Chit Chat Public: Talk about anything you want! This forum is public.
#1
What is the story on DNS SPF Records?
Was looking at a couple of domains at dnsreport.com today and noticed highlighting because of a missing SPF record that is supposed to be in place by October 1, 2004.
Apparently SPF = Sender Policy Framework. It's a DNS record to allow SMTP receivers to verify envelope sender address, and can distinguish legitimate mail from spam before any message data is transmitted. There was a link to http://spf.pobox.com/index.html
How serious is this requirement?
- EDIT: couldn't find any RFC related to it.
Last edited by dpyers : 08-01-2004 at 01:15 PM.
#2
It's not built into H-Sphere yet. I had talked to Matt about it a few times, but have not found an easy way for us to be able to add it.
SPF on Oct 1st will just check to see if the domain is coming from its "real" mail server, the one that matches the MX record, and if not you can pass it on to something like SA or another spam filter. It will be a long time before mail servers stop dropping mail because the SPF record is not there. But once everyone does get it added to their DNS servers it should cut down on a LOT of spam. I would love to add it now so we are ready but have to find the right way to do it in H-Sphere. I wish we could make it an option at least. There has been a post on psoft's forum for some time about this already.
__________________
Brad Pugh http://www.vortechhosting.com ------ Local System/Network Monitor http://nagios.hsphere.cc/ Login:guest Pass:guest XML FEED http://nagios.hsphere.cc/feed.xml ------ My Other Life:
#3
Quote:
#4
It's not a requirement yet for all DNS zones to have this info. I hope they will be able to make it a requirement within the next 12 to 24 months. It would stop a LOT of spam going around, that's for sure..
Think of it as Caller-ID. I think Microsoft wants to change its name from SPF to Sender-ID.. LoL. I just read that MS will be setting up MS and Hotmail to use SPF here in the next 30 to 60 days as well.
__________________
Brad Pugh http://www.vortechhosting.com ------ Local System/Network Monitor http://nagios.hsphere.cc/ Login:guest Pass:guest XML FEED http://nagios.hsphere.cc/feed.xml ------ My Other Life:
#5
I imagine the decision to block or pass it along to an RBL check will be up to the web host. Is there any info around indicating that MS will pass incoming Hotmail that fails the SPF test to the spam checker?
Brad, do you foresee any problems for domains on shared IPs using localhost for SMTP?
#6
Quote:
A: At first they will not block based on SPF but use it to lighten the load on their spam software; if it passes the SPF check it is most likely not spam.
Quote:
A: Not at first, but once everyone supports SPF it will be best to use the mail server your MX is pointed to for any mail sent. E.g. you are on NT30 and you use aspemail or PHP to send an email. If it's sent from NT30 and your MX is mail5.yourdomain.com, SPF could think it's spam since it did not come from the domain's mail server. At some point, if SPF takes off, sendmail on everyone's web servers and SMTP on Windows servers will kind of become useless, if I understand how SPF works in the end. To fix that everyone will have to use their "own" mail server to send their mail. If your domain is joe.com and MX is mail5.hsphere.cc, when someone fills out a form on joe.com it will have to send that mail using mail5.hsphere.cc. Not hard to fix in most cases..
__________________
Brad Pugh http://www.vortechhosting.com ------ Local System/Network Monitor http://nagios.hsphere.cc/ Login:guest Pass:guest XML FEED http://nagios.hsphere.cc/feed.xml ------ My Other Life:
#7
So let me get this straight... I'll have to be sure to use my own SMTP server for outbound (mail.whatever.com) even though ISPs all across America are bound & determined to turn off SMTP traffic across their networks...
Anyone see a problem here?
#8
Actually, no.
SPF allows you to specify whatever you want, so you can add your ISP to your SPF record. Kinda defeats the purpose though. Use port 2525 to be sure no one spoofs your domain.
http://spf.pobox.com/wizard.html
#9
I had actually replied somewhat tongue-in-cheek about the irony of the work being done to seemingly formalize the use of one's own smtp servers for outbound mail while ISPs are working to restrict smtp traffic... an environment that really is only a problem for folks like us hosting somewhere other than on our own network (corporate or otherwise).
It'd be cooler if the SPF records could be used to specify other networks or subnets that were authorized to access your smtp server for message origination so the ISPs would have something to reference from their filter/firewall systems to distinguish between me trying to send business correspondence and my neighbor's kid sending spam about his tgp site.
It won't matter though because ISPs have more pressure to eliminate smtp traffic completely to avoid having folks set up their own smtp servers locally as well as cut down on virus/trojan apps with built-in mail engines. Not to mention it's a heck of a lot easier to filter an entire protocol than it is to mess with application-level filters.
Yay for technology, but I guess I don't really see the point.
#10
Yeah, SPF will help prevent spoofing, but it won't solve the spam problem. Spam is spam; with $6 domains, you can set up a wide open SPF record. Of course, then you can blacklist domains, but they change so fast and are so easy to get as it is now, it won't make much of a difference.
#11
Isn't Verisign also looking to upgrade their DNS update schedule later this year from every 12 hours to every few seconds?
#12
Question... my local ISP's SMTP server allows relaying, as long as I authenticate with my account's login & password. So I use Eudora to send email from a number of domains, all with mail.myisp.com as the SMTP server. Convenient and fast.
If I understand correctly, SPF will no longer allow this sort of thing?
#13
Antic: That sure was the impression I was getting.
Of course there's the small matter of implementing a brand new extension to DNS (traditionally slow to happen, if it doesn't die in committee) not to mention getting all the ISPs to adopt the new technology. You're looking at years before implementation (can anyone say IPv6?)
Cheers!
Edit: If I could spell, I'd be dangerous.
#14
Quote:
Per Verisign: "On September 8, 2004."
http://www.verisign.com/products-ser...ge_005514.html
#15
Quote:
The way I read it is if you set up your SPF record to include "mail.myisp.com" as an authorized server then you are still golden. Do I have that right?
__________________
Beacon
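The question running through the last few posts, as an added example that is not part of the original thread: an SPF check is evaluated against the policy published in the sending domain's TXT record, so an ISP relay or a web server passes only if that policy lists it. The evaluator below handles only the `all`, `ip4`, `a` and `mx` mechanisms over a constructed in-memory DNS table; joe.com, mail5.hsphere.cc and mail.myisp.com are the names used in the posts, while the IP addresses and the web-server address are made up for illustration.

```python
import ipaddress

# Constructed DNS data (documentation-range addresses, not real records).
# Host names come from the thread; every IP here is an assumption.
DNS = {
    "A": {"mail5.hsphere.cc": ["192.0.2.25"], "mail.myisp.com": ["198.51.100.10"]},
    "MX": {"joe.com": ["mail5.hsphere.cc"]},
}
WEB_SERVER_IP = "203.0.113.80"  # hypothetical shared web host running a form script
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, domain, client_ip):
    """Evaluate a subset of SPF (all, ip4, a, mx) left to right; first match wins."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = client_ip in DNS["A"].get(arg or domain, [])
        elif name == "mx":
            hosts = DNS["MX"].get(arg or domain, [])
            matched = any(client_ip in DNS["A"].get(h, []) for h in hosts)
        else:
            return "permerror"  # include, redirect, etc. are outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

MX_ONLY = "v=spf1 mx -all"
WITH_ISP = "v=spf1 mx a:mail.myisp.com ip4:203.0.113.80 -all"

def demo():
    """Check the MX host, the ISP relay and the web server under both policies."""
    senders = {"mx": "192.0.2.25", "isp": "198.51.100.10", "web": WEB_SERVER_IP}
    return {policy: {who: check_spf(rec, "joe.com", ip) for who, ip in senders.items()}
            for policy, rec in (("mx_only", MX_ONLY), ("with_isp", WITH_ISP))}

if __name__ == "__main__":
    for policy, results in demo().items():
        print(policy, results)
```

With the MX-only policy the ISP relay and the web server both fail; once the record lists them, all three senders pass.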