SPF: Sender Policy Framework
Deployment Progress and Guidance
2005-06-22 MAAWG Fourth General Meeting 1
What was this SPF thing again? (i)
SPF is path authentication; it ties the
sender’s domain to the transport path:
“Who is giving me this message, and
are they really who they say they are?”
It’s not payload authentication:
“Who wrote this message, and are
they really who they say they are?”
What was this SPF thing again? (ii)
[Diagram: message header fields (To: firstname.lastname@example.org, Subject: FEEL YOUNG!) alongside the SMTP envelope (RCPT TO: email@example.com)]
What was this SPF thing again? (iii)
SPF can prevent...
• HELO forgery:
no misleading information in trace headers and log files
• MAIL FROM forgery:
no misdirected bounces (to a degree), make virms’ lives harder,
basis for domain reputation
Plus, Sender-ID can also prevent...
• PRA forgery:
no phishing (to a degree), basis for domain reputation
What was this SPF thing again? (iv)
example.com TXT "v=spf1 ip4:184.108.40.206 a mx -all"
– v=spf1: version; ip4:…: direct IP address; a mx: look up A/MX records; -all: ...but nobody else
example.com TXT "spf2.0/mfrom,pra ip4:220.127.116.11 a mx -all"
• Forwarding breaks SPF, if done incorrectly.
– forwarders can do sender rewriting (e.g. SRS).
– receivers can white-list their trusted forwarders.
Try the http://trusted-forwarder.org white-list!
• MAIL FROM checking cannot prevent phishing
• PRA checking cannot prevent misdirected bounces
• Sometimes, MAIL FROM ≠ PRA, so generally using
identical policies for both is dangerous.
• The PRA patent license is unsuitable for open-source
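An added example, not part of the original slides, showing how a receiver evaluates the v=spf1 record from slide (iv) and applies the trusted-forwarder white-list from this slide. DNS answers, the forwarder address 203.0.113.5 and the test client IPs are constructed stand-ins, not real lookups.

```python
import ipaddress

# Constructed stand-in for DNS (example data, not real lookups).
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:184.108.40.206 a mx -all"],
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TRUSTED_FORWARDERS = {ipaddress.ip_address("203.0.113.5")}  # constructed

def lookup(name, rtype):
    return DNS.get((name, rtype), [])

def mechanism_matches(mech, client_ip, domain):
    """Return True if one v=spf1 mechanism matches the connecting IP."""
    name, _, arg = mech.partition(":")
    if name == "all":
        return True
    if name == "ip4":  # a bare address is treated as a /32
        return client_ip in ipaddress.ip_network(arg, strict=False)
    if name == "a":
        return str(client_ip) in lookup(arg or domain, "A")
    if name == "mx":
        return any(str(client_ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
    raise ValueError(f"unsupported mechanism {name}")  # a real checker returns permerror

def check_host(client_ip, domain):
    """Evaluate the HELO / MAIL FROM domain's v=spf1 record for client_ip."""
    records = [r for r in lookup(domain, "TXT") if r.startswith("v=spf1 ")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        if mechanism_matches(mech, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term

def receiver_verdict(client_ip, domain):
    """Skip the SPF check for a white-listed forwarder, as slide 6 suggests."""
    ip = ipaddress.ip_address(client_ip)
    if ip in TRUSTED_FORWARDERS:
        return "forwarder"  # forwarded mail would otherwise "fail" under -all
    return check_host(client_ip, domain)
```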
Sender Rewriting (SRS & Co.)
When forwarding mail from an SPF-protected domain,
the forwarder should rewrite the sender address,
e.g. by using SRS:
[Diagram: mail from Joe passes through Fwdr, which rewrites the sender address, on to Anne]
Biggest problem of SRS: the localpart can get longer
than the 64 characters allowed.
How to participate in SPF
Publish SPF records today!
Use record building wizard at http://spf.pobox.com!
Check SPF records! Check Sender-ID records, too,
if you want, but don’t use v=spf1 for PRA!
– SPF patches/plug-ins available for many MTAs:
Qmail, Sendmail, Postfix, Courier, Exim, Exchange
– Sender-ID supported by only a few MTAs yet, most notably
Exchange 2003 (soon) and Sendmail
A short history of SPF
SPF spun off from draft-fecyk-dsprotocol-03
first stable SPF draft, mostly compatible with today
assumed final, submitted to the IETF/IESG
Adoption by domain owners
As of 2005-06, roughly 800,000 domains are known to be equipped
with v=spf1 records to date, 250,000 of them have registered at
the adoption roll. About 6,800 domains have published spf2.0.
More about adoption
...have been among the fastest to publish v=spf1 records
for their domains. SPF doesn’t directly prevent spam, it
just prevents forgery!
A lot of forwarding software (mailing lists, etc.)
already performs sender rewriting in some way, but
much remains to be done, e.g. rewriting support in MTAs
for alias-/dot-forward-style forwarding.
Many receivers have chosen to white-list their trusted
Call to action
Publish SPF records!
Check SPF records!
• Help fund improvements of implementations!
• Lobby MTA developers to support SPF!
Help research reputation schemes!
What types of reputation would you like to use?
Spread the word!