mail us  |  mail this page

products  |  company  |  support  |  training  |  contact us

SPF - An Anti-SPAM Measure

We currently believe that Greylisting (and its derivatives) together with SPF are the most appropriate techniques to fight the ever rising tide of SPAM.

The volume of SPAM is rising - rapidly. SPAM increasingly threatens the effectiveness of email as a medium for doing business. Something has to be done.

SPAM and email based attacks are becoming increasingly sophisticated but the sheer volume of low tech SPAM is clogging the arteries of the internet and the inboxes of legitimate users.

There is nothing more annoying and frustrating than to receive a bounce message saying that a mail item - which you did not send - was rejected because it contained a virus or other offensive material. Someone has forged your address. Someone has stolen your identity.

It is estimated that well over 15 billion SPAM messages are sent every day. Some days it feels like they all arrived in our mailboxes!

Classic Solutions

The problem is finding a cure that is not worse than the disease.

We have reviewed and rejected some potential solutions:

  1. Black lists: We refuse to implement a Black List because we feel it can too easily penalise legitimate mail while doing very little to stop SPAM - your SPAM clogged mailboxes are witness to the total lack of effectiveness of Black lists. Having been the unwitting victim of a blacklisting which took less than 2 hours to fix when brought to our notice but took over five years for all the effects to finally disappear we feel the implementation even in major, so-called, professional organizations is not production quality. On its own it is a fatally flawed technique. In combination with other techniques and properly implemented (with constantly refreshed lists) it can add value.

  2. Incoming Mail SPAM Filters: It is not up to us, nor should it be, to decide what constitutes SPAM and what does not. One person's legitimate mail may be another persons SPAM and vice versa. While not doing anything to demean the quality of spam-filtering software, the technology relies on inspection of the mail content. This is a very subjective matter and will inevitably lead to false positives which is why most such systems place suspected spam in a special folder. You still have to check this material - much of it profoundly offensive. How effective is that. Finally, spam filtering has two other problems. It uses the good guy's resources (high-quality spam filtering is resource intensive). It does nothing to hurt the bad guys. See Greylisting for an alternative approach.

The Good Guys vs the Bad Guys

There is action on both technical and legal fronts.

A number of countries and states have passed legislation providing for increasingly stiff remedies to cope with SPAMers but until the problem reaches manageable proportions authorities worldwide will be swamped. How do you stop 500,000+ spammers. Get that number down to a couple of hundred and the authorities stand a fighting chance.

On the technical front the IETF (the group that sets technical standards for the Internet) looked at the problem under the MARID Working Group and failed to come any consensus. The technical debate was just too fierce. SPF appears to be moving slowly forward as an experimental service. Perhaps to be followed by a progressive series of enhancements each squeezing out more and more email vulnerabilities.

So What can We do

We believe it is reasonable for us to reject mail which we know has forged its origin. It is trivially simple for SPAMers to use a legitimate email addresses to send SPAM. Checks to verify this form of SPAM were historically doomed to failure.

But things are changing.

The Sender Policy Framework (SPF) initiative was started in early 2004 to provide a simple means to verify that mail most likely originated from the real sender. The SPF proposal has been forwarded to the IETF for consideration as an Internet standard. There is no guarantee that this will happen. We have provided right hand menu links where you can read more about the SPF initiative.

Having examined SPF we believe it can play a significant role in reducing SPAM and especially in the case of identity theft (forged mail using your email address) which we know is especially troubling to users. SPF uses only Public Domain technologies.

We believe we should implement SPF now - irrespective of its final status as an IETF standard. AOL is probably the biggest - certainly the most visible - company to have implemented SPF to date. Microsoft's alternate proposal SenderID has now been synchronised with SPF. With this kind of commitment and the ~1m domains that have registered their use of SPF (as of mid October 2005) we believe the SPF initiative can be effective and has industry traction.

When using SPF, as mail arrives at our incoming servers the senders domain's Name Server can be interrogated to find if the originating IP address(es) is authorised to send the mail. This process is managed transparently as part of the normal mail delivery. SPF has two implications for users:

  1. You will be able to send company email from any off-site location only by using web mail. Using the off-site service provider's SMTP service will not be authorized for your company domain and would fail an SPF check at the receiver. We believe this has little impact on users but welcome your input.

