Most ISPs who employ decent spam filtering will reject mails that fail an SPF or DKIM check. This is where a domain has an SPF record but the mail comes from a server not listed in the SPF record, or has a DKIM record but there was no domain key. We do this as well, and it rarely causes us any problems, and we deal with hundreds of domains and millions of emails a day. If a customer reports not receiving email from a specific email address, we check the logs; if it is an SPF rejection we simply tell them the reason and they will go back to the sender and tell them to sort out their SPF record, which is in fact doing the sender a favour as they will have been getting rejected by many other ISPs as well until someone tells them.
It is the responsibility of domain owners to get this right. If every host/ISP avoided using SPF or DKIM in case someone lost some legit email then the amount of spam you receive would go up a thousandfold. SPF records and proper SPF rejection stops all spoofed emails/spam 100%. However, when you reject spam, DO NOT send a response back to the sender, as this results in backscatter, which causes more problems than the spam itself.

On Wed, Apr 10, 2013 at 4:57 PM, Dave Watts <[email protected]> wrote:

> > I'm considering enforcing SPF / DMARC standards on my mail server, knowing that this will block not only most spam, but also some valid emails to my customers.
> >
> > Has anyone here done the same thing? If so, what are your thoughts. Did it create a ton of follow-up work for you with clients screaming that they're not getting emails, or was there a parade held in your honor?
> >
> > Would spam disappear overnight if everyone did the same thing?
>
> I've enabled SPF filtering on our incoming mail, but it did catch a lot of "false positives" - enough that I ended up turning it back off again, essentially.
>
> The "false positives" weren't really false positives in the strictest sense, as they were messages that didn't in fact match their point-of-origin SPF records. But there are a lot of common causes for this in the enterprise:
> - internal mail servers used by application servers
> - email-as-a-service senders like SalesForce
> - internal mail servers used by pockets of internal users that don't use the regular corporate email system - you'd be surprised how often this comes up in large enterprises, or at least I was surprised.
>
> Spam would disappear overnight if everyone had correct SPF records, and everyone also filtered by SPF. But then it would reappear the next day. There's nothing stopping spam from coming from a valid SPF source, and botnets, for example, could easily send through compromised but otherwise legitimate hosts. (In fact, I was exaggerating above as not all spam relies on illegitimate senders even now.)
>
> > I know I also have a little work to do to make sure all my SPF records are correct, knowing that many customers cannot connect to my SMTP through their ISP (i.e., some Comcast customers), and thus their outgoing emails would fail the SPF test. I sense a customer poll coming on...
>
> You could specify a soft fail for unauthorized hosts, rather than a hard fail. But if you're providing a service to customers to allow them to send mail, it's probably a bad idea to identify some of that mail as illegitimate, regardless of what your customer poll might tell you.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> http://training.figleaf.com/
>
> Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on GSA Schedule, and provides the highest caliber vendor-authorized instruction at our training centers, online, or onsite.

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:355337
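
An added example, not part of either message: a reduced SPF check showing how a hard fail (`-all`) and a soft fail (`~all`) differ for an unlisted sending host, and the in-session rejection that avoids backscatter. It handles only the `ip4`, `ip6` and `all` mechanisms and does no DNS lookups; the records, addresses, function names and the "unsupported" result are constructed for illustration.

```python
import ipaddress

# SPF qualifier -> result name (RFC 7208)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate a reduced SPF record (ip4, ip6 and all mechanisms only)."""
    if record is None:
        return "none"                      # domain publishes no SPF record
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "unsupported"           # include, a, mx, redirect need DNS
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"             # malformed address in the record
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                       # nothing matched and no "all" term

def smtp_action(result, reject_softfail=False):
    """Map an SPF result to what the receiver does during the SMTP session."""
    if result == "fail" or (result == "softfail" and reject_softfail):
        # Refuse in-session with a 5xx. Accepting and bouncing later would
        # send the bounce to the forged sender address (backscatter).
        return "550 reject"
    if result == "softfail":
        return "accept and tag"
    return "accept"

# Constructed sample records using documentation address ranges.
HARD = "v=spf1 ip4:192.0.2.0/24 -all"
SOFT = "v=spf1 ip4:192.0.2.0/24 ~all"

if __name__ == "__main__":
    for rec in (HARD, SOFT, None):
        for ip in ("192.0.2.25", "198.51.100.7"):
            res = check_spf(rec, ip)
            print(rec, ip, res, smtp_action(res))
```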

