BLOG

SPF records: not really all that important

I’ve been working through some Hotmail issues with a client over the last few months. One of the things that has become clear to me is how little Hotmail actually does with SPF records. In fact, Hotmail completely ignored my client’s SPF record and continued to deliver email into the inbox.

This isn’t just a sender that had a “well, we think most of our email will come from these IPs but aren’t telling you to throw away email that doesn’t” record. In fact, this client specifically said “if email doesn’t come from this /28 range of email addresses, then it is unauthorized and should be thrown away.” The email was being sent from an IP outside of the range listed in the SPF record.

As part of the process involved in fixing the delivery problems, I had the client update their SPF record and then I enrolled their domain in the SenderID program at Hotmail. This didn’t have any effect, though. Hotmail is still not checking SPF for this client. When I asked Hotmail what was going on they said, “We do not do lookups on every sender’s mail.”

So, there you have it folks. The last bastion of SPF/SenderID has abandoned the technology. Even a totally invalid SPF record doesn’t matter, mail can still reach the inbox at Hotmail.

6 comments

  1. Bram Van Daele says

    Dear Laura

    As always I read your posts with a lot of interest and enthousiasm, but this time round however I think you’re going just a tad too fast. Stating “SPF isn’t all that important” just because it appears Hotmail isn’t checking it for every mail they get, is not correct.

    There are just about a million smaller B2B appliance suppliers that will check every mail and WILL discard mail correctly. There are even some big appliance suppliers that will discard your mail if you tell them to in your SPF record (to name one , the default Brightmail appliances).

    So If I were to believe the basic statement “SPF Isn’t that important” and I’d choose not to care about it , my deliverabilty rates would inevitably drop.

    Of course, you can reply that you did not state that people shouldn’t care anymore for SPF but I think it was a bit short stated to say “not that important”.

    Just my impression on your latest blogpost
    Cheers, Bram

  2. Martijn Grooten says

    My experience with 20-odd spam filters is indeed that the vast majority of them ignores SPF -all records, or at the very least doesn’t outright block them. Despite openspf.org suggesting something like that.

    It doesn’t mean that having SPF records isn’t a good idea though.

  3. Tom Owen says

    I have to agree with the previous posters. Just because a single provider doesn’t use/investigate SPF records, even one the size of hotmail, doesn’t mean they are worthless. Especially in the business world, non-delivery or even nontimely delivery of email can have significant penalties. Many organizations use eMail as a default information exchange medium for contracts, sales leads, etc. and even as the timestamp/delivery point for RFP/RFQ responses.

    When the received timestamp on a message can make the difference as to whether or not you get a multi-million dollar contract or not, do you want to take the risk of having to explain to management that you didn’t take the 5 minutes to register a single DNS entry that may have made a difference?

    You are correct though that SPF records are not a “magic bullet” for mail delivery. There are a number of things besides registering SPF records that an administrator can do to help ensure proper delviery of mail. Things like:
    Separating eMail and Browsing Traffic

    Publishing PTR records for all outbound mail connectors

  4. The cult of SPF lives – Word to the Wise says

    […] is the number of people that have taken me to task for a recent post I wrote pointing out that SPF records aren’t actually that important for email delivery. My example was that a client of mine had incorrect SPF records (with a -all even) but was still […]

  5. The Proverbial Barry says

    what does spf hav to do with time stamps

  6. How To Send One Billion Email Marketing Messages Per Month « Mike Hillyer's Personal Webspace says

    […] SPF, SenderID, DomainKeys (DK) and DomainKeys Identified Mail (DKIM). There are indications that SPF (and SenderID by association) is ineffective but given the low effort required to implement it I would recommend doing so anyway. While SPF and […]

Comment:

Your email address will not be published. Required fields are marked *

  • AOL FBL change

    Reminder for folks, AOL is changing their FBL from address starting on Jan 17th. AOLlogoForBlogThe (in)famous scomp@aol.net is going away to be replaced by fbl-no-reply @ postmaster.aol.com. These messages will be signed with the d= mx.postmaster.aol.com. Time to update your scripts!No Comments


  • Vague reports of Yahoo problems

    A number of people, on different forums, have been asking if anyone is seeing a higher bounce rate than usual with Yahoo. Not sure exactly what's going on here. As I understand it, folks are talking with Yahoo about it. If I hear anything more, I'll share. For now, though, if you're seeing a small increase in Yahoo bounces (or other weirdnesses) others are seeing something odd, too.No Comments


  • Responsive design just got easier at Gmail

    Today Gmail announced they are supporting media queries in Gmail and Google Inbox. This should simplify the creation of emails for multiple platforms. The full list of supported rules can be found on the Google Developer Site.No Comments


Archives