SPF and Sender ID won’t help fighting email abuse

Email abuse – spam and phishing – is a big problem. There are different methods of fighting those. SPF and Sender ID
propose standard of authenticating emails using DNS records: owners of
certain email domain will publish information about legitimate email
servers for that domain, and recipients (that support SPF/Sender ID)
will check that information and mark/reject emails that come from wrong
source. For example, if IP address of email server that sends emails
for example.com is 10.0.0.25, then there will be the following record
in the example.com DNS zone:

example.com.    IN    TXT “v=spf1 ip4:10.0.0.25 -all”

The
recipient will check if an email that claims being sent by
someone@example.com has originated from 10.0.0.25, and will reject if it
hasn’t. That is overly simplified overview, but gives an idea.

Sender ID will fail. There are several reasons for that:

  • It is not clear what is real difference between SPF and Sender ID. Both claim they implement RFC 4406,
    an experimental Internet standard for email authentication, and its
    sister RFCs. However, the SPF supporters are trying to distance
    themselves from Sender ID (read: Microsoft) – without much success (see for yourself), and resulting in added confusion;
  • We
    cannot detect if certian recipient supports Sender ID or not. Because
    of that, there is no credible measure of Sender ID adoption or
    efficiency, which results in a worse case of catch 22: people are
    waiting on other people to adopt the standard, yet they don’t know
    how’s that going;
  • Spammers don’t need to spoof source email address. That may add credibility but ultimately spam relies on the “From:” field and recklessness of the users.

There will be more issues – from operational (“Why some of my
emails aregetting lost?”) to conceptual: what is the right way to align
identity with IP address and DNS space? In some ways, DNS is better
than PKI, and definitely can help a lot. For example,(I’d love to see
public keys published in DNS, for example. But SPF and Sender ID attack
the problem of email abuse from a wrong angle. Meanwhile, my desktop
spam filter – SpamBayes – is so accurate that I don’t need and assistance from SPF. I think I know what’s the answer to spam issues.

Leave a Reply

Your email address will not be published. Required fields are marked *


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>