  2. Permanent Forwarding of mail. If you elect to permanently forward mail for a particular user (typically an ex-employee) this will fail the receivers SPF checks.

We welcome any comment about these issues and in particular any ideas you have whereby we could reduce their impact.

The Call for Action

We support the SPF initiative as a First step to making SPAM a manageable problem.

We are in the middle of a radical overhaul and upgrade of our mail servers and have mapped out a four phase email program:

  1. Phase 1 - Self Implementation - 2004

    1. We have implemented SPF records in all the domain names owned by ZYTRAX (5 domains). HOWTO define an SPF record

    2. We have tested the SPF records with public services.

    3. We have added the SPF logo to our front page and will progressively add the logo to our new mail servers.

    4. Outgoing emails from domains we own contain an SPF compliance statement and link.

  2. Phase 2 - All DNS Domain we Manage - 2005

  3. If we manage your DNS records and mail we request that you authorize us on your behalf to:

    1. Implement SPF records for all the domains that you own and that we manage.

    2. Request that we can publicize your domain name as SPF-enabled to help continue the momentum and to make others aware that your domain may be safely checked using SPF to reject forged mail that has stolen your identity in order to deliver malicious or offensive material.

    3. Help awareness by publicising the SPF initiative. We have no formal plans at this time.

  4. Phase 3 - SPF Incoming Implementation

  5. In late 2005 we plan to reject mail that fails the SPF checks. We will do it in three stages:

    1. Implement SPF rejection on all domains owned by ZYTRAX. We will run this for either 4 weeks or until we are comfortable that there are no negative effects or that the negative effects are acceptable. We will maintain statistics before and after implementation.

    2. Publish the results of our implementation.

    3. Request authorization from all domains whose incoming and outgoing mail we manage to turn on SPF rejection.

      Where a domain has implemented an SPF policy which shows the mail to be illegitimate we will reject it. We will continue to accept mail from domains which have not yet implemented SPF. We may decide to mark this mail as non-SPF checked. We will do this only after consultation with users.

  6. Phase 4 - Encrypted Local Mail

  7. Commencing in January 2006 we plan to progressively implement encrypted mail transmission for all mail users - initially this will be optional - both the current and the encrypted services will be offered. We plan by mid 2006 - and in consultation with users - to eliminate non-encrypted services. This will require a small configuration change for each mail client.

  8. Phase 5 - SPAM Controls on Incoming Mail

  9. During 2007 we will implement greylisting and filtering of incoming mail based on user specific parameters. Our implementation will allow you to control the level and type of SPAM filtering that is done on mail being received by your domain(s) as it enters our system.

We request your help in supporting both our, and industry wide, initiatives, to help reduce SPAM. We cannot promise these measures will stop SPAM, we cannot even estimate how effective these measures will be in reducing SPAM. We promise only two things:

  1. We will in all cases be the 'guinea-pigs' and experiment on our own domains first.

  2. If we do nothing - the problem will simply get worse.



Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.

Menu

home
security links
email faqs
healthy email
email headers
SPF Anti-SPAM
Greylisting

If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Mozilla

web zytrax.com

Share Page

share page via facebook tweet this page submit page to stumbleupon submit page to reddit.com

Page Features

Page comment feature Send to a friend feature print this page Decrease font size Increase font size

Resources

System Security

CERT
SANS Institute

SPAM & Mail

greylisting.org
SPF Web Site
SPF Test Site
sorbs.org
OPEN RELAY TEST
spamfaqs
spam.abuse.net

Cookies

cookiecentral.com

Network Tools

geektools.com

Display full width page Full width page

Print this page Print this page

SPF Record Conformant Domain Logo

Copyright © 1994 - 2014 ZyTrax, Inc.
All rights reserved. Legal and Privacy
site by zytrax
Hosted by super.net.sg
web-master at zytrax
Page modified: December 28 2011.