I’ve seen recent mentions in a few places on the ‘net[1] that SPF (Sender Policy Framework) as an anti-spam measure has failed because more Spam companies have correct SPF details than non-spammers. I feel that for exactly the same reasons, SPF is working, and working well.

Ignoring the merits of SPF (for the moment), the concept is simple: for any given email that arrives at an SMTP server, can the From: be trusted? The whole system works because although it’s trivial to forge the From: line, it’s much harder to fake DNS entries (not impossible, but it requires work and illegal impersonation of the owner), so DNS is used to list all of the machines in the world that can legitimately send email with a From: line containing that domain.

Ok, so we can see if the alleged sender is valid, but the content is still open to any sort of ‘abuse’, and this is where the claims of failure have arisen. SPF was never intended to stop rubbish content, but it does empower recipients to make much more qualified guesses in their Spam filters. Take hotmail.com domains: all of the email that I have received from hotmail.com addresses for the last 6 months has been spam. Shall I add hotmail.com to my list of banned domains? No. I have people in my address book that do use hotmail.com, and I certainly don’t want to blacklist them, or delay messages from any other legitimate user. What I can say for sure is that every single one of those emails did not originate from a hotmail.com server. If hotmail.com had SPF in place now (they are currently working on it) then I could have accurately scored those incoming mails via SpamAssassin as being forged.

Ok, so that much is obvious, but how can a larger user base of Spammers be a good thing for SPF? Simple: if all of my junk mail were (overnight) to be sent from emails that aren’t forged, it would take me just a few days to remove virtually all of the rubbish from plain view. I could mark down entire domains, or mark those that appear to be spammer friendly, and have less impact than ever on correct email, all without the hassle of needing to whitelist individuals.
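The two scoring cases described above (a forged sender failing SPF, and a genuine sender from a domain the recipient has marked down) can be sketched as follows. This is an added example, not code from the original post or from SpamAssassin: the SPF records, the marked-down list and the score weights are constructed, and the evaluator handles only the `ip4`, `ip6` and `all` mechanisms.

```python
import ipaddress

# Constructed sample data: published SPF TXT records (documentation IP ranges).
SPF_RECORDS = {
    "mail.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MARKED_DOWN = {"bulk.example"}  # hypothetical: domains this recipient marks down

def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Return the SPF result for client_ip sending as domain (ip4/ip6/all only)."""
    terms = records.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "permerror"  # a, mx, include, etc. are outside this sketch
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

def score(domain, client_ip, marked_down=MARKED_DOWN):
    """Return (spf_result, spam_score); the weights are illustrative assumptions."""
    result = check_spf(domain, client_ip)
    if result == "fail":
        return result, 5.0  # forged: the host is not listed by the domain
    if result == "pass" and domain in marked_down:
        return result, 4.0  # genuine sender, but the whole domain is marked down
    if result == "pass":
        return result, 0.0  # genuine sender, no penalty and no whitelist needed
    return result, 1.0      # softfail/neutral/none: no strong signal either way

if __name__ == "__main__":
    for dom, ip in [("mail.example", "192.0.2.25"), ("mail.example", "203.0.113.9"),
                    ("bulk.example", "198.51.100.7")]:
        print(dom, ip, score(dom, ip))
```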

Think about it – if normal (snail) mail arrived with all marketing (from companies you have never bought from) in a red envelope, how much time would it take to ignore it? That’s what SPF is all about.

[1] http://www.infoworld.com/article/04/08/31/HNspammerstudy_1.html
http://www.ciphertrust.com/spf_stats
http://www.boston.com/business/technology/articles/2004/09/04/popular_spam_fighters_effectiveness_questioned/
http://www.theregister.co.uk/2004/09/03/email_authentication_spam/