As you mentioned, SPF Pass is pretty useless, but SPF Fail is _very_ useful.  It is one of the best and most authoritative tests against forging spam, as they generally (hopefully!) would not be sending from the mail server(s) used by that domain, thus would fail.  Properly implemented and used, this is an indispensable test.
 
While I wish SPF Pass was worthwhile as well, I'll take what good I can get out of it.

Darin.
 
 
----- Original Message -----
From: Matt
Sent: Saturday, September 11, 2004 1:03 PM
Subject: Re: [Declude.JunkMail] SPF Records and Off-Network Customers

I believe that SPF is almost all hype and hardly any value to speak of.

It was originally intended to authenticate hosts, but spammers quickly caught on and started giving themselves SPF records ( http://netscape.com.com/2100-1009_22-5357269.html?part=netscape&subj=technews&tag=mynetscape ).  I believe that SPF Pass will soon be primarily spam hits and that study that I linked to said it was already 1/6 of all such results.

Then there is the issue where many domains might use forwarding, E-mail scripts, sites that use E-mail scripts, or any number of different servers, meaning that most are inappropriate for anything but an 'Unknown' record.  Now some administrators will claim a modicum of usefulness to having the Unknown records, although I don't see it, and others appreciate those that do specify their source IPs, I don't see it and let me clearly state why.  First off, it's not SPF that is scoring your E-mail, and even some administrators around here have suggested blocking on SPF Fail alone.  So if I had a domain that had only one server to send from, but I used an E-mail script somewhere for an inquiry to a company that blocks on SPF Fail, I would be shooting myself in the foot.  There are enough people out there misconfiguring their SPF records, and enough people out there that have too much confidence IMO in people setting up their own records to turn this from a minor benefit into a less accurate than desirable solution, and it will only get worse in time as the less aware start implementing them with a one-click solution to limit all E-mail just to one server as far as SPF goes.  There are even administrators out there that have indicated that they would give SPF Unknown results a score.

Personally I refuse to implement SPF because I don't want to give less aware/experienced administrators another tool that they can use to potentially block my customer's legitimate E-mail.  I am also somewhat surprised that so many people are waving the banner of SPF.  The only reason IMO to support SPF is to hope that with the support, it turns into something worthwhile down the road after significant modification.

Seems to me that pushing SPF currently is done more to say that you do it rather than for what SPF does, a.k.a. a buzzword.

Matt




David Dodell wrote:
Saturday, September 11, 2004, 7:04:55 AM, Darin Cox wrote:

  
Yes.  One of the flaws of SPF.  However, you can also use a weaker SPF
record that says basically that you don't know what mail server it is coming
from.  Not much point in that except to say that you're using SPF, though I
suppose it might be possible that a particular mail admin might penalize
sites that haven't implemented SPF in spam weighting.
    

This is not good ... I don't see SPF becoming a useful tool, since I
have a few customers in this particular situation, and without
widespread SPF implementation I don't see it particularly helpful.

  
A caveat on the above flaw: SPF does have the ability to reference another
domain's SPF records, so if the ISP in question has implemented SPF you
should be able to "inherit" their SPF implementation by referencing it in
your own.  I haven't had an occasion to try that out yet, though.
    

But this requires me to keep up each customer's ISP ... what a pain.

And what happens when one travels?   I was traveling a few weeks ago,
and the hotel's IP connection had port 25 blocked ... so I couldn't
use my own SMTP server remotely using SMTP AUTH.  I called the hotel's
ISP and they opened up port 25 for my room's IP for my stay since I
was going to be there for a week, but the average person is not going
to do this.

-- 
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
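
The SPF outcomes debated in this thread (Pass, Fail, an "Unknown" record, and inheriting an ISP's record by reference), as an added example that is not part of any poster's message. The domains, IP addresses and the spam_weight() scoring helper are constructed for illustration; the "Unknown" record is assumed to be a "?all" policy, and only the ip4, include and all mechanisms are handled, with no DNS lookups.

```python
import ipaddress

# Constructed TXT records (documentation domains and IP ranges, not real data).
RECORDS = {
    "customer.example": "v=spf1 ip4:192.0.2.10 include:isp.example -all",
    "isp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "roaming.example": "v=spf1 ?all",  # the weak "don't know" record
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, depth=0):
    """Evaluate ip4, include and all mechanisms; return an SPF result string."""
    record = RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a prefix means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "ip4":
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # Simplified: include matches only if the referenced record passes;
            # a fail inside the included record does not fail the outer check.
            matched = check_spf(value, ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mechanism not handled in this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def spam_weight(result, fail_weight=10):
    """Hypothetical scoring: weight only Fail, give Pass and neutral nothing."""
    return fail_weight if result == "fail" else 0
```

check_spf("customer.example", "203.0.113.7") models the web-script or hotel-network case: the sender is legitimate but not listed, so a "-all" record yields fail, while the same address against the "?all" record yields neutral.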
