calum.org:~#

Missing the point of SPF

Tags: email spf spam

Added: 2020-07-04T17:06:42

Missing the point of SPF

Some people don't understand the point of SPF or Sender Permitted From*.

If a spammer decides to use your address as the "from" address on all of his spam emails he's sending out, you'll be deluged with "mailbox full", "user no longer here", or "out of office" replies.
Even better, you might get actual humans who are angry with you for sending them spam.
I've had this happen to me in the past. Even if only 1% of emails fail to be delivered, you still end up with thousands and thousands of these sorts of emails.
If only there was a system by which you could tell the world what valid email servers were for your domain? Then people could ignore invalid emails.

And so SPF was created. You add a small TXT record to your domain's DNS record, and then compliant mail servers can see whether an email allegedly coming from you came from one of the email servers you say is a valid one for your domain.

The idea of this is prevent the sort of mass blowback that occurs when a spammer sends millions of messages out using your domain as the from domain.

So you can see that this email I got completely misses the point:

A message you sent has failed SPF verification due to a record misconfiguration. Email details are below. Please correct your record to prevent SPF verification lookups in future, or forward to your admin for investigation.

Sender: user@mydomain.com
Recipient: chatswood@greenwood.com.au
Subject: Re:2020 hot sell new product

SPF result: fail
SPF record: v=spf1 mx a -all
Talk about missing the point.
No, my SPF record isn't misconfigured. It's doing exactly what it's meant to do, which is tell people which mail servers are allowed to send emails saying they came from mydomain.com. The email even says it's an SPF fail, which means that you should ignore it, and definitely don't send emails back to the from address.

If you run an email server, please make sure you don't send any emails if you get an SPF fail.

* I've just discovered that it hasn't been called this since 2004, so I'm only 16 years behind the times.

posted by Calum on 2020-06-04T22:15 under

Add a comment

Your IP:
Please enter 4136342 here: