SPF Sender Policy Framework

Sylvain Viart
Added about 4 years ago

Using SPF to trust your email partners.

What is SPF (Sender Policy Framework)

Originally, the Sender Policy Framework (SPF) was designed to avoid sender address spoofing.
The SMTP protocol do not enforce any check on the address that is provided by the sender, allowing anyone to forge and fake it easily. This becomes a huge problem as there is no basic way to clearly identify the real origin of a message. Spammers and phishers massively use this weakness to bypass most basic filters and fool end users.
The idea behind SPF is to provide a mechanism that allows administrators of a domain to specify which servers are allowed to send mail from their domain. With this information being public, any recipient server may check if the messages has been issued by a valid server or not and then refuses spoofed sender address.

Technical implementation

As the list of authorized servers must be publicly and quickly available, the Domain Name System (DNS) protocol is a convenient path for this information. The SPF record is implemented through a TXT record of the domain’s DNS. Using a specific syntax, the list of allowed host can be quite easily published. More information on the technical implementation of SPF record can be found on this page: http://www.openspf.org

How is SPF used by MailCleaner

The basic idea of SPF is great, but unfortunately using this process to filter out spam isn’t that much efficient as long as the vast majority of domains do not have a SPF record. As of today, it appears that no more than 40% of the widely used domain names actually have a valid SPF record. This is still far from the point where it could be used more generally. Also many domains still has wrong record that may cause some delivery problems. Despite the fact the some major e-mail providers are strongly encouraging people to use SPF, the efficiency of it for spam filtering is still not as important as it could (and may probably never be).

In addition to blocking invalid message (which MailCleaner still can do), MailCleaner uses this record to validate good senders and then allow the messages to go through the filter without further checks. This provides a very convenient and easy way to make sure that a valid message from a specific domain, will never get blocked by MailCleaner. In order to avoid spammers to abuse this and create fake domains with valid SPF records, or abuse domains with invalid SPF record, MailCleaner publish a DNS list of all known good domains which have valid SPF definition. All messages from a domain included in this list and issued from a good server will avoid any potential false positive and will be delivered unblocked to the user. This list is populated from all the customers reports and automatically includes their domains as long as they have a valid SPF record. Other domains get through a validation process before being accepted to this list. As more as trusted domains this list contains, and as few potential false positives will happen.

I’m a domain administrator or a MailCleaner customer. What should I do ?

Basically nothing as to be done in order to take advantage of the SPF usage of MailCleaner. It is enabled by default on every MailCleaner.

As a domain administrator, if your domain already has a SPF record, then you could send us a request (to spf@mailcleaner.net) in order to have your domain examined and included in the trusted list. Doing that will ensure that none of your user’s message will ever be blocked by the MailCleaner anti-spam filter. If your domain don’t have a SPF record yet, it is strongly advised you consider adding one. This is an easy and quick operation. The gain will not only be available for MailCleaner, but also for most major e-mail system around the world. Don’t forget to send us a request for inclusion in our trusted list (to spf@mailcleaner.net). You can check you domain SPF record status on this page: SPF Test Tool

As a MailCleaner customer, if you get any false positive, the usual Filter Adjustment Request is the best way to report us the issue. If the domain has a valid SPF record, it will be added to the trusted list and blocking should not appear any more. If you know the domain don’t have any SPF record, you may try to take contact with the sender of the message, or the administrators of the domain and point them to this page: SPF Test Tool