The cult of SPF lives


Years ago, prior to the public discussions of Domain Keys, there was SPF as the solution to all our email authentication problems. SPF was going to let people do all sorts of things with email. The proponents even privately asserted that it would solve the spam problem. In essence, SPF was a cult. BoF sessions at meetings had the flavor of a big tent style revival. Those of us who didn’t support SPF were shunned and belittled. How could we not support such a brilliant protocol? Did we want spam to continue being a problem? All our objections no matter how rooted in reality were dismissed out of hand. SPF was an evangelical, cult-like movement.
I am somewhat sad to announce that the cult of SPF still lives. The most recent example is the number of people that have taken me to task for a recent post I wrote pointing out that SPF records aren’t actually that important for email delivery. My example was that a client of mine had incorrect SPF records (with a -all even) but was still getting inbox delivery at Hotmail. We repaired the records, re-registered them with Hotmail and Hotmail not only isn’t checking them but also sent mail to me admitting they don’t check SPF for incoming email.
My statement was that SPF wasn’t really important to getting email delivered. This seems to have upset a number of people. Someone on twitter pointed out that a valid SPF record gave you a positive score with SpamAssassin. What they didn’t mention was that a valid SPF record gives you an entire -0.001 with SpamAssassin.
Today I get a comment from Tom (which seems more like an ad for his company than an actual comment) that says

When the received timestamp on a message can make the difference as to whether or not you get a multi-million dollar contract or not, do you want to take the risk of having to explain to management that you didn’t take the 5 minutes to register a single DNS entry that may have made a difference?

Tom, I don’t think you understand what SPF is. SPF has nothing to do with timestamps. Having a record or not having a record doesn’t change anything about the time of a message. If a sender doesn’t have a SPF record the time of lookup for that SPF record is going to be the same as if they did.

In fact, in the quick and dirty test I just did here looking at two major ISPs: Yahoo, which doesn’t publish SPF and Hotmail which does publish SPF. Both records are coming back in less than 100 msec. If tens of milliseconds are the difference between getting the contract and not, you have bigger problems than the presence or absence of a SPF record.
So, yes, the cult of SPF still lives, and still makes no sense. SPF still doesn’t do anything to authenticate email. It doesn’t do anything to make any of us safer. Most of the major players in the SPF movement have moved on to other projects. Even Hotmail, that evangelized SenderID (spf v.2), has mostly abandoned it. But, still, the true-believers come out of the woodwork with anecdata about how SPF is vital and important.
Except it’s not actually vital nor important. And it’s long past time for the cult of SPF to die.

About the author


This site uses Akismet to reduce spam. Learn how your comment data is processed.

  • Clickz, who should know better, are sending mail with broken SPF and still gets inbox at Gmail. Meh.

  • SPF does one thing and it does it good: It tells me which IP addresses are allowed (as decided by the dnsmaster of the zone) to send email originating from the domain that has it. This is the (small for some) problem it solves.
    Problems occur when people think that because of that it is an antispam solution. Yes it can help but always keep in mind that someone who you consider as a spammer can have perfectly valid SPF records.
    I like SPF; I do not want it to die. But I also want people understand exactly what its responses mean. As an extreme example consider this record “v=spf1 mx -all”. It may say that you should reject all email from this domain, but you as the receiving Postmaster are free to choose otherwise.

  • adamo: That’s not what that SPF record means, though. It means that the only servers that should emit mail “from” the domain are the listed MXes for the domain.
    Even people who advocate heavily for SPF usually don’t understand it – that’s part of the problem.

  • @steve: @!R!! Gulty as charged, but while typing I was being harassed by kid[2]. The link I’ve provided saves my face. While I was typing I had on my mind both “mx -all” and “-all” 🙂

  • I understand Tom’s point completely.
    When minor things make or break a deal, try proving to senior management that an SPF record did not factor into the transmission of a particular email. Did the sending IP get a different rate limit because of a perceived reputation problem and get queued somewhere and/or forced to retry to a different MX? Millisecond timings are not what received headers are about but it can be tough to prove that the receiver system did not give that email a different policy because some small issue was left to chance.
    When big contracts and livelihoods hang in the balance it’s not a good time to leave things like an SPF record out just because they are not really critical any more, or perhaps never really were. SPF is likely to go the way of old paint and fade away slowly rather than just drop off the planet suddenly.

  • Laura, your subject line is slightly incorrect
    The “cult” of SPF actually thrives and is growing.
    Almost every decent bank today has a SPF record. 50% of worlds fortune 500 companies publish an SPF record. Do you think they are into BS.
    We run anti-spam for 2000 corporates in India , and I havent seen a better rule than “whitelist_auth” ( Rule that uses SPF and others) that helps me maintain a safe whitelisting especially for banks and big corporates.

  • @ram – you’ll find that snowshoe spammers are probably the largest users of SPF, DKIM *and* Domainkeys today.
    Checking that rule as a blanket “good domain” critierion will bite you hard, sooner rather than later. And note – 50% of the world’s banks, 50% of the fortune 500 companies etc having SPF doesn’t make SPF any better or worse than it is. Banks and corporations don’t usually run into the corner cases (forwarding etc) that make deployment of any kind of sender authentication something that is a bit tougher than simply sticking a record into your dns / installing a plugin or milter into your mailservers.
    ps: If you want to claim your userbase size makes this true.. quite a lot of people reading this blog have had / still have userbases that beat yours out by an order or two of magnitude, in terms of domains, mailboxes, you name it. 🙂

  • SpamAssassin’s whitelist_auth rule isn’t a blanket whitelist for all authenticated mail; it still requires the admin to specify which domains’ authenticated mail will be whitelisted.
    That said…the cult of SPF has always trotted out numbers of how many domains have SPF records as proof that SPF is successful. That’s silly; it’s extremely easy to publish an SPF record, and even to keep it accurate (though many forget.) What’s more interesting is how many sites are checking SPF inbound, and what they’re actually doing with SPF failures.

  • SPF isn’t worthless. Measuring the contribution isn’t so easy though. Gmail tests SPF and publishes the pass/fail (along with DK and DKIM) in the message headers. I make sure that my outgoing mail has SPF properly configured along with SenderID, DK and DKIM.
    I think if you are going to do one, it’s simple enough to do all (SPF being one of the easiest to get right). I think that DKIM is trending toward replacing the others. I would like to see destination domains reward DKIM signed mail provided the senders have a good reputation. If dkim + good rep == images on, I think we would see more movement towards adoption.

By laura

Recent Posts


Follow Us