

Any downside to implementing SPF (Sender Policy Framework)?

Posted on 2008-10-15
Medium Priority
Last Modified: 2012-08-13
I have a customer who has hired a web company to send out "e-blast" emails under the customer's address. In other words, the web company sends out a message addressed to a large number of recipients simultaneously. The messages are sent to interested parties only in the customer's own industry.  This is a legitimate business and not spamming.  

Here's the problem:  some recipients reject the e-blasts because their firewalls detect that the emails are aliased ... that is, the sender address is the customer's email address, but in reality the email is coming from the web company's email server, which is not the same domain.  

The web company is recommending that we have the customer's Internet provider add an SPF Record that will include the web company's server as one of the authorized addresses.  It would also keep all email sent from anyone other than the customer's or the web company's email server from getting delivered, which sounds like a great thing.  Here's what the web company is recommending ...

Below you will find the SPF record we have created for you. Please forward this email to your IT person and have them add the SPF Record as a record of type TXT to the DNS for your domain.

New SPF Record: v=spf1 a mx ip4: ip4: ~all

Note for IT admins
If you did not previously have an SPF record we assume:
1. Your domain's inbound email servers may send email (i.e. they are listed as valid senders in the SPF policy).
2. All addresses listed in A records for your domain may send email (i.e. they are listed as valid senders in the SPF policy)

First, I think they're saying if we don't include the customer's own Exchange server in the new SPF Record that the customer will have problems sending its OWN email. I get that and I can see it would have to be added along with the web company's recommended SPF syntax.  I'm right about that, yes?

Second, and more important...

Is SPF reliable?  I haven't worked with SPF before.  Does it have any downsides?  Is it erratic?  Will it slow the receiving of the customer's emails or anything like that?  Will some recipient email systems refuse to work with it?

Also, do you have any other pointers you think I need to know, to avoid making newbie mistakes in this area?


Question by:dgower

Author Comment

ID: 22726029

I did a little research and found a helpful page at http://www.openspf.org/Introduction.  Among other things, they say...

"The domain sender policies alone are not worth much - it is the receiving mail servers that need to enforce them. Most mail servers support SPF checking either natively or through extensions."

Sounds to me like the effect of implementing SPF may be hit or miss, depending on whether a recipient's email server is set up to respond to it.  How well does SPF work on average today?

The same page also warns that the SPF syntax has to be done right or legitimate messages can be blocked.


Author Comment

ID: 22726121

Also note the below from the Wikipedia article on SPF.  Sounds like SPF can cause some legitimate forwarded emails to be rejected??

"FAIL and forwarding

SPF does not allow plain message forwarding. When a domain publishes an SPF FAIL policy, then legitimate mails sent to receivers forwarding their mail to third parties can be rejected and bounced if

   1. the forwarder doesn't rewrite the Return-Path, unlike mailing lists,
   2. the next hop doesn't white list the forwarder, and
   3. this hop checks SPF.

This is a necessary and obvious feature of SPF - checks behind the "border" MTA (MX) of the receiver can't work directly.

Publishers of SPF FAIL policies must accept this potential problem. They should test, e.g. with a SOFTFAIL policy, until they are satisfied with the results. See below for a list of alternatives to plain message forwarding."
LVL 71

Accepted Solution

Chris Dent earned 1000 total points
ID: 22726216

> I'm right about that, yes?

Correct, any system you want to send mail as that domain would have to be included.

> Is SPF reliable?  

I haven't seen any problems with it. In most cases problems occur because of the string used, so human error.

> Does it have any downsides?  Is it erratic?  

Not as such, but it isn't universally checked as you've found so it may not be as effective as it should be.

> Will some recipient email systems refuse to work with it?

Yes, but that will have no negative impact, they will simply ignore it.

> How well does SPF work on average today?

Slowly improving. SPF has been around for years now, and it's only just becoming popular.

> Sounds like SPF can cause some legitimate forwarded emails to be rejected??

That's not a problem with SPF itself, rather a problem with mailing list or forwarding implementation. That comes under the category human error. If you account for it in a rule set you won't be troubled by it.

Personally I consider SPF to be well worth it. Anything that reduces potential abuse of a domain is worthwhile.




Author Comment

ID: 22726605

This sounds good.  Question ...

I SAID  - > Sounds like SPF can cause some legitimate forwarded emails to be rejected??

YOU REPLIED - That's not a problem with SPF itself, rather a problem with mailing list or forwarding implementation. That comes under the category human error. If you account for it in a rule set you won't be troubled by it.

Could you give me an example of the kind of rule set you're talking about?  Would this be on the email server or are you referring to Microsoft Outlook or something?


LVL 71

Expert Comment

by:Chris Dent
ID: 22726673

Email server, SPF only works on the server level because clients never send directly to remote systems.

In the forwarder situation you have another server (as a mail server) that picks up and relays the mail on (transparently). But it's not transparent to the server receiving the message and checking the SPF.

It's unusual to bump into a situation where that becomes important, you won't encounter it in the vast majority of configurations. I can't give you a better example than that in the Wiki though.

LVL 26

Expert Comment

ID: 22727752
The only downside I've seen so far is with clueless admins. I deal with a company who has a bad SPF record. By bad, I mean it doesn't match their email server (maybe it did at one point, but it doesn't now) and all their mail lands in my spam folder. It's super annoying. I've emailed them a bunch of times practically spoon feeding them how to fix it, but they either don't get it or don't care.

So if you publish SPF records, make sure your system matches it. Nothing says clueless to potential customers like your mail landing in their spam folders.
LVL 71

Expert Comment

by:Chris Dent
ID: 22728844

See what I mean about human error? :) It's extremely rare to see a problem caused by the system, if you take a bit of care implementing it you will be absolutely fine :)
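An added example, not part of the original thread: a minimal Python evaluator for the `a`, `mx`, `ip4` and `all` mechanisms, run against the situations discussed above (every sending server must be listed, a record that does not match the sending system, and a forwarder that keeps the Return-Path). The domain example.com, all IP addresses and the DNS table are constructed, and the code covers only this subset of SPF, not a full checker.

```python
import ipaddress

# Constructed DNS data for the placeholder domain example.com (documentation IPs).
DNS = {
    "a": {"example.com": ["192.0.2.10"]},   # web site
    "mx": {"example.com": ["192.0.2.25"]},  # inbound mail server (the Exchange box)
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, domain, client_ip, dns=DNS):
    """Evaluate the a, mx, ip4 and all mechanisms against the connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed or empty address
        elif name in ("a", "mx"):
            matched = client_ip in dns[name].get(arg or domain, [])
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]  # first match wins, left to right
    return "neutral"

WEB_COMPANY = "198.51.100.7"   # constructed: e-blast sender
FORWARDER = "203.0.113.50"     # constructed: relay that keeps the Return-Path
SOFT = "v=spf1 a mx ip4:198.51.100.7 ~all"
HARD = "v=spf1 a mx ip4:198.51.100.7 -all"

def results():
    return {
        "exchange": check_spf(SOFT, "example.com", "192.0.2.25"),
        "web_company": check_spf(SOFT, "example.com", WEB_COMPANY),
        "unlisted_sender": check_spf("v=spf1 a mx ~all", "example.com", WEB_COMPANY),
        "forwarded_softfail": check_spf(SOFT, "example.com", FORWARDER),
        "forwarded_fail": check_spf(HARD, "example.com", FORWARDER),
    }

if __name__ == "__main__": print(results())
```

With `~all` the forwarded message is only marked softfail, while the same message under `-all` returns fail, which is the case the quoted Wikipedia passage advises testing for before publishing a FAIL policy.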

