AdrianG (adriang) wrote,
AdrianG
adriang

SPF and why some people are having trouble sending me email.

I'm not certain that every case where someone has had trouble sending me email is a case of SPF related problems, but the two cases for which I've been able to collect any data seem SPF related.

SPF stands for "Sender Policy Framework". It's an anti-spam measure, and I have mixed feeling about it. Every anti-spam measure I'm aware of involves a risk of misidentifying legitimate email as spam. The ISP that handles my email put this anti-spam measure into place without asking me, but in their defense, SPF generally has to be employed at the SMTP server that initially receives email for a domain. As such, it is probably not practical to try to employ this measure for some customers and not for others, and this ISP does have many other customers. In addition, since this measure was employed, my daily ration of spam has dropped from more than 150 useless, offensive, unwanted messages per day from Low Life Spammers to fewer than 10.

Having made excuses for SPF, I have to confess that my own configuration for sending email is not compliant with that standard. There are cases where email I've sent has bounced because SPF records for my domain don't indicate that my IP address is authorized to send email from "nerds.org". I have some advice for anyone who has had email to me or to anyone else bounce because of SPF problems. And I have a feeling that SPF record checking will become more and more common, so I imagine I will have to follow my own advice before too long. 8-)

First, for those trying to send things to me, the ISP that handles my "nerds.org" account is separate from the ISP that handles my broadband connection. The broadband ISP, Time Warner, supports some email addresses for me that I have never used, before Yesterday. One of them is "adriangr1" at "kc.rr.com". You should, of course, join those two strings together, without the quotes, and with an at sign in place of the word "at". Time Warner has their own anti-spam measures, and it's possible that you might stumbler over them, but they do not appear to use SPF.

Second, if you decide to solve the SPF issue, once and for all, understanding a bit SPF would help. SPF is designed to help fight the Unholy Alliance between Low Life Scum Spammers and Evil Virus/Worm Writers. In particular, this Unholy Alliance involves Evil Virus/Worm Writers infecting large number of systems owned by ordinary users and installing programs on them that allow armies of these infected systems to be used by Low Life Scum Spammers to send their spam. I'm simplifying things a bit, but the real point is, that spammers have been frustrated by efforts to blacklist their IP addresses to block their spam, and they've countered by taking control of large number of systems, without permission of the owners, and using those systems to send spam, thereby gaining a continuous supply of many new IP addresses from which to send spam, and making it impractical for anti-spam blacklists to keep up with all the sources of spam.

SPF tries to solve this problem by giving domain owners control over what IP addresses are to be allowed to send email in their name. As an example, "nerds.org" has a way of publishing the fact that email from any "nerds.org" address is only supposed to come from one of two IP specific addresses. In my case, I have my home computer configured to send email directly to it's destination, even though my home IP address is not one of the two authorized to send email claiming to be from "nerds.org". I'm not sending spam, but anyone doing SPF checking will reject email from me. The right solution is for me to reconfigure my system to send email through the ISP that handles my email, but it will require some research to figure out how to do this, and I just haven't done it, yet. As more and more places start to reject my email, I'll feel more pressure to take care of it. I'm guessing that most people don't have this specific problem, because they already use their ISPs to relay outbound email.

The other SPF related problem is that not every sending domain has SPF configured so that every receiving domain will accept its email. On the sending side, SPF lets a domain announce that email for the domain can come from only one IP address, from a range of IP addresses, from any combination of the two, or from all IP addresses on the internet. On the receiving side, SPF lets a domain specify how restrictive the sender's SPF configuration has to be before that receiving domain will accept the sender's email. In the early days of SPF, when it was still largely experimental, those domains that checked SPF records at all often followed SPF restrictions when the sending domain had them but accepted email from any IP address when the sending domain did not have SPF records. Now more and more domains are demanding that some sort of sender SPF configuration must be in place, and some are rejecting configurations that say "any IP address is okay." So, even if you are using your ISP to relay mail, if your ISP's SPF configuration is not restrictive enough, a growing number of receiving domains won't accept your email. It may be that all you can do, in those cases, is try to get your ISP to tighten up its SPF configuration, use another ISP, or see if there's not some way to get the receiving site to whitelist your address. Whitelisting means putting an IP address or email address on a list of addresses that get to bypass SPF checking. In the case of my ISP, it looks like the bounce message they send has an email address to which you can send mail to have your email address whitelisted. This sounds like it would make things to easy for the spammers, but the spammers generally doen't even try to process bounce messages, so it turns out to be a fairly useful approach.

Finally, I want to say that it looks very much like SPF is going to be more and more prevalent. Those of us (including me) who are not yet SPF compliant are going to have more and more trouble sending email until we have not choice to conform. Resistance will ultimately be useless or futile, depending on whether you are more of a Hitchhiker's Guide to the Galaxy fan or a Star Trek fan. 8-)

Adrian
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 21 comments