNS zone file. If whizzing on a spark plug and shoving it in a USB port would help reduce costs for my customers I am sure I would do it.
-
04-27-2005, 09:20 PM #21Web Hosting Master
- Join Date
- Jun 2000
- Location
- Washington, USA
- Posts
- 5,990
I would say, that when checking SPF records, you shouldn't accept/reject based on them. But, use it in conjunction with other systems, such as SpamAssassin.
-
05-29-2005, 01:43 PM #22WHT Addict
- Join Date
- Jul 2003
- Location
- Olean, NY
- Posts
- 143
I don't publish spf records for a simple reason: SPF checks the sending IP address, and compares it to the list of IP addresses allowed to send mail from that domain.
As an IHP, I encourage my users to send messages from their ISP's smtp servers if at all possible. It cuts down on our bandwidth, gives them faster service, and ensures that they can still send mail if their ISP blocks port 25.
Since I can't maintain a list of the valid IP addresses for every customer's ISP's smtp server, it means that publishing an SPF record would cause my customers' mail to get rejected. If I used a wildcard it would defeat the whole purpose of SPF.
I do use spf filtering for incoming emails. If an ESP chooses to publish an spf record, it means that they have a business model that supports a list of trusted smtp servers, and I would like to utilize that information. Filtering incoming SPF certainly helps cut down on all the forged hotmail/yahoo messages, and also protects customers against phishing.