The problem with SPF records

July 30th, 2007 | by useful | in Rants

Quick: does your domain have an SPF record? On Linux, type the command below and you should see something like:

# dig yourdomain.com TXT +short
"v=spf1 a mx -all"

I've been kind of appalled at how some websites still haven't implemented SPF records to fight spam. On top of the non-adopters, you have people who haven't implemented their records correctly. Most SPF implementations come from idiots who use a horrible wizard that suggests a soft fail (~all) for any server that doesn't match their allowed server list. Soft fail doesn't work: all major email services let through SOFTFAIL and NEUTRAL email. The SPF website has a better SPF wizard, but unfortunately it doesn't come up in most searches.

Why should you use -all over any other qualifier? It means FAIL. It's the only way to tell another mail server that it shouldn't accept mail from an unauthorized source: any server not defined in the SPF record automatically fails authentication. Using FAIL is the only way to minimize spam. SOFTFAIL and NEUTRAL do nothing to combat people masquerading as your domain. FAIL is also the only way to stop receiving bounce messages for spam sent with a forged sender address claiming to come from your domain.

“+” Pass
“-” Fail
“~” SoftFail
“?” Neutral

Don't understand how SPF works? Your SPF record should identify all the servers that are allowed to send mail as your domain. All modern email sites let through email that evaluates to SOFTFAIL, NEUTRAL or PASS. I blame SPF generators for this problem, as most of them generate SOFTFAIL, which all the big email sites like GMail and Hotmail let through.

Here is what all email servers do when they check SPF records:

Result     Explanation                                                                 Intended action
Pass       The SPF record designates the host as allowed to send                       accept
Fail       The SPF record designates the host as NOT allowed to send                   reject
SoftFail   The SPF record designates the host as NOT allowed to send, but is in        accept but mark
           transition
Neutral    The SPF record explicitly specifies that nothing can be said about          accept
           validity
None       The domain has no SPF record, or the SPF record does not evaluate to a      accept
           result
PermError  A permanent error has occurred (e.g. a badly formatted SPF record)          unspecified
TempError  A transient error has occurred                                              accept or reject

The only option that combats spam effectively is to FAIL any server that sends email for your domain and is not defined as allowed.
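To make the difference concrete, here is an added example (not code from the original post) that evaluates a simplified SPF record the way a receiving server does, then maps the result to the action in the table above. The DNS data and the 203.0.113.5 "spoofed" sender are constructed; only the a, mx, ip4 and all mechanisms are supported.

```python
import ipaddress

# Constructed stand-in for DNS: the A and MX hosts of the example domain
# and their addresses (documentation ranges, not real data).
DNS = {"example.com": {"a": ["192.0.2.10"], "mx": ["192.0.2.25"]}}

# What a receiving server does with each result, per the table above.
ACTION = {"pass": "accept", "fail": "reject", "softfail": "accept but mark",
          "neutral": "accept", "none": "accept", "permerror": "unspecified",
          "temperror": "accept or reject"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, domain, sender_ip):
    """Evaluate a simplified SPF record for sender_ip.

    Handles the a, mx, ip4 and all mechanisms with the four qualifiers
    (no include/redirect, no CIDR suffix on a/mx). Mechanisms are tried
    left to right and the first match decides, as SPF specifies."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, mech = "+", term  # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("a", "mx"):
            hosts = DNS.get(arg or domain, {}).get(name, [])
            matched = any(ipaddress.ip_address(h) == ip for h in hosts)
        elif name == "ip4" and arg:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            return "permerror"  # unsupported or malformed term
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term: SPF default

def receiver_action(result):
    """Map an SPF result to the action a typical receiver takes."""
    return ACTION[result]

if __name__ == "__main__":
    spoofed = "203.0.113.5"  # constructed: a host not in the record
    for rec in ("v=spf1 a mx -all", "v=spf1 a mx ~all", "v=spf1 a mx ?all"):
        res = check_spf(rec, "example.com", spoofed)
        print(f"{rec!r:24} -> {res:8} -> {receiver_action(res)}")
```

Only the -all record gets the forged sender rejected; ~all and ?all both end in "accept", which is the point of the rant.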

PLEASE FAIL ANY UNAUTHORIZED EMAIL

Thanks


One Response to “The problem with SPF records”

  1. useful Says:

    Not sure if you have an SPF record? The Linux command `dig` is great for finding out.

    # dig yourdomain.com TXT +short

    It should respond with something like "v=spf1 a mx -all".
