What's up with SPF?


Writing about Pobox reminded me of Meng Wong's SPF anti-spam system. I've heard nothing about it recently, and a check of openspf.org shows Latest News from June 2008 and April 2007.

What's the health of the project? Are people using SPF? Is it effective? Should I bother updating (fixing, really) the SPF records I added years ago?


SPF is still being used. It's still being discussed. It's still useful at addressing some of the problems with email, but it's still not a silver bullet.




We use SPF (as well as DKIM) to support safe whitelisting in Apache SpamAssassin. If I want to whitelist jm /at/ jmason.org, I can now reliably detect when a mail came from a mail relay authorized by jmason.org.

It hasn't worked out too well as a way to detect spam, though -- there are still too many ways for legit mail to screw it up.

the real-time accuracy results for SA's SPF rules on our test corpora can be found here:

I think SPF has stabilized, which is why they don't comment on it. It's pretty widely used if you dig around for txt records. It has a few hadors too though (blah blah abuses the txt record blah blah).

SRS is even more useful imo. It can prevent "backscatter" with 100% accuracy (in the case you're using a central SMTP server) since you can say authoritatively, "That DSN is a delayed bounce, I know for a fact the original message didn't come from here. Please don't reject messages after you accept them, thanks."

SPF saved my life!

I woke up a few months back to my inbox brimming with bounce back and rejection messages. Instantly I started checking all my mail servers thinking a spammer must have found a security hole...
I found nothing.

Checking the messages and their headers in more detail, the original emails were not from my servers, they were originating from several different IPs around the world.

It turned out that some spammer had decided to target my domain for whatever reason and was pumping out spam with one of my domains as the sender. (This was shortly after some disagreements I had with someone from a mailing list who at the time had threatened to attack my server in some way, of course I can't prove anything... but...)

After some frantic googling I learned all about SPF and quickly implemented it my domains. After a little time for the DNS to propagate the bounce emails all but stopped.

Thank god for SPF, a very good idea and it does indeed get used a lot by spam filters.

Leave a comment

Job hunting for programmers

Land the Tech Job You Love, Andy Lester's guide to job hunting for programmers and other technical professionals, is available in PDF, ePub and .mobi formats, all DRM-free, as well as good old-fashioned paper.