Anti-SPAM Techniques: Sender Policy Framework (SPF)

Friday, November 27, 2009

Did you ever received span from your own address ?

SPF is a Policy Framework to help domain owners to identify and pinpoint all the servers which are expected to send mail from their domain, in a DNS record. Therefore, its possible for SMTP receivers (e.g. MTAs like Exim, Postfix, Qmail etc.) to verify the envelope sender address against this information, and distinguish authentic messages from forgeries - reducing the chance of email 'spoofing', phishing schemes and spam!

Create a SPF record

In the past many people have avoided SPF because of the trouble of setting up the SPF records - especially when using multiple ISP's or having mobile users. Nowadays this task can be simplified through this online tool: The SPF Setup Wizard

Deploy the SPF record

To use the newly created SPF record on a domain, make sure you have access to create a TXT-DNS record for the given domain. If you have access to create a TXT-DNS record all you need is to create such a TXT-DNS record containing the SPF record information, and you are done.

SPF helps avoiding forgery but doesn't resolve the spam problem

The main problem is that there aren't many SPF records out there, so most of your lookups will come up with no information. Besides that, there is a lot of invalid/misconfigured SPF records out there.

But even if everybody were to publish SPF records, and the forgery issue is resolved, it doesn't help prevent spam coming from non-forged envelopes. In fact many spammers started publishing SPF records for their spamming machines, so if you ever thought to use SPF to filter SPAM, you will have to rethink your strategy since it doesn't work.


[1] Sender Policy Framework (SPF) Record and Godaddy. Retrieved on 2009-11-06.

[2] Creating SPF Records. Retrieved on 2009-11-06.