SPF - Sender Policy Framework

LogicX · September 13, 2004, 09:35:48 AM

Matt/ Everyone:

Whats your opinion of http://spf.pobox.com/" target="_blank">SPF? Do you implement it? Do you feel everyone should? IS it the 'right thing' to do?

Specifically as far as qmail/mail toaster is concerned -- Matt -- do you forsee http://wooledge.org/~greg/qmail-srs.html" target="_blank">implementing http://spf.pobox.com/srs.html" target="_blank">SRS (Sender Rewriting Scheme) in the toaster?

Theres a lot of http://it.slashdot.org/article.pl?sid=04/09/13/1317238&tid=172&tid=95&tid=218" target="_blank">buzz on SPF over at slashdot today, as the IETF just decided not to go with Microsoft's implementation.

donavan · September 13, 2004, 06:49:26 PM

http://www.eweek.com/article2/0,1759,1642848,00.asp" target="_blank">http://www.eweek.com/article2/0,1759,1642848,00.asp

It might be the 'right thing' but it wont help you with spam. A good summary post from NANOG http://www.merit.edu/mail.archives/nanog/msg01005.html" target="_blank">http://www.merit.edu/mail.archives/nanog/msg01005.html

LogicX · September 13, 2004, 07:03:12 PM

I see a lot of my spam coming from legit looking domains

A quick survey through 5 spams in my box showed two of them have SPF configured, and the originating source of the spam did not validate against the info in the TXT record.

To me -- that seems like a good thing.

I understand its not end-all
but atleast it'll stop people from being confused by getting spam from domains they trust --

how about all the ebay/paypal scams that come in saying they're from paypal.com/ebay.com? -- those would not match ebay's SPF; and walla -- reject it.

matt · September 14, 2004, 07:03:24 AM

I believe SPF is a good thing. I also plan to implement it in the Mail::Toaster, as soon as I'm comfortable that the implementation isn't going to cause toaster owners more harm than good. For the ones that need it now, there are beta grade patches out there that add SPF support.

Almost a year ago, I added SPF records to my DNS for several of my domains. While this doesn't add SPF to my mail server, it does enable other SPF enabled mail servers to prevent the reception of spoofed email from my domains. This is something everyone should do, regardless of whether they choose to use SPF.

I agree with the conclusions that SPF will not reduce spam, but it will certainly reduce spoofing, one of the most insidious of spams forms. If you've even been the recipient of a mail flood because some spamming pig forged your domain in his reply-to field, you'll understand what I mean.

I also think it'll help diagnose spam more easily as spammers will have to buy domains, set them up with SPF, and thus make them easy to identify via blacklists.

In conclusion, SPF isn't a magic pill, but rather a nice little addition to the spam tools in our arsenal.

netgeek · September 18, 2004, 09:23:50 PM

Here is the libsfp web site for those that are interested.
http://www.libspf.org/" target="_blank">http://www.libspf.org/

interesting news as well.
http://www.internetnews.com/xSP/article.php/3408601" target="_blank">http://www.internetnews.com/xSP/article.php/3408601

LogicX · September 22, 2004, 11:08:26 AM

http://spamassassin.apache.org" target="_blank">SpamAssassin 3.0 was released, which in its ChangeLog lists:
- SpamAssassin now includes support for SPF (the Sender Policy
Framework, http://spf.pobox.com/" target="_blank">http://spf.pobox.com/).

matt · June 07, 2005, 05:46:01 PM

Just a note, SPF is integrated into Mail::Toaster now. Do a search on http://www.tnpi.biz/" target="_blank">http://www.tnpi.biz/ for SPF.

Matt

vantage255 · August 11, 2005, 01:54:48 PM

Is anyone out there using the spamassassin spf filtering rules with success?

I am testing a system where I am allowind my users to enable and set the score of spf tests through the spamassassin DB. This seams to be working pretty well and has the added benefit that any user who complains can be pointed at their own conf settings as the culprit.