Journalism Research and Random Meanderings

Wednesday, March 31, 2004

Sender Policy Framework (SPF): anti-spam technique gains adherents 

SMTP+SPF: Executive Summary


Feb 29 2004

How SMTP+SPF Helps

You ask SPF: "I have someone coming from a certain IP address. They claim to be a certain sender. Are they for real?"

SPF will tell you one of four things:

The sender is good, the sender has previously announced that they do send mail from that IP address.
The sender is bad, the purported sender has published a list of IP addresses they send mail from, and the client IP isn't one of them.
The sender may be good or bad: the sender domain is in a transitional phase; it is methodically converting its users to be SPF compliant, so we should go easy on any violations for the present.
SPF doesn't know: the sender has not published any IP addresses, so the message could be legit, or it could not.

SMTP without SPF cannot do that.

For SPF to answer the question, domain owners have to designate which IP addresses send mail for their domains.

For example, hotmail.com would publish a SPF list that includes 65.54.247.109, 216.33.241.106, and 207.68.163.86, which are all servers which you could reasonably expect to see a hotmail message coming from. But if someone connects from 80.34.201.194 and claims to be a hotmail sender, you would know better than to believe them, because that IP address isn't on the list.


SPF protects brand equity.

The present SMTP standard for email allows anyone to forge anyone else's email address. This means I could send anyone a message claiming to be from you, and only an email expert would be able to tell the difference. Today, most spammers invent email addresses out of thin air when they send their spams. But there's nothing to stop them from using your name. This is called Joe-Jobbing and it is beginning to happen more often. Already many people block mail from Hotmail and AOL simply because a lot of spam is forged from those addresses. SPF prevents sender forgery and protects you from trademark dilution.

SPF reduces inbound spam.

SPF allows your mail servers to easily distinguish forgeries from real mail. Importantly, SPF works before the message body is transmitted, saving the bandwidth cost of downloading the message and the CPU cost of filtering it.

SPF is not patent-encumbered.

Challenge-response schemes are inconvenient and subject to legal liability.

Are people really going to use this?

The SPF concept was born in early June 2003. A draft RFC has been written and submitted to the IETF for review. SPF has been covered by CNN, CNET, the Washington Post, and others.

Already, many large ISPs have published SPF records, and others are waiting to see who else will do it

SpamAssassin will use SPF in version 2.70.

Antispam companies that support SPF include Sophos, Symantec, Declude Junkmail, Brightmail, IronPort, Ciphertrust, MailArmory, MailFrontier, and others.

DynDNS has altered the TXT configuration for its Custom DNS service to allow people to publish SPF records if they want to. If they don't want to, they don't have to.

PairNIC, eNom, ZoneEdit, and EasyDNS are some of the DNS service providers who support SPF.

Some well-known names protected by SPF today include:

AOL.com
Altavista.com
DynDNS.org
eOnline.com
Google.com
GNU.org
LiveJournal.com
MotleyFool.com
OReilly.com
Oxford.ac.uk
PairNIC.com
Perl.org
PhilZimmermann.com
SAP.com
Spamhaus.org
Symantec.com
Ticketmaster.com
w3.org