Jon Grant wrote:
> Could you tell me if SPF is widely adopted now?
That depends on your definition of "widely adopted". Current statistics
indicate that about 5 million domains have published SPF records, and that
about 20% of all Internet e-mail traffic is covered by SPF records.
Adoption has been steadily increasing over the past years.
> Is my understanding correct, in that if all domains had SPF records set
> in the DNS fields this would prevent fraudulent spam?
Not entirely. See the green boxes on
SPF (v1) protects only the envelope sender address, not the "From" or
"Sender" headers. The envelope sender address is not usually displayed by
mail clients; only the "From" and "Sender" headers are. So SPFv1 cannot
protect against forged sender addresses in the message header.
The envelope sender address is not used for informing the end user but only
for the purpose of transporting the message on the internet and sending
delivery error messages. Thus SPFv1 really only protects you against
wrongly addressed delivery error messages.
Microsoft's Sender ID aims to protect the sender address in the message
header, but fails to actually do so for somewhat complicated reasons. The
SPF project is planning on working on another revision of SPF, SPFv3,
starting some time next year, which will hopefully be a more intelligent
successor to SPFv1 than Sender ID is.
> But it would still mean that spammers could have accurate SPF records for
> their domains and then send spam from those domains?
Yes, by definition. This applies to _any_ domain-based sender policy
scheme, including any potential SPF successors.
> I could also see a potential problem where a spammer has a compromised
> machine on a Tiscali ADSL connection, he looks up from his list email
> domains which can send email from smtp.tiscali.co.uk and inserts
> user@tiscali.co.uk in the MAIL FROM field. Would that defeat
> protection SPF provides?
No. If the domain "tiscali.co.uk" authorizes the compromised system's IP
address to send mail using that domain, then SPF works as advertised. SPF
is not a virus scanner.
> The only solution to prevent one Tiscali connected machine sending spam
> as any Tiscali customer would be their own email server as far as I can
No domain should ever authorize an ISP's entire IP address range (dial-up
or otherwise). End-user machines are not supposed to send mail to
recipient MTAs directly. Such mail should always be channeled through an
ISP/ESP's or user's dedicated smarthost mail servers, and only those mail
servers should be listed in any domain's SPF record.
> I bet spammers will also start signing their spams now, so they get
> through any key checking as well. :(
This is totally beside the point. Signing mail with _any_ key is trivial,
and signing mail just for the sake of it is pointless.
The point is signing mail with a key that is specifically and explicitly
trusted by the receiver. If a mail arriving in my inbox hasn't been
signed by any of the keys _I_know_and_trust_, the signature is meaningless.
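The two points made above (SPFv1 checks only the MAIL FROM domain, never the "From" header, and a record should list only the domain's smarthosts rather than an ISP's whole address range), as an added example that is not part of the original message or of the SPF project's code. It evaluates a deliberately reduced subset of SPFv1 (only ip4/ip6 mechanisms and "all"; include/a/mx are left out because they need DNS) against constructed records for the hypothetical domains good.example and lax.example.

```python
import ipaddress

# Constructed sample records for two hypothetical domains (not real DNS data).
# good.example lists only its smarthost; lax.example authorizes an ISP-sized
# range, which the reply above argues no domain should ever do.
RECORDS = {
    "good.example": "v=spf1 ip4:203.0.113.25 -all",
    "lax.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

# SPF qualifier prefixes and the result each one yields when its term matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a reduced SPFv1 record (ip4/ip6 and 'all' only) for client_ip.

    Terms are tried left to right; the first matching term decides the result.
    Unknown mechanisms are skipped here; a full evaluator would resolve them.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                     # an unprefixed term means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        name, _, arg = term.partition(":")
        # 'in' is False across IP versions, so an IPv6 client never matches ip4:
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"                        # no term matched and no "all" term


def check_mail_from(mail_from, client_ip, records=RECORDS):
    """Apply SPF to the envelope sender only.

    The domain comes from the MAIL FROM address; the message's From: header is
    never consulted, which is exactly the limitation the reply describes.
    (Real SPF falls back to the HELO identity for an empty MAIL FROM; omitted.)
    """
    domain = mail_from.rpartition("@")[2].lower()
    record = records.get(domain)
    return "none" if record is None else evaluate_spf(record, client_ip)


if __name__ == "__main__":
    # A compromised end-user machine inside the ISP range (constructed address):
    print(check_mail_from("user@good.example", "198.51.100.77"))  # fail
    print(check_mail_from("user@lax.example", "198.51.100.77"))   # pass
```

A forged From: header makes no difference to either result, since only the MAIL FROM domain is looked up.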
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/