Article:   Handicapping New DNS Extensions and Applications
Subject:   SPF is broken
Date:   2007-01-12 15:16:47
From:   elanthis
There's a perfectly good reason to not use SPF. It breaks many, many valid mail setups. For example, any system that does any kind of mail forwarding.


Email is not a direct communication link. Email does not go directly from the sender's SMTP agent to the receiver's SMTP agent. It can, and often does, go through quite a few intermediary hosts. Some of those are internal network hosts which should be exempt from SPF, and some of those could be general "wild 'net" hosts... which also need to be exempt from SPF. Except there's no way to do that last bit.


DomainKeys avoids that problem. DomainKeys was designed with a little bit of a clue as to how the Internet and email/SMTP works. With DomainKeys, it doesn't matter which hosts a message goes through, as it doesn't try to do hostname/IP address validations like SPF. Instead, all it does is guarantee that the message has the correct authorization for the From: address domain.


There are issues with DomainKeys with any service that _alters_ mail, such as many mailing lists, that will cause false negatives like SPF. These, at least, have a possible means of being fixed (most mail list software needs only a slight config tweak to make work with DomainKeys) unlike SPF's issues.


When it comes to mail, guys, you can't just evaluate it from a "good DNS usage" standpoint. Mail also uses SMTP. From an SMTP standpoint, SPF is horrendously broken.
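The forwarding failure the post describes, as an added illustration that is not part of the original thread: a receiver evaluating SPF only sees the IP of the host that connects to it, so a message relayed through a third-party forwarder is checked against the forwarder's address, not the original sender's. The SPF record, domain names and IP addresses below are constructed for the example; the evaluator handles only the `ip4`, `ip6` and `all` mechanisms.

```python
import ipaddress

# Constructed SPF record for illustration; not any real domain's record.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
}


def evaluate_spf(domain, client_ip, records=SPF_RECORDS):
    """Minimal SPF check supporting ip4/ip6 terms and the 'all' terminator.
    Returns one of: pass, fail, softfail, neutral, none."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"  # an unprefixed mechanism means 'pass' if it matches
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return qualifiers[qualifier]
        mechanism, _, value = term.partition(":")
        # Version-mismatched comparisons (v4 address vs v6 network) are False.
        if mechanism in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return qualifiers[qualifier]
    return "neutral"  # no mechanism matched and no 'all' terminator


def deliver(path, envelope_from):
    """Simulate a message travelling through the hops in `path`; the final
    receiver checks the last hop's IP against the envelope-from domain."""
    domain = envelope_from.split("@", 1)[1]
    connecting_ip = path[-1]  # SPF only ever sees the host that connects to us
    return evaluate_spf(domain, connecting_ip)


# Constructed hops: the sender's MTA sits in 192.0.2.0/24; the forwarder at
# 198.51.100.7 re-sends the message unchanged, keeping the original sender.
DIRECT = ["192.0.2.25"]
FORWARDED = ["192.0.2.25", "198.51.100.7"]

if __name__ == "__main__":
    print(deliver(DIRECT, "alice@example.com"))     # pass
    print(deliver(FORWARDED, "alice@example.com"))  # fail
```

The same envelope sender passes when delivered directly and hard-fails after one hop through a host outside the domain's record, which is the false negative the post complains about.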


  • SPF is broken
    2007-05-27 23:23:43  ale2006

    I cannot figure out what's a "wild 'net" host. Therefore it is absolutely not clear to me why it should be exempt from SPF.

    SMTP provided a Return-Path for bounces assuming users to be polite enough to set it to the real address of the sender. Since spammers are not polite, SPF corrects just that. What's broken?