
Article:
  SPF Not Poisonous to Phish
Subject:   Ignorance
Date:   2004-09-29 08:06:21
From:   elanthis
This isn't news.


If someone implements SPF and didn't understand this, they are fools. SPF doesn't advertise itself as a phishing deterrent. It doesn't advertise itself as a spam deterrent. It's a joe-job deterrent. *THAT's IT*


You can, however, combine SPF with other techniques, such as Sender ID, to get protection from phishing.


Given the failure of Sender ID due to Microsoft's patent stupidity, the SPF creator (Meng Weng Wong) is working on an updated SPF draft (Combined SPF, I believe he called it) which *will* handle phishing.


Namely, the new standard can (optionally) protect any of the envelope sender, the HELO/EHLO SMTP line, the From line, the Sender line, and additionally integrate with DomainKeys and other encryption based systems.


The idea is basically to use the existing SPF syntax, maintaining compatibility with SPFv1 (SPF Classic) and allowing companies that publish SPF records to just add notes to protect additional parts of the e-mail message.


For example, if you publish DomainKeys information, your SPF record could specify that the SPF checks require the DomainKey check to succeed; otherwise, the SPF check fails.


Now, if you want to stop spam, guess what - SPF doesn't do anything. Neither does Sender ID. Neither does DomainKeys. In fact, *absolutely no* protocol-level scheme can possibly stop spam, because what is spam and what is ham is entirely something that depends on the user. Only the user knows who are good senders and who are bad, and what sorts of message bodies are ham and which are spam.


However, SPF can be *combined* with other techniques to make effective anti-spam technologies. Namely, blacklisting and greylisting.


Say you have a list of registered spammers. We have those now. They don't do any good, however, because spammers spoof domains and use zombie PCs to send their adverts. How does SPF help? It forces the spammers to use their own systems. They can't spoof domains because SPF blocks that. They can't use zombified PCs because they aren't allowed to send e-mail for the domain. The spammers are forced to use their own domain, and forced to use their own mail servers.


Sure, the spammers will register SPF records. *That's even better!* Why? Because now you know for 100% that the e-mail you just got is from the spammer. Compare the various HELO/EHLO, envelope, sender, and from addresses with your blacklist. If it's a spammer, reject it.


SPFv1 on its own is just a mechanism to protect the envelope sender. SPF Combined is a backwards compatible mechanism to protect some or all of the sender addresses on an e-mail. SPF Combined + real-time block lists and white-listing provides protection against phishing, spamming, and so on.


SPF is only a single part of the puzzle. You can't rely on just a drive shaft to move you around, you have to have the whole car. But you need that drive shaft to make the car work.
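The combination the comment describes (an SPFv1 check on the envelope sender, then a blacklist lookup that becomes reliable precisely because the sender could not spoof the domain) can be shown in a few dozen lines. The following is an added example written for this page, not code from the commenter or from any SPF implementation: it evaluates a deliberately minimal subset of SPFv1 (`ip4:` mechanisms and the `all` qualifiers) against constructed records that stand in for DNS TXT lookups, using hypothetical `.example` domains and RFC 5737 documentation addresses, and then applies the accept/reject policy from the post.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (hypothetical domains).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",        # strict: only this netblock
    "spammer.example": "v=spf1 ip4:198.51.100.0/24 -all",  # a spammer who did publish SPF
    "legacy.example": "v=spf1 ip4:203.0.113.5 ~all",       # softfail for everything else
}

# Constructed blacklist of known spam-sending domains (assumption: a local list or RBL feed).
BLACKLIST = {"spammer.example"}

# SPFv1 qualifier -> result name for a matching mechanism.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Minimal SPFv1 evaluation: ip4 mechanisms plus 'all'.

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record).
    Real SPF also handles a, mx, include, redirect, macros and DNS lookup limits;
    those are omitted here on purpose.
    """
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # implicit qualifier is '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == 4 and ip in net:
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                         # record exhausted without a match


def decide(envelope_sender, client_ip):
    """Policy from the post: reject spoofed senders, and reject *authenticated*
    senders whose domain is blacklisted; everything else goes to content filtering."""
    domain = envelope_sender.rpartition("@")[2].lower()
    result = check_spf(domain, client_ip)
    if result == "fail":
        return ("reject", "spf-fail")              # domain forbids this sending host
    if result == "pass" and domain in BLACKLIST:
        return ("reject", "blacklisted-sender")    # SPF proved it really is the spammer
    if result == "pass":
        return ("accept", "spf-pass")
    return ("accept", "spf-" + result)             # none/neutral/softfail: no verdict here


if __name__ == "__main__":
    for sender, ip in [
        ("alerts@bank.example", "192.0.2.10"),      # legitimate host
        ("alerts@bank.example", "198.51.100.7"),    # phish: bank address from spammer's host
        ("ads@spammer.example", "198.51.100.7"),    # spammer using their own domain
        ("user@legacy.example", "10.0.0.1"),        # softfail: leave to the content filter
    ]:
        print(sender, ip, decide(sender, ip))
```

The same `check_spf` call can be applied to the HELO/EHLO hostname as a second identity; the point of the example is the second branch of `decide`: a blacklist only becomes trustworthy once SPF has removed the spoofing option, which is the argument the comment makes.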