The other day, someone forged my e-mail address and sent mail to a bunch of other people. (It happens every day.) This time, it hit a network that checked my domain’s SPF records and realized that the message came from an unauthorized server. Then it “helpfully” sent me a message delivery failure notice. I’m sorry someone sent unwanted mail, but we both know that it wasn’t me. What possible use is there in sending me the bounce message? (If you absolutely must send the bounce message, why not take a trick from the spammer, virus, and worm playbook and choose someone else on the Internet randomly? You have a non-zero chance of finding someone who cares about that message — but I don’t.)
Why haven’t all mail server administrators passed the One Question Certifcation Test for E-mail Filter Authors yet?
I think the SPF docs even say this
If you find something delivered from a domain that doesn't pass the SPF check, DROP THE MESSAGE. It's obviously forged, and you don't have any hope of telling anyone about it.
faked bounce messages.
I've been getting a lot of faked bounce messages.
They typically read something like "click here to read the content of your original message" or "read the attached original message".
Well...
Wait until you get a bounce message for something that you actually were trying to send and ask me that again. I've received more useful, genuine bounce messages than annoying, bogus ones.
Well...
You've received legitimate bounce messages for messages you sent that failed the SPF test? I find that hard to believe.
I have secure SMTP running on my server, so I can always send mail through it, no matter where I am. (Okay, if I'm somewhere that blocks outbound mail, I can usually tunnel in to the server anyway.)
I never send mail through another server and my SPF record says that. If a message claiming to be from me fails the SPF test, what possible use is it to bounce the message to me?
"real" SPF bounces
I was actually pleased that I got a bounce message citing an SPF failure... since it alerted me to the fact that the person I was mailing was actually forwarding my mail elsewhere and his forwarding host was not rewriting the headers. At least this way I found out that the mail wasn't reaching him.
SPF really doesn't seem to be solving a real problem at this point. :-/
Suppose you FORGET one day and send mail "from" your own e-mail address, but through an outbound mailserver that is not listed in the SPF for that e-mail address. I feel that the destination mailserver should just refuse the message, not send "back" a bounce message. (Too many destination mailservers don't work that way, but it gets difficult in large ISPs where the inbound server is a farm and re-sends the mail several times in order to sort it.) If the destination mailserver refuses the message, then the problem message stays in the outbound mailserver. But then the outbound mailserver feels obliged to tell you that your mesage was refused -- which it can only do by sending it "back" to "you". It seems like there is no way out -- if the destination mailserver doesn't send a bounce to "you", then the outbound server will send a failure notice to "you" anyway. If either mailserver burns the mail because it assumes you are a spoof, then you'll never know what you did. To fix this problem, what would have to happen is this: when your e-mail client contacts an outbound mailserver, the outbound mailserver has to check the sender's SPF _before_ it accepts the message! If the SPF test fails, then the outbound mailserver can refuse the message so that it will STAY IN THE CLIENT SOFTWARE. (Some outbound solutions are multi-hop before leaving the buuilding; that's okay, the SPF check could be done in the first stage.)
Great idea, Whiner. I would like to see such a thing.