SPF: Sender Policy Framework
This is a fairly recent TXT DNS entry that helps protect your organization from spamand spam impersonation. DNS report can do a check on your domain to see if you haveSPF enabled. http://www.dnsreport.com
The following is directly from the SPF website http://www.openspf.org
SPF protects brand equity.
The present SMTP standard for email allows anyone to forge anyone else’s email address.This means I could send anyone a message claiming to be from you, and only an emailexpert would be able to tell the difference.
On April 11, 2003, hoaxsters took advantage of this loophole to cancelclass. Today, most spammers invent email addresses out of thin air when they sendtheir spams. But there’s nothing to stop them from using your name. This is called Joe-Jobbing andit is beginning to happen more often.
Already many people block mail from Hotmail and AOL simply because a lot of spam isforged from those addresses. SPF prevents sender forgery and protects you from trademarkdilution.
SPF reduces inbound spam.
Spam is rising exponentially. A significant majority of spam is forged. SPF allowsyour mail servers to easily distinguish forgeries from real mail. Importantly, SPFworks before the message body is transmitted, saving you the bandwidth costof downloading the message and the CPU cost of filtering it.
SPF is not patent-encumbered.
Challenge-response schemes are inconvenient and subjectto legal liability.
What is the implementation strategy?
You can roll out SPF in two phases.
The transitional phase gives users time to switch to SASL SMTP, and to get used tothe idea of increased security. During this phase, spam detection will improve quicklyas many ISPs start publishing SPF records. During this phase, you set the defaultresponse to “neutral” or “softfail”. (You can identify users who are sending mailthrough unapproved relays by configuring a diagnostic “exists” directive which willcause them to show up in your DNS logs.
When all your users have switched to some kind of authenticated sending (eg. SASL)you can announce to them that the transitional period will end on a particular date.After that date, you can change the default to “fail”: that protects your domain frombeing forged and will be respected by all SPF clients in the field.
How do I keep up with developments?
Managers of email services should jointhe SPF-deployment mailing list.
How long will it take to install?
A first-approximation publishing-only implementation at a large ISP will take betweenfour and eight hours total; it will require coordination between your email administratorsand your DNS administrators. This web site provides detailedinstructions for them. After the initial work is done, you still need to considerSMTP AUTH support, outbound rate-limiting, and some “what’s new” user documentationto reduce customer support costs.
Is there consulting / support?
(20040623) A variety of services offer assistance in deploying SPF and related technologies.
- For small installations, the free wizard isuseful.
- Medium-sized domains may wish to engage independent consultants to assist them withtraining and installation.
- Large customers will probably want to contract with Professional Services vendorssuch as Accenture and EDS. In June 2004, the SPF community started to work with theconsulting industry to perform training and technology transfer. We expect that largeconsulting firms will be ready to work with clients in August 2004.
Please contact wayne@schlitt.net for a freeinitial consultation. Wayne will refer you to the person or organization best suitedto help you.
Are people really going to use this?
The SPF concept was born in early June 2003. A draft RFC has been written and submittedto the IETF for review. SPF has been covered by CNN, CNET, the Washington Post, andothers.
Previously, we had to call the major ISPs and tell them which servers in our addressrange are allowed to send email. That was how we claimed responsibility. We were alreadydoing what SPF does, but we use the telephone rather than DNS. Using SPF is goingto make communicating what we are already communicating that much easier.
Think of the original hosts.txt file that got passed around before DNS. That was howthey did DNS. Now the have DNS and it just makes life easier. That is what SPF is- it is doing something that is already being done but now it is a lot easier.
– J. Gardner, Mass Mail Systems Developer, Amazon.com,
20040714
Already, many large ISPs, including AOL and GMail, have published SPF records, and AOLwill use it for whitelisting in 2004.
The Anti-Spam Technical Alliance comprising AOL, Earthlink, Yahoo, Microsoft, BritishTelecom, and Comcast have endorsed the publishing and use of SPF records in their June2004 report. (We’re not mentioned by name for political reasons, so you have toread between the lines.)
SpamAssassin has SPF support.
DynDNS has altered the TXT configuration for its Custom DNS service to allow peopleto publish SPF records.
PairNIC, eNom, ZoneEdit,and EasyDNS are some of the DNS service providers who support SPF. The .TM Registryhas announced its support for SPF.
Some well-known names protected by SPF today include:
- AOL.com
- Altavista.com
- DynDNS.org
- eOnline.com
- Earthlink.net
- Google.com
- GNU.org
- LiveJournal.com
- MotleyFool.com
- OReilly.com
- Oxford.ac.uk
- PairNIC.com
- Perl.org
- PhilZimmermann.com
- SAP.com
- Spamhaus.org
- Symantec.com
- Ticketmaster.com
- w3.org
Antispam and MTA vendors that support SPF
Sendmail, Sophos, Symantec, GFI Software, Declude Junkmail, Brightmail, IronPort,Ciphertrust, MailArmory, MailFrontier, Roaring Penguin Software, Atlantic Sky, CommunigatePro, and others.>
