
Why you shouldn't jump on the SPF bandwagon (2005) - porjo
http://david.woodhou.se/why-not-spf.html
======
livebsd
I've been managing my own mail server since forever (when nanae was still a
thing: news.admin.net-abuse.email).

SPF is not too bad as far as forging countermeasures work. It's relatively
simple both to implement and to check. I'm not against it.

What I don't like is every single other standard they pushed later. I
personally think DMARC is borderline useless. DKIM is plainly horrid and
breaks just about everything you'd expect from email such as mailing lists,
while not solving anything both from a legitimacy perspective and from a spam
perspective.

Like everybody says, the "recommended" solution is to pour each and every one
of these half-assed solutions into a score system. Which sucks, because when a
legitimate email is rejected, the fix is never trivial: it could be just a
perfectly legitimate host which decided that all these solutions are crap (and
they're right).

You know my current 90+% spam and scamming source by volume? It's gmail.com.
It's passing all these checks, of course. It's the reason I consider DKIM
virtually useless even from a legitimacy perspective: a valid DKIM signature
from any large/free email provider bears no significance to the point that
even if I had a decent UI for validation in my email client, I would basically
have to avoid it: "oh, right, another _legit_ scam from gmail.com".

~~~
garaetjjte
It is SPF that completely breaks mailing lists; DKIM is necessary to fix it.

DMARC just specifies reporting and policy; DKIM is almost useless (except as an
SPF fail override) without it (because you don't know if it should have a
signature or not).

~~~
brightball
DKIM without DMARC is the issue. Mail servers have no way of knowing that an
email with no DKIM signature was supposed to have one unless you’ve set a
DMARC policy to make it clear.
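
As an added illustration of the exchange above (example code, not from the thread or from any DMARC implementation), here is a small Python DMARC evaluator that takes an already-computed SPF result and DKIM verification results and applies identifier alignment plus the published `p=` policy. The domains and the `_dmarc` records are constructed; the organizational-domain rule is a two-label toy rather than the Public Suffix List. The cases at the bottom show the point made above: with no DMARC record, an unsigned message gets no action at all, while the same message against a `p=reject` domain is rejected, and a forwarded copy whose DKIM signature survived still passes.

```python
# Constructed DMARC records keyed by the RFC 5322 From: domain; they stand in
# for the _dmarc.<domain> TXT lookup a receiving MTA would make.
DMARC_RECORDS = {
    "bank.example": {"p": "reject", "adkim": "r", "aspf": "r"},
    "hobby.example": {"p": "none", "adkim": "r", "aspf": "r"},
    # "unsigned.example" publishes no DMARC record at all
}

# Policy keyword -> what the receiver does with a failing message
ACTIONS = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}


def organizational_domain(domain):
    """Toy rule: the last two labels. Real DMARC consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(candidate, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return candidate.lower() == from_domain.lower()
    return organizational_domain(candidate) == organizational_domain(from_domain)


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_results):
    """Decide DMARC for one message.

    spf_result   : 'pass', 'fail', 'softfail', ... from the SPF check
    spf_domain   : the envelope-from (RFC 5321 MailFrom) domain SPF was run on
    dkim_results : list of (d= domain, signature_verified) per DKIM-Signature
    """
    record = DMARC_RECORDS.get(from_domain)
    if record is None:
        # No policy published: the receiver cannot know a signature was expected
        return {"dmarc": "none", "action": "accept"}
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, record["aspf"])
    dkim_aligned = any(ok and aligned(d, from_domain, record["adkim"]) for d, ok in dkim_results)
    if spf_aligned or dkim_aligned:
        return {"dmarc": "pass", "action": "accept"}
    return {"dmarc": "fail", "action": ACTIONS[record["p"]]}


def scenarios():
    """Constructed cases; argument order is (From: domain, spf_result, spf_domain, dkim)."""
    return {
        # direct delivery from the bank's own MTA: both identifiers align
        "direct": dmarc_evaluate("bank.example", "pass", "bank.example", [("bank.example", True)]),
        # forwarded by a third party without SRS: SPF fails, DKIM survives intact
        "forwarded_intact": dmarc_evaluate("bank.example", "fail", "bank.example", [("bank.example", True)]),
        # mailing list rewrote subject/body: DKIM broken, SPF passes for the list's domain only
        "mailing_list": dmarc_evaluate("bank.example", "pass", "list.example", [("bank.example", False)]),
        # unsigned message with a bank.example From: sent from an unrelated host
        "unsigned_p_reject": dmarc_evaluate("bank.example", "fail", "other.example", []),
        # the same unsigned message against a domain that publishes no DMARC record
        "unsigned_no_policy": dmarc_evaluate("unsigned.example", "fail", "other.example", []),
        # unsigned against p=none: recorded as a failure but still accepted
        "unsigned_p_none": dmarc_evaluate("hobby.example", "fail", "other.example", []),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:20} {outcome}")
```

The `mailing_list` case is the DKIM-breaks-lists complaint made concrete: once the list modifies the message, the only aligned identifier left is the broken signature, and `p=reject` does the rest.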

------
jedberg
I helped develop SPF, and created what may still be the "largest" SPF record
(eBay.com and PayPal.com). That being said, the author is mostly right. You
shouldn't reject email that fails SPF.

BUT, there is a use for SPF. You add it as a factor in your spam filter.
Deduct points for an SPF failure, or make it an aspect among many in your
filters. It's still a useful way for one org to tell another org, "here are
the IPs you should expect mail to come from".

~~~
jtmcmc
I mean that's what we developed DMARC for though.

~~~
jedberg
DMARC is a better solution for sure, but it's harder to implement and not as
many receivers support it.

------
mehrdadn
Weirdly enough, I've had this problem with DMARC, not SPF. It occurs on a very
small fraction of emails from more "sensitive" domains, like a fraction of
emails from one or two banks.

In particular, Gmail _completely silently_ drops emails forwarded by hosts
that aren't explicitly authorized by the sender's DMARC policy, which sucks
because it means I can't forward such emails from my _own_ addresses on other
domains to my _own_ Gmail account. I understand this is because the sender's
DMARC policy says that the receiver should hard-reject any mail delivered by
unauthorized middlemen, which seems naively short-sighted given that anyone
can deliver email, and DKIM already lets the receiver verify the authenticity.
(Is this even compliant behavior?)

Does anyone have a reasonable workaround for forwarding to Gmail in such
cases?

~~~
nothrabannosir
I’m afraid I don’t. This was in fact why I stopped hosting a mail server for
friends, way back when. I realised that if most of them put their gmail
address in ~/.forward, any spam they received on their account on my domain,
gmail would count towards my domain / ip instead of the original sender. This
is a fundamental flaw with current email implementations; there is no
equivalent to something like the “trusted downstream proxies” list.[1]

I always wondered why gmail wouldn’t have a (per account) setting to say: “I
am forwarding mail from this host / domain / address”, with corresponding
trust of Received: headers chain. If I could then add a header in forwarded
mails requiring that to be set, somehow, then we could avoid this SPF / DMARC
problem entirely. The fundamentals are there (received: headers and DKIM). All
we need is some last mile config :(

But it would promote decentralisation, so I’m not holding my breath.

[1] random search result of such an implementation:
https://github.com/tornadoweb/tornado/pull/1864/files

~~~
cm2187
But why do email forwarding? If it is a custom domain, why not simply use
gmail as your MX entries?

~~~
mehrdadn
Confused, how does that work? How would Gmail know which mailbox to put an
email it gets for an address in a different domain?

~~~
cm2187
Gmail, like pretty much every other provider, offers to manage custom domains.
You point your MX entries to them, you set up the mailboxes and aliases on the
Google side, and you have emails in yourdomain.com running using Gmail
behind the scenes. Just google "gmail custom domain".

~~~
mehrdadn
Oh, so you mean GSuite, not Gmail. That severely restricts your freedom with
the mailboxes and addresses you can have on your own domain.

~~~
judge2020
The e-mail routing in GSuite is very customizable; the only downside to using
GSuite (basic) is that it'll put you down $5 a month, and if you use email
aliases you can only send from those aliases via gmail.com (or a mail client
that supports them).

------
zlynx
I've been using SPF in my SpamAssassin rules for over 10 years now and it has
only ever been a good thing.

    score SPF_FAIL 0 0.919 0 0.919

~~~
n3storm
That is not exactly how SPF was meant to be used. If it fails, the email should
be rejected, not scored. Disclaimer: I do the same as you.

~~~
nailer
So the developer of SPF (see jedberg above) says it should be used as a
ranking factor, but SPF itself says it should be rejected?

Maybe the issue with SPF is in the messaging around it?

~~~
LambdaComplex
I think that would depend on whether the SPF record indicated soft-fail or
hard-fail, no?

------
RobertRoberts
Without SPF records, automated email notices from my sites to any system like
Gmail, Hotmail, Office, Yahoo, etc... were rejected.

I don't care if it doesn't work; if 90% of everyday emails are getting
rejected without SPF, then I set up SPF.

Edit: For serious email delivery these days DKIM is required...

------
INTPenis
I manage some pretty big spam filters for national regions and hospitals and
we need SPF to ward off potential phishing attacks claiming to be from our own
domain.

At the same time I do agree with the author that SPF might be harmful for the
rest of the internet by vouching for e-mail from a certain sender, but if
you're relying solely on SPF then you've misconfigured.

------
flurdy
The Problems the article lists are correct still today. SPF should not be used
to single-handedly decide whether to reject mail.

The Alternatives the article lists reflect the date (2005). Domain Keys and
Cisco's alternative merged to become DKIM. DMARC came later.

Today I would suggest that most people still use SPF, but with ? or ~
(tilde) (Neutral or Softfail), and never - (Fail). So it becomes part of the
spam scoring and not the decider, as there are too many false positives with
SPF, as highlighted in the article.

Combine it with DKIM and at least initially a reporting only DMARC and you are
on your way to a good set up.

SRS turned out to be a disaster. Idea good, implementation with spam bad.

~~~
nasredin
I would suggest using the "-" ("reject").

Life is too short to waste it on spam.

If you can't set up proper SPF/DMARC/DKIM then don't email me at all.

~~~
flurdy
No, that is the point, and mentioned in the article.

"-" (Reject/Hard Fail) for SPF is broken and should be avoided. SPF only
considers the sender and not the transport and recipient. It does not consider
recipients' forwarding alias rules, backup MXs, multi-relay domain setups,
etc., i.e. normal email infrastructure and usage patterns.

I have a subset of users that use Gmail as their client; SPF with "-" from a
random valid sender would not allow me to redirect those emails to Google's
servers.

Also many aliases on my domains forward to other addresses not hosted by
my servers (subsidiaries, personal accounts, mailing lists, etc.); SPF with "-"
will force the end SMTP server to block those emails, as it is doubtful your SPF
listing has listed my SMTP servers.

And if a recipient domain has a more complex SMTP setup with multiple SMTP
servers acting as incoming, outgoing, bastions, backups, webmail, sharded
storage, etc., then any redirecting between them would again break with a strict
SPF.

As said before, use DKIM and DMARC, but make sure SPF is set to not Fail as it
is broken. Use greylisting, SpamAssassin, etc. to score spam to avoid false
positives that are not obviously rubbish enough to reject on envelope details
alone.

Fastmail has very good default recommendations:
https://www.fastmail.com/help/technical/senderauthentication.html

My own Postfix docs' DKIM section:
http://flurdy.com/docs/postfix/#ext_dkim
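
As an added illustration (example code, not from the thread or from SpamAssassin or any SPF library) of flurdy's advice about the `?`, `~` and `-` qualifiers, of the forwarding cases described above, and of zlynx's approach of scoring SPF_FAIL instead of rejecting, here is a small Python SPF evaluator. The domains, IP addresses and records are constructed; only the `ip4` and `all` mechanisms are implemented; and the 0.5 softfail weight is an assumed value (the 0.919 fail weight is the one in zlynx's SpamAssassin line). It runs the same message twice, once from the sender's own MTA and once relayed by a forwarder that kept the original envelope-from, and shows how the qualifier on `all` alone decides whether the forwarded copy is rejected, scored, or ignored.

```python
import ipaddress

# Constructed SPF records keyed by envelope-from domain; they stand in for the
# DNS TXT lookups a real checker would make. 192.0.2.10 is the sender's own MTA.
SPF_RECORDS = {
    "hardfail.example": "v=spf1 ip4:192.0.2.10 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.10 ~all",
    "neutral.example":  "v=spf1 ip4:192.0.2.10 ?all",
}

SENDER_MTA = "192.0.2.10"      # listed in every record above
FORWARDER_MTA = "203.0.113.5"  # a recipient-side forwarder, listed in none

# Qualifier prefix -> result name (RFC 7208 section 4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Score weights: 0.919 for fail is the SpamAssassin value quoted in the thread,
# the softfail weight is an assumed value for this example.
SCORES = {"fail": 0.919, "softfail": 0.5, "neutral": 0.0, "pass": 0.0, "none": 0.0}


def parse_record(record):
    """Split a 'v=spf1 ...' string into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def check_host(client_ip, domain):
    """Evaluate `domain`'s SPF policy for an SMTP connection from `client_ip`.

    Only `ip4` and `all` are implemented; that is enough to show how the
    qualifier on `all` decides what an unlisted host gets.
    """
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mechanism, argument in parse_record(record):
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism == "ip4" and ip.version == 4:
            if ip in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no `all` (RFC 7208 section 4.7)


def disposition(result, reject_on_fail):
    """Receiver-side decision: hard reject on 'fail', or only add to the spam score."""
    if reject_on_fail and result == "fail":
        return ("reject", SCORES[result])
    return ("accept", SCORES[result])


def compare_delivery_paths(domain, reject_on_fail=True):
    """Same message, two paths: direct from the sender's MTA, or relayed by a
    forwarder that keeps the original envelope-from (no SRS rewriting)."""
    direct = check_host(SENDER_MTA, domain)
    forwarded = check_host(FORWARDER_MTA, domain)
    return {
        "direct": (direct,) + disposition(direct, reject_on_fail),
        "forwarded": (forwarded,) + disposition(forwarded, reject_on_fail),
    }


if __name__ == "__main__":
    for domain in SPF_RECORDS:
        print(domain, compare_delivery_paths(domain))
```

With `-all` the forwarded copy is a hard `fail` and a rejecting receiver drops it; with `~all` the same copy is a `softfail` that only moves the score; with `?all` it is `neutral` and contributes nothing. Passing `reject_on_fail=False` shows the scoring-only posture, where even `-all` just adds 0.919 to the message's score.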

------
oelmekki
Just to be clear, if we don't implement SPF on our domain names, our mails
will be rejected by gmail, right?

If that's so, this is purely a theoretical discussion (which has its own
merits, of course).

~~~
ceejayoz
I don't believe Gmail rejects automatically for missing SPF records. It may be
a significant hit to the spam score, but it's still technically optional.

~~~
CodeWriter23
My experience is anything less than SPF, DKIM and DMARC results in Gmail
silently dropping messages. Also, HTML mail with inline images similarly
causes Gmail to drop.

And forget about sending from a DO Droplet due to poor IP reputation. A friend
of mine at an ISP confirmed their third party SPAM scoring provider (like
Symantec/ Brightworks) gives them a list of IPs to block at the edge, which
includes large swaths of DO’s IP blocks. Not sure what the story is for other
low-end VPS providers like Linode, etc.

Testing deliverability has become completely absurd. Every ISP and ESP has a
completely different method for mail rejection. And thanks to outsourcing
options for SPAM scoring, it is subject to change at a moment's notice.

This is a glaring omission in all Net Neutrality discussions I've seen: the
ability to simply communicate an order acknowledgement to a customer. Even
outsourcing to Mailgun, SendGrid or the like is no silver bullet for this
issue; you'll still have interruptions in delivery because every day some
spammer gets through their checks and trashes that shared IP you're sending
from. And probably you're having unnoticed delivery failures because someone
else reported it / got it fixed. Renting a dedicated IP isn't really a
solution because you have to send from IPv4 to reach the guy who is still
doing email @hisdomain.com and doesn't even know IPv6 is a thing. And IPv4
addresses are in short supply.

------
badrabbit
This is a ridiculous article. First off, most orgs have an outbound mail
provider that supports SPF. Second, SPF can be set up to softfail (mail gets
delivered anyway).

I have used spf many times to distinguish forged phishing email vs phishing
email originating from a compromised account.

SPF is like most security solutions: its purpose is to reduce risk, not
eliminate it. If you really want to go down the rabbit hole of eliminating
risk, your first step should be to not use email at all.

------
janci
It's SRS that is broken, not SPF.

