Why SPF will never work right...

Thanks for bringing this article to our attention.

Althout relatively recent, it's already outdated.

Yesterday I sat in on a discussion with Meng Wong (who wrote SPF) and with Harry Katz (Microsoft's representative, explaining SIDF).

Wong and Microsoft are now working together again; Wong explains it simply: he explains that you can use SPF on open source servers and SIDF (which includes patents applied for and therefore is incompatible with open source software) on closed-source on Mail Transfer Agents.

I've never loved SPF; it won't do much to eliminate spam at all (though it can be very helpful in eliminating phishing attacks, which is why the US Government is looking into it). But because a lot of servers are already refusing email based on it, we really don't have a choice; if we don't publish SPF records our email won't make it to a lot of domains.

Personally I don't use SPF records to validate incoming email; I agree with Ray Everett-Church's cited examples, but not with the numbers he gives us; it certainly doesn't take an hour to look up even a thousand DNS records.

But I publish SPF records, and will continue to do so, refining them as necessary.

Jeff
 
And how was this explained away?

This approach raises several areas of concern, according to Levine.

First, there has been no large-scale experience in using SPF to reject email. We do know, however, that a non-trivial number of early SPF adopters have found it difficult to correctly describe even relatively simple networks in SPF syntax. Once you factor in more complex arrangements, such as multi-homed inbound/outbound systems, outsourced email and mailing list hosting environments, remote offices with their own email infrastructures, etc.,
we still don't know the extent to which SPF will break email.

Levine experimented by creating a complex series of nested SPF records that are not all that different from a conceivable configuration for a moderately large and widely distributed email infrastructure. His results? Upwards of one hour to look up the SPF records for just a single email. If a legitimate set up could do this, an evil-doer could cause mail servers to launch Denial-of-Service attacks on themselves simply by seeding bogus data in nested records and sending your mail server on a wild goose chase that would bring down your inbound mail.
Click to expand...

and this research by Cypher Trust:

http://www.ciphertrust.com/resources/statistics/spf_stats.html
 
Last edited:
They didn't explain away Levine's concerns, because they didn't address Levine's statements.

They did point out that by now SPF is being used by a lot of folk in a lot of environments, and it is resulting in a lot of email being identified as to sender.

The only "breaking" of email I've seen is with dumb MTAs refusing email based on softfail, which according to Wong, they shouldn't do.

I explain away "Upwards of one hour to look up the SPF records for just a single email" by pointing out that they've got to be blowing smoke or they don't know how to run DNS; our own tests show DNS lookups as taking somewhere between 50 and 1000ms per lookup, with the majority at being under 150ms. And of course you can do many lookups concurrently; I don't know of a single resolver that waits until one lookup is returned before trying another.

I agree with all thoughtful researchers, and with Wong, in pointing out that SPF will NOT stop spam; in fact at this point in time more spammers are using SPF than legitimate email senders.

SPF is just one tool in an arsenal of multiple tools. It is quite effective at blocking phishing attacks, and that's a good thing.

Note that I'm not currently in favor of using SPF on incoming email (though my opinion could change over time); I am in favor of publishing good SPF records so that my clients won't have their mail blocked by folk who use it.

You may decide differently, and then anyone using your server won't be able to send email to anying using AOL, MSN, Hotmail, Yahoo, and many other ISPs as their email address.

Jeff
 
You must log in or register to reply here.
Back
Top