

Any downside to implementing SPF (Sender Policy Framework)?

Posted on 2008-10-15
Medium Priority
Last Modified: 2012-08-13
I have a customer who has hired a web company to send out "e-blast" emails under the customer's address. In other words, the web company sends out a message addressed to a large number of recipients simultaneously. The messages are sent to interested parties only in the customer's own industry.  This is a legitimate business and not spamming.  

Here's the problem:  some recipients reject the e-blasts because their firewalls detect that the emails are aliased ... that is, the sender address is the customer's email address, but in reality the email is coming from the web company's email server, which is not the same domain.  

The web company is recommending that we have the customer's Internet provider add an SPF Record that will include the web company's server as one of the authorized addresses.  It would also prevent all email sent from anyone other than the customer's or the web company's email server from getting delivered, which sounds like a great thing.  Here's what the web company is recommending ...

Below you will find the SPF record we have created for you. Please forward this email to your IT person and have them add the SPF Record as a record of type TXT to the DNS for your domain.

New SPF Record: v=spf1 a mx ip4: ip4: ~all

Note for IT admins
If you did not previously have an SPF record we assume:
1. Your domain's inbound email servers may send email (i.e. they are listed as valid senders in the SPF policy).
2. All addresses listed in A records for your domain may send email (i.e. they are listed as valid senders in the SPF policy).

First, I think they're saying if we don't include the customer's own Exchange server in the new SPF Record that the customer will have problems sending its OWN email. I get that and I can see it would have to be added along with the web company's recommended SPF syntax.  I'm right about that, yes?

Second, and more important...

Is SPF reliable?  I haven't worked with SPF before.  Does it have any downsides?  Is it erratic?  Will it slow the receiving of the customer's emails or anything like that?  Will some recipient email systems refuse to work with it?

Also, do you have any other pointers you think I need to know, to avoid making newbie mistakes in this area?


Question by:dgower

Author Comment

ID: 22726029

I did a little research and found a helpful page at http://www.openspf.org/Introduction.  Among other things, they say...

"The domain sender policies alone are not worth much; it is the receiving mail servers that need to enforce them. Most mail servers support SPF checking either natively or through extensions."

Sounds to me like the effect of implementing SPF may be hit or miss, depending on whether a recipient's email server is set up to respond to it.  How well does SPF work on average today?

The same page also warns that the SPF syntax has to be done right or legitimate messages can be blocked.


Author Comment

ID: 22726121

Also note the below from the Wikipedia article on SPF.  Sounds like SPF can cause some legitimate forwarded emails to be rejected??

"FAIL and forwarding

SPF does not allow plain message forwarding. When a domain publishes an SPF FAIL policy, then legitimate mails sent to receivers forwarding their mail to third parties can be rejected and bounced if

   1. the forwarder doesn't rewrite the Return-Path, unlike mailing lists,
   2. the next hop doesn't white list the forwarder, and
   3. this hop checks SPF.

This is a necessary and obvious feature of SPF: checks behind the "border" MTA (MX) of the receiver can't work directly.

Publishers of SPF FAIL policies must accept this potential problem. They should test, e.g. with a SOFTFAIL policy, until they are satisfied with the results. See below for a list of alternatives to plain message forwarding."
LVL 71

Accepted Solution

Chris Dent earned 1000 total points
ID: 22726216

> I'm right about that, yes?

Correct, any system you want to send mail as that domain would have to be included.

> Is SPF reliable?  

I haven't seen any problems with it. In most cases problems occur because of the string used, so human error.

> Does it have any downsides?  Is it erratic?  

Not as such, but it isn't universally checked as you've found so it may not be as effective as it should be.

> Will some recipient email systems refuse to work with it?

Yes, but that will have no negative impact, they will simply ignore it.

> How well does SPF work on average today?

Slowly improving. SPF has been around for years now, and it's only just becoming popular.

> Sounds like SPF can cause some legitimate forwarded emails to be rejected??

That's not a problem with SPF itself, rather a problem with mailing list or forwarding implementation. That comes under the category human error. If you account for it in a rule set you won't be troubled by it.

Personally I consider SPF to be well worth it. Anything that reduces potential abuse of a domain is worthwhile.




Author Comment

ID: 22726605

This sounds good.  Question ...

I SAID  - > Sounds like SPF can cause some legitimate forwarded emails to be rejected??

YOU REPLIED - That's not a problem with SPF itself, rather a problem with mailing list or forwarding implementation. That comes under the category human error. If you account for it in a rule set you won't be troubled by it.

Could you give me an example of the kind of rule set you're talking about?  Would this be on the email server or are you referring to Microsoft Outlook or something?


LVL 71

Expert Comment

by:Chris Dent
ID: 22726673

Email server, SPF only works on the server level because clients never send directly to remote systems.

In the forwarder situation you have another server (as a mail server) that picks up and relays the mail on (transparently). But it's not transparent to the server receiving the message and checking the SPF.

It's unusual to bump into a situation where that becomes important, you won't encounter it in the vast majority of configurations. I can't give you a better example than that in the Wiki though.
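An added example (not from this thread or from any of the posters) that shows both points above in code: a simplified SPF evaluator that understands the `a`, `mx`, `ip4`, `include` and `all` mechanisms with their qualifiers. The domains, addresses and the DNS table are constructed stand-ins, not real lookups; it shows that a record missing `mx` makes the customer's own Exchange server fail, and that a forwarder's IP, which is in nobody's record, gets the `~all` softfail the Wikipedia quote describes.

```python
import ipaddress

# Constructed DNS data standing in for real lookups (hypothetical names/IPs).
DNS = {
    "example.com": {                      # customer's domain, record as recommended
        "TXT": ["v=spf1 a mx ip4:198.51.100.10 ~all"],
        "A": ["192.0.2.10"],              # customer's web server (A record)
        "MX": ["mail.example.com"],       # customer's Exchange server
    },
    "mail.example.com": {"A": ["192.0.2.25"]},
    "blast-only.example": {               # same domain if 'a mx' were left out
        "TXT": ["v=spf1 ip4:198.51.100.10 -all"],
        "MX": ["mail.example.com"],
    },
}

def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])

def check_spf(domain, client_ip):
    """Evaluate domain's SPF record for the connecting IP.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'."""
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1 ")]
    if len(records) != 1:         # no record, or duplicates: no usable policy
        return "none"
    for term in records[0].split()[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":     # explicit qualifier, e.g. ~all or -all
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":       # CIDR or single address
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":         # any A record of the domain (or of arg)
            matched = str(ip) in lookup(arg or domain, "A")
        elif name == "mx":        # any A record of the domain's MX hosts
            matched = any(str(ip) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        elif name == "include":   # recursive evaluation of another domain's policy
            matched = check_spf(arg, client_ip) == "pass"
        else:                     # exists/ptr/ip6 and macros are not modelled here
            continue
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"              # fell off the end of the record
```

Real evaluators also enforce the DNS lookup limit and handle `exp=`/macros; this block deliberately leaves those out.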

LVL 26

Expert Comment

ID: 22727752
The only downside I've seen so far is with clueless admins. I deal with a company who has a bad SPF record. By bad, I mean it doesn't match their email server (maybe it did at one point, but it doesn't now) and all their mail lands in my spam folder. It's super annoying. I've emailed them a bunch of times practically spoon feeding them how to fix it, but they either don't get it or don't care.

So if you publish SPF records, make sure your system matches it. Nothing says clueless to potential customers like your mail landing in their spam folders.
LVL 71

Expert Comment

by:Chris Dent
ID: 22728844

See what I mean about human error? :) It's extremely rare to see a problem caused by the system, if you take a bit of care implementing it you will be absolutely fine :)

