SPF - Sender Policy Framework - is broken and must Die

From Computer Tyme Support Wiki

Revision as of 21:57, 10 January 2009 by RoldoMzell (Talk | contribs)


SPF (Sender Policy Framework) Sucks

SPF was a noble attempt to control spam. But it is a failed attempt and is being kept alive by openspf.org. The theory was that if you could tell the world which servers were allowed to send email for a domain, then all other servers sending email for that domain could be rejected. The idea was that this information could be published over DNS and it would be easy to implement. But in practice it wasn't that easy.

The problem is that SPF breaks email forwarding. Let's say that Netflix, which uses a restrictive SPF record, sends an email to one of its customers at an address that is set to forward to another address. If the receiving server checks the restrictions, it will reject that email, because it is arriving from a server that is not listed as a legitimate Netflix server. Our service has this problem, as we at Junk Email Filter forward all our messages to other servers.

The suggested workaround is that forwarding servers use SRS (Sender Rewriting Scheme), which alters the return path so that the sender becomes us instead of Netflix. That would allow our forwarded email not to bounce, but the address is so altered that the receiving server has to use complex logic to work out how to process the email. For example, if the recipient wants to write a rule to move all their Netflix email into a special folder, then they have to test for the altered email addresses rather than the original email address that they are familiar with.

SRS only works if everyone in the world uses it, and any idea that requires everyone in the world to change is hopelessly doomed from the start unless there is a compatible migration path. SRS doesn't provide one.

So the other workaround is to make the rules you advertise less restrictive: say that these are the official servers, but email might come from any other server in the world. If email might come from anywhere, then what good is SPF? What is it telling us that we can use for any purpose? Nothing at all.
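To make the forwarding problem and the two workarounds above concrete, here is an added example (not code from the original wiki article or from Junk Email Filter): a toy SPF evaluator run over constructed records for hypothetical domains, showing the verdict a final server reaches for direct delivery, for forwarded delivery with and without SRS, and for a "might come from anywhere" record. The domains, addresses and the simplified SRS tag are assumptions for illustration.

```python
import ipaddress

# Constructed SPF TXT records for hypothetical domains (not real DNS data).
SPF_RECORDS = {
    "netflix.example": "v=spf1 ip4:192.0.2.0/24 -all",     # restrictive: hard fail from anywhere else
    "lenient.example": "v=spf1 ip4:192.0.2.0/24 ?all",     # the "might come from anywhere" workaround
    "forwarder.example": "v=spf1 ip4:198.51.100.10 -all",  # the forwarding service's own record
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(mail_from, client_ip):
    """Minimal SPF evaluator: handles only ip4: mechanisms and 'all'.
    mail_from is the envelope sender (return path); client_ip is the
    connecting SMTP client, i.e. the last hop, not the original sender."""
    domain = mail_from.rpartition("@")[2]
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return RESULT[qualifier]
    return "neutral"  # record exhausted without a match

def srs_rewrite(mail_from, forwarder_domain):
    """Simplified SRS0-style rewrite of the return path. Real SRS adds a
    hash and timestamp so bounces can be verified; fixed markers stand in
    for them here (assumption for illustration)."""
    local, _, domain = mail_from.rpartition("@")
    return f"SRS0=HHH=TT={domain}={local}@{forwarder_domain}"

def forwarded_delivery(mail_from, forwarder_ip, forwarder_domain, use_srs):
    """Envelope sender and SPF verdict seen by the final server when the
    forwarder relays the mail from its own IP."""
    envelope = srs_rewrite(mail_from, forwarder_domain) if use_srs else mail_from
    return envelope, check_spf(envelope, forwarder_ip)

if __name__ == "__main__":
    print(check_spf("news@netflix.example", "192.0.2.5"))  # pass: direct delivery
    print(forwarded_delivery("news@netflix.example", "198.51.100.10", "forwarder.example", False))  # fail
    print(forwarded_delivery("news@netflix.example", "198.51.100.10", "forwarder.example", True))   # pass, address rewritten
    print(check_spf("news@lenient.example", "203.0.113.7"))  # neutral: tells the receiver nothing
```

The SRS run passes only because the rewritten envelope now names the forwarder's domain, which is exactly why a recipient's folder rule matching on the original address no longer fires.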

But, you might say, this could be used for whitelisting. The problem is that spammers can also publish correct SPF records, and therefore you would be whitelisting spam. The only possible use for whitelisting is if you kept a limited list of domains whose SPF records you wanted to check; then maybe you could get some small benefit. But the same thing can be done far more easily by tracking hosts in a MySQL karma database, without any SPF or manual intervention.

Thus SPF has no benefit at all under any circumstances. But it has a significant downside in that it breaks email forwarding, resulting in good email not being delivered, and it wastes a lot of email system developers' time trying to implement it before they finally realize that it is totally useless, when they could have been working on real solutions.
