SPF records: not really all that important

S

I’ve been working through some Hotmail issues with a client over the last few months. One of the things that has become clear to me is how little Hotmail actually does with SPF records. In fact, Hotmail completely ignored my client’s SPF record and continued to deliver email into the inbox.
This isn’t just a sender that had a “well, we think most of our email will come from these IPs but aren’t telling you to throw away email that doesn’t” record. In fact, this client specifically said “if email doesn’t come from this /28 range of email addresses, then it is unauthorized and should be thrown away.” The email was being sent from an IP outside of the range listed in the SPF record.
As part of the process involved in fixing the delivery problems, I had the client update their SPF record and then I enrolled their domain in the SenderID program at Hotmail. This didn’t have any effect, though. Hotmail is still not checking SPF for this client. When I asked Hotmail what was going on they said, “We do not do lookups on every sender’s mail.”
So, there you have it folks. The last bastion of SPF/SenderID has abandoned the technology. Even a totally invalid SPF record doesn’t matter, mail can still reach the inbox at Hotmail.

About the author

6 comments

This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Dear Laura
    As always I read your posts with a lot of interest and enthousiasm, but this time round however I think you’re going just a tad too fast. Stating “SPF isn’t all that important” just because it appears Hotmail isn’t checking it for every mail they get, is not correct.
    There are just about a million smaller B2B appliance suppliers that will check every mail and WILL discard mail correctly. There are even some big appliance suppliers that will discard your mail if you tell them to in your SPF record (to name one , the default Brightmail appliances).
    So If I were to believe the basic statement “SPF Isn’t that important” and I’d choose not to care about it , my deliverabilty rates would inevitably drop.
    Of course, you can reply that you did not state that people shouldn’t care anymore for SPF but I think it was a bit short stated to say “not that important”.
    Just my impression on your latest blogpost
    Cheers, Bram

  • My experience with 20-odd spam filters is indeed that the vast majority of them ignores SPF -all records, or at the very least doesn’t outright block them. Despite openspf.org suggesting something like that.
    It doesn’t mean that having SPF records isn’t a good idea though.

  • I have to agree with the previous posters. Just because a single provider doesn’t use/investigate SPF records, even one the size of hotmail, doesn’t mean they are worthless. Especially in the business world, non-delivery or even nontimely delivery of email can have significant penalties. Many organizations use eMail as a default information exchange medium for contracts, sales leads, etc. and even as the timestamp/delivery point for RFP/RFQ responses.
    When the received timestamp on a message can make the difference as to whether or not you get a multi-million dollar contract or not, do you want to take the risk of having to explain to management that you didn’t take the 5 minutes to register a single DNS entry that may have made a difference?
    You are correct though that SPF records are not a “magic bullet” for mail delivery. There are a number of things besides registering SPF records that an administrator can do to help ensure proper delviery of mail. Things like:
    Separating eMail and Browsing Traffic
    Publishing PTR records for all outbound mail connectors

  • […] is the number of people that have taken me to task for a recent post I wrote pointing out that SPF records aren’t actually that important for email delivery. My example was that a client of mine had incorrect SPF records (with a -all even) but was still […]

By laura

Recent Posts

Archives

Follow Us