SPF - Sender Policy Framework - is broken and must Die

From Computer Tyme Support Wiki


SPF (Sender Policy Framework) Sucks

SPF was a noble attempt to control spam. But it is a failed attempt and is being kept alive by openspf.org. The theory was that if you could tell the world which servers were allowed to send email for a domain, then email for that domain coming from any other server could be rejected. The idea was that this information could be published over DNS and would be easy to implement. In practice it wasn't that easy.

The problem is that SPF breaks email forwarding. Let's say that Netflix, which publishes a restrictive SPF record, sends an email to a customer whose address is set to forward to another address. If the final receiving server enforces the restrictions, it rejects that email, because it arrives from the forwarding server, which is not listed as a legitimate Netflix server. Our service has this problem, as we at Junk Email Filter forward all our messages on to other servers.

The suggested workaround is that forwarding servers use SRS (Sender Rewriting Scheme), which alters the return path so that the sender becomes us instead of Netflix. That would allow our forwarded email not to bounce, but the address is so altered that the receiving server has to use complex logic to work out how to process the email. For example, if a recipient wants to write a rule to move all their Netflix email into a special folder, they have to test for the altered email addresses rather than the original email address they are familiar with.
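To make the forwarding failure and the SRS workaround from the two paragraphs above concrete, here is an added example (not code from this wiki or from any SPF implementation): a minimal SPF evaluator run against constructed records and IPs, with `sender.example` and `forwarder.example` standing in for Netflix and the forwarding service, and a simplified SRS0 rewrite of the return path.

```python
import hashlib
import hmac
import ipaddress

# Constructed values standing in for the page's Netflix / forwarding-service story.
SENDER_SPF = "v=spf1 ip4:192.0.2.0/24 -all"          # restrictive: only this /24 may send
SENDER_SPF_LOOSE = "v=spf1 ip4:192.0.2.0/24 ?all"    # "official servers, but anyone else might too"
FORWARDER_SPF = "v=spf1 ip4:198.51.100.0/24 -all"    # the forwarding service's own record
SENDER_MTA, FORWARDER_MTA = "192.0.2.25", "198.51.100.7"

def spf_result(record: str, client_ip: str) -> str:
    """Minimal SPF evaluator: only ip4:/ip6: mechanisms and the 'all' terminator,
    which is enough to show the forwarding failure. Returns the SPF result name."""
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:                   # skip the "v=spf1" version tag
        qual = "+"                                    # implicit qualifier is "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term.split(":", 1)[1], strict=False):
                return qualifiers[qual]
        elif term == "all":
            return qualifiers[qual]
    return "neutral"                                  # no mechanism matched

def srs_rewrite(return_path: str, forwarder: str, key: bytes) -> str:
    """SRS0-style rewrite of the envelope sender: the forwarder's domain becomes the
    sender and the original address is folded into the local part. The timestamp and
    hash encoding here are simplified stand-ins for the real scheme."""
    local, _, domain = return_path.partition("@")
    tag = hmac.new(key, f"{domain}{local}".encode(), hashlib.sha1).hexdigest()[:4]
    return f"SRS0={tag}=TT={domain}={local}@{forwarder}"

def forwarding_scenario() -> dict:
    """Walk the page's example: direct delivery, naive forwarding, SRS, loose record."""
    rewritten = srs_rewrite("billing@sender.example", "forwarder.example", b"constructed-key")
    return {
        "direct": spf_result(SENDER_SPF, SENDER_MTA),          # pass: listed server
        "forwarded": spf_result(SENDER_SPF, FORWARDER_MTA),    # fail: forwarder not listed
        # after SRS the envelope domain is the forwarder's, so its record is checked instead
        "forwarded_srs": spf_result(FORWARDER_SPF, FORWARDER_MTA),
        "srs_return_path": rewritten,                           # original address is mangled
        "forwarded_loose": spf_result(SENDER_SPF_LOOSE, FORWARDER_MTA),  # neutral: says nothing
    }

if __name__ == "__main__":
    for name, value in forwarding_scenario().items():
        print(f"{name:16} {value}")
```

The `forwarded_loose` result shows the point made further down the page: once a record ends in `?all`, a check against an unlisted server returns neutral, which tells the receiver nothing.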

SRS only works if everyone in the world uses it, and any idea that requires everyone in the world to change is hopelessly doomed from the start unless there is a compatible migration path. SRS doesn't offer one.

So the other workaround is to make the rules you advertise less restrictive: these are the official servers, but email might also come from any other server in the world. If email might come from anywhere, then what good is SPF? What is it telling us that we can use for any purpose? Nothing at all.

But, you might say, this could be used for whitelisting. The problem is that spammers can also publish correct SPF records, and therefore you would be whitelisting spam. The only possible use is if you kept a limited list of domains whose SPF records you trusted enough to whitelist; then maybe you could get some small benefit. But the same thing can be done far more easily by tracking hosts in a MySQL karma database, without any SPF lookups or manual intervention.

Thus SPF has no benefit at all under any circumstances. But it has a significant downside in that it breaks email forwarding, resulting in good email not being delivered, and it wastes a lot of the time of email system developers, who try to implement it and finally realize that it is totally useless when they could have been working on real solutions.
