Solved

Any downside to implementing SPF (Sender Policy Framework)?

Posted on 2008-10-15
Last Modified: 2012-08-13
I have a customer who has hired a web company to send out "e-blast" emails under the customer's address. In other words, the web company sends out a message addressed to a large number of recipients simultaneously. The messages are sent to interested parties only in the customer's own industry.  This is a legitimate business and not spamming.  

Here's the problem:  some recipients reject the e-blasts because their firewalls detect that the emails are aliased ... that is, the sender address is the customer's email address, but in reality the email is coming from the web company's email server, which is not the same domain.  

The web company is recommending that we have the customer's Internet provider add an SPF Record that will include the web company's server as one of the authorized addresses.  It would also keep all email sent from anyone other than the customer's or the web company's email server from getting delivered, which sounds like a great thing.  Here's what the web company is recommending ...

******************************************************************************************************
Below you will find the SPF record we have created for you. Please forward this email to your IT person and have them add the SPF Record as a record of type TXT to the DNS for your domain.

New SPF Record: v=spf1 a mx ip4:64.78.151.128/26 ip4:216.241.183.0/24 ~all

Note for IT admins
If you did not previously have an SPF record we assume:
1. Your domain's inbound email servers may send email (i.e. they are listed as valid senders in the SPF policy).
2. All addresses listed in A records for your domain may send email (i.e. they are listed as valid senders in the SPF policy)
******************************************************************************************************

First, I think they're saying if we don't include the customer's own Exchange server in the new SPF Record that the customer will have problems sending its OWN email. I get that and I can see it would have to be added along with the web company's recommended SPF syntax.  I'm right about that, yes?

Second, and more important...

Is SPF reliable?  I haven't worked with SPF before.  Does it have any downsides?  Is it erratic?  Will it slow the receiving of the customer's emails or anything like that?  Will some recipient email systems refuse to work with it?

Also, do you have any other pointers you think I need to know, to avoid making newbie mistakes in this area?

Thanks!



0
Question by:dgower
7 Comments
 

Author Comment

by:dgower
ID: 22726029
ADDING THIS NOTE...

I did a little research and found a helpful page at http://www.openspf.org/Introduction.  Among other things, they say...

"The domain sender policies alone are not worth much - it is the receiving mail servers that need to enforce them. Most mail servers support SPF checking either natively or through extensions."

Sounds to me like the effect of implementing SPF may be hit or miss, depending on whether a recipient's email server is set up to respond to it.  How well does SPF work on average today?

The same page also warns that the SPF syntax has to be done right or legitimate messages can be blocked.

0
 

Author Comment

by:dgower
ID: 22726121
ADDING ANOTHER NOTE...

Also note the below from the Wikipedia article on SPF.  Sounds like SPF can cause some legitimate forwarded emails to be rejected??

"FAIL and forwarding

SPF does not allow plain message forwarding. When a domain publishes an SPF FAIL policy, then legitimate mails sent to receivers forwarding their mail to third parties can be rejected and bounced if

   1. the forwarder doesn't rewrite the Return-Path, unlike mailing lists,
   2. the next hop doesn't white list the forwarder, and
   3. this hop checks SPF.

This is a necessary and obvious feature of SPF - checks behind the "border" MTA (MX) of the receiver can't work directly.

Publishers of SPF FAIL policies must accept this potential problem. They should test, e.g. with a SOFTFAIL policy, until they are satisfied with the results. See below for a list of alternatives to plain message forwarding."
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 250 total points
ID: 22726216

> I'm right about that, yes?

Correct, any system you want to send mail as that domain would have to be included.

> Is SPF reliable?  

I haven't seen any problems with it. In most cases problems occur because of the string used, so human error.

> Does it have any downsides?  Is it erratic?  

Not as such, but it isn't universally checked as you've found so it may not be as effective as it should be.

> Will some recipient email systems refuse to work with it?

Yes, but that will have no negative impact, they will simply ignore it.

> How well does SPF work on average today?

Slowly improving. SPF has been around for years now, and it's only just becoming popular.

> Sounds like SPF can cause some legitimate forwarded emails to be rejected??

That's not a problem with SPF itself, rather a problem with mailing list or forwarding implementation. That comes under the category human error. If you account for it in a rule set you won't be troubled by it.

Personally I consider SPF to be well worth it. Anything that reduces potential abuse of a domain is worthwhile.

HTH

Chris
0

 

Author Comment

by:dgower
ID: 22726605
Chris-Dent:

This sounds good.  Question ...

I SAID  - > Sounds like SPF can cause some legitimate forwarded emails to be rejected??

YOU REPLIED - That's not a problem with SPF itself, rather a problem with mailing list or forwarding implementation. That comes under the category human error. If you account for it in a rule set you won't be troubled by it.

Could you give me an example of the kind of rule set you're talking about?  Would this be on the email server or are you referring to Microsoft Outlook or something?

Thanks.

0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22726673

Email server, SPF only works on the server level because clients never send directly to remote systems.

In the forwarder situation you have another server (as a mail server) that picks up and relays the mail on (transparently). But it's not transparent to the server receiving the message and checking the SPF.

It's unusual to bump into a situation where that becomes important, you won't encounter it in the vast majority of configurations. I can't give you a better example than that in the Wiki though.

Chris
0
 
LVL 26

Expert Comment

by:jar3817
ID: 22727752
The only downside I've seen so far is with clueless admins. I deal with a company who has a bad SPF record. By bad, I mean it doesn't match their email server (maybe it did at one point, but it doesn't now) and all their mail lands in my spam folder. It's super annoying. I've emailed them a bunch of times practically spoon feeding them how to fix it, but they either don't get it or don't care.

So if you publish SPF records, make sure your system matches it. Nothing says clueless to potential customers like your mail landing in their spam folders.
0
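
To illustrate the "make sure your system matches it" point and the forwarding case raised earlier in the thread, here is an added example (not code from any poster): a simplified, offline evaluation of the record quoted in the question against sample sending addresses. The addresses standing in for the domain's A and MX hosts and for the forwarder are constructed, and only the `a`, `mx`, `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Record quoted in the question; the addresses in CONSTRUCTED_DNS are made up.
SPF_RECORD = "v=spf1 a mx ip4:64.78.151.128/26 ip4:216.241.183.0/24 ~all"
CONSTRUCTED_DNS = {
    "a": ["192.0.2.80"],   # hypothetical A record of the customer's domain
    "mx": ["192.0.2.25"],  # hypothetical MX host: the customer's Exchange server
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip, dns=CONSTRUCTED_DNS):
    """Return (result, matching_term); terms are evaluated left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", None  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, mech = "+", term  # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", term  # malformed network in the record
        elif name in ("a", "mx") and not arg:
            matched = any(ip == ipaddress.ip_address(a) for a in dns[name])
        else:
            return "unsupported", term  # include:, exists:, etc. are not modelled
        if matched:
            return QUALIFIERS[qualifier], term
    return "neutral", None  # nothing matched and the record has no "all"


def demo():
    senders = {  # all three addresses are constructed samples
        "web company server (inside the /26)": "64.78.151.130",
        "customer Exchange server (MX)": "192.0.2.25",
        "forwarder not listed in the record": "198.51.100.7",
    }
    return {who: check_spf(SPF_RECORD, ip) for who, ip in senders.items()}


if __name__ == "__main__":
    for who, outcome in demo().items():
        print(f"{who}: {outcome}")
```

Dropping `mx` from the record makes the Exchange server fall through to `~all` (softfail), and with `-all` in place of `~all` the unlisted forwarder gets a hard fail instead of a softfail.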
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22728844

See what I mean about human error? :) It's extremely rare to see a problem caused by the system, if you take a bit of care implementing it you will be absolutely fine :)

Chris
0
