Sender Policy Framework: Encyclopedia II - Sender Policy Framework - Benefits
Sender Policy Framework - Benefits
Normal SMTP allows any computer to send e-mail claiming to be from anyone. Thus, it's easy for spammers to send e-mail from forged addresses. This makes it much more difficult to trace back to where the spam truly comes from, and easy for spammers to appear to be senders the receiver would ordinarily trust. Many believe that the ability for anyone to forge "From" addresses is a security flaw in SMTP, and SPF is one of a variety of new methods being proposed that restrict this ability.
SPF allows the owner of an Internet domain to use special Domain Name System (DNS) records to specify which machines are authorized to transmit e-mail for that domain. For example, the owner of the example.org domain can designate which machines are authorized to send e-mail whose e-mail address ends with "@example.org". Receivers that implement SPF then treat as suspect any e-mail that claims to come from that domain but fails to come from locations that domain authorizes.
SPF protects the use of the 'reverse-path', or the address that the mail claims to come from at the SMTP level; the address to which bounces would be sent if the mail is not delivered. It does not have any relation to the visible "From:" header of the e-mail, which can still be forged when SPF is used. Other schemes attempt to prevent forgery of the visible headers.
SPF makes it more difficult for spammers to send spam, because if they simply forge a reverse-path from a domain that implements SPF with a record containing "-all", receivers that implement SPF will know to ignore the message. SPF only keeps spammers from forging the domain names given in the reverse-paths of an e-mail. If a spammer legitimately has an account in that domain, or owns the domain, they can still send e-mail; however, doing so makes the spam much easier to trace and prosecute, because they must reveal more about their location. It also makes it easier for service providers to drop support. The disclosure of the spammer's true domains makes it much easier to automatically "blacklist" domains that send spam. Spammers can also use computer attacks (such as viruses) to force authorized computers to send e-mail, or use computer attacks against Internet infrastructure (such as corrupting DNS or attacking BGP to subvert entire address blocks) to take control over others' networks. However, such actions are illegal in most countries and are more likely to initiate serious government investigation, and the legal penalties for performing such attacks are often more severe than those for spamming alone.
Another benefit of SPF is to people whose e-mail addresses are being forged as reverse-paths. People with these forged addresses typically receive a large mass of error messages (bounces), making it more difficult to use e-mail normally. If such people use SPF to specify their legitimate senders, the number of error messages may be reduced because receivers implementing SPF will know that the message is forged. Note that SPF has advantages beyond helping identify unwanted e-mail. In particular, if a sender provides SPF information, and the receiver uses it, the receiver has some justification in believing that the e-mail at least came from the domain that it asserts it came from.
If a domain adopts SPF with a record containing "-all", the domain thereby prevents anyone with an address in that domain from sending mail through forwarding schemes that don't change the reverse-path to suit SPF's requirements. Some believe that this breakage of SMTP will pressure these systems to be "upgraded" to meet the new requirements: until they are, SPF may cause valid mail to be rejected if a receiver implementing SPF has failed to account for (and whitelist if needed) all the forwarding aliases they have set up.
Adapted from the Wikipedia article "Benefits", under the GNU Free Documentation License. Please also see http://en.wikipedia.org/wiki