Solved

Any downside to implementing SPF (Sender Policy Framework)?

Posted on 2008-10-15
Last Modified: 2012-08-13
I have a customer who has hired a web company to send out "e-blast" emails under the customer's address. In other words, the web company sends out a message addressed to a large number of recipients simultaneously. The messages are sent to interested parties only in the customer's own industry.  This is a legitimate business and not spamming.  

Here's the problem:  some recipients reject the e-blasts because their firewalls detect that the emails are aliased ... that is, the sender address is the customer's email address, but in reality the email is coming from the web company's email server, which is not the same domain.  

The web company is recommending that we have the customer's Internet provider add an SPF Record that will include the web company's server as one of the authorized addresses.  It would also prevent all email sent from anyone other than the customer's or the web company's email server from getting delivered, which sounds like a great thing.  Here's what the web company is recommending ...

******************************************************************************************************
Below you will find the SPF record we have created for you. Please forward this email to your IT person and have them add the SPF Record as a record of type TXT to the DNS for your domain.

New SPF Record: v=spf1 a mx ip4:64.78.151.128/26 ip4:216.241.183.0/24 ~all

Note for IT admins
If you did not previously have an SPF record we assume:
1. Your domain's inbound email servers may send email (i.e. they are listed as valid senders in the SPF policy).
2. All addresses listed in A records for your domain may send email (i.e. they are listed as valid senders in the SPF policy)
******************************************************************************************************

First, I think they're saying if we don't include the customer's own Exchange server in the new SPF Record that the customer will have problems sending its OWN email. I get that and I can see it would have to be added along with the web company's recommended SPF syntax.  I'm right about that, yes?

Second, and more important...

Is SPF reliable?  I haven't worked with SPF before.  Does it have any downsides?  Is it erratic?  Will it slow the receiving of the customer's emails or anything like that?  Will some recipient email systems refuse to work with it?

Also, do you have any other pointers you think I need to know, to avoid making newbie mistakes in this area?

Thanks!



Question by:dgower
7 Comments
 

Author Comment

by:dgower
ID: 22726029
ADDING THIS NOTE...

I did a little research and found a helpful page at http://www.openspf.org/Introduction.  Among other things, they say...

"The domain sender policies alone are not worth much - it is the receiving mail servers that need to enforce them. Most mail servers support SPF checking either natively or through extensions."

Sounds to me like the effect of implementing SPF may be hit or miss, depending on whether a recipient's email server is set up to respond to it.  How well does SPF work on average today?

The same page also warns that the SPF syntax has to be done right or legitimate messages can be blocked.

 

Author Comment

by:dgower
ID: 22726121
ADDING ANOTHER NOTE...

Also note the below from the Wikipedia article on SPF.  Sounds like SPF can cause some legitimate forwarded emails to be rejected??

"FAIL and forwarding

SPF does not allow plain message forwarding. When a domain publishes an SPF FAIL policy, then legitimate mails sent to receivers forwarding their mail to third parties can be rejected and bounced if

   1. the forwarder doesn't rewrite the Return-Path, unlike mailing lists,
   2. the next hop doesn't white list the forwarder, and
   3. this hop checks SPF.

This is a necessary and obvious feature of SPF - checks behind the "border" MTA (MX) of the receiver can't work directly.

Publishers of SPF FAIL policies must accept this potential problem. They should test, e.g. with a SOFTFAIL policy, until they are satisfied with the results. See below for a list of alternatives to plain message forwarding."
 
LVL 70

Accepted Solution

by:
Chris Dent earned 250 total points
ID: 22726216

> I'm right about that, yes?

Correct, any system you want to send mail as that domain would have to be included.

> Is SPF reliable?  

I haven't seen any problems with it. In most cases problems occur because of the string used, so human error.

> Does it have any downsides?  Is it erratic?  

Not as such, but it isn't universally checked as you've found so it may not be as effective as it should be.

> Will some recipient email systems refuse to work with it?

Yes, but that will have no negative impact, they will simply ignore it.

> How well does SPF work on average today?

Slowly improving. SPF has been around for years now, and it's only just becoming popular.

> Sounds like SPF can cause some legitimate forwarded emails to be rejected??

That's not a problem with SPF itself, rather a problem with mailing list or forwarding implementation. That comes under the category human error. If you account for it in a rule set you won't be troubled by it.

Personally I consider SPF to be well worth it. Anything that reduces potential abuse of a domain is worthwhile.

HTH

Chris
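
Added example (not part of the original thread and not code from any poster): a simplified sketch of how a receiving server evaluates the record quoted in the question, covering only the `a`, `mx`, `ip4` and `all` mechanisms. It shows why the customer's own Exchange server must be covered by the record and what a forwarder's address gets under `~all` versus `-all`. The `a`/`mx` host lists and every sender IP are constructed sample values; a real check resolves them through DNS.

```python
import ipaddress

# Record quoted in the question. "a" and "mx" need DNS lookups, so their
# resolved addresses are passed in as constructed sample data.
RECORD = "v=spf1 a mx ip4:64.78.151.128/26 ip4:216.241.183.0/24 ~all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip, a_hosts=(), mx_hosts=()):
    """Return the SPF result for sender_ip from the first matching mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == 4 and ip in net
        elif name == "a":                    # bare "a": the domain's A records
            matched = sender_ip in a_hosts
        elif name == "mx":                   # bare "mx": the domain's MX hosts
            matched = sender_ip in mx_hosts
        else:
            return "permerror"               # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all"

def demo():
    mx = ["203.0.113.25"]                    # constructed: Exchange server as MX
    strict = RECORD.replace("~all", "-all")  # the FAIL policy from the Wikipedia quote
    return {
        "web company server": check_spf(RECORD, "64.78.151.130", mx_hosts=mx),
        "Exchange server listed as MX": check_spf(RECORD, "203.0.113.25", mx_hosts=mx),
        "Exchange server not in a/mx": check_spf(RECORD, "203.0.113.25"),
        "forwarder, ~all": check_spf(RECORD, "198.51.100.7", mx_hosts=mx),
        "forwarder, -all": check_spf(strict, "198.51.100.7", mx_hosts=mx),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
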
 

Author Comment

by:dgower
ID: 22726605
Chris-Dent:

This sounds good.  Question ...

I SAID  - > Sounds like SPF can cause some legitimate forwarded emails to be rejected??

YOU REPLIED - That's not a problem with SPF itself, rather a problem with mailing list or forwarding implementation. That comes under the category human error. If you account for it in a rule set you won't be troubled by it.

Could you give me an example of the kind of rule set you're talking about?  Would this be on the email server or are you referring to Microsoft Outlook or something?

Thanks.

 
LVL 70

Expert Comment

by:Chris Dent
ID: 22726673

Email server, SPF only works on the server level because clients never send directly to remote systems.

In the forwarder situation you have another server (as a mail server) that picks up and relays the mail on (transparently). But it's not transparent to the server receiving the message and checking the SPF.

It's unusual to bump into a situation where that becomes important, you won't encounter it in the vast majority of configurations. I can't give you a better example than that in the Wiki though.

Chris
 
LVL 26

Expert Comment

by:jar3817
ID: 22727752
The only downside I've seen so far is with clueless admins. I deal with a company who has a bad SPF record. By bad, I mean it doesn't match their email server (maybe it did at one point, but it doesn't now) and all their mail lands in my spam folder. It's super annoying. I've emailed them a bunch of times practically spoon feeding them how to fix it, but they either don't get it or don't care.

So if you publish SPF records, make sure your system matches it. Nothing says clueless to potential customers like your mail landing in their spam folders.
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22728844

See what I mean about human error? :) It's extremely rare to see a problem caused by the system, if you take a bit of care implementing it you will be absolutely fine :)

Chris