SPF and Sender ID won’t help fighting email abuse

Email abuse – spam and phishing – is a big problem. There are different methods of fighting those. SPF and Sender ID propose standard of authenticating emails using DNS records: owners of certain email domain will publish information about legitimate email servers for that domain, and recipients (that support SPF/Sender ID) will check that information and mark/reject emails that come from wrong source. For example, if IP address of email server that sends emails for example.com is 10.0.0.25, then there will be the following record in the example.com DNS zone:

example.com.    IN    TXT “v=spf1 ip4:10.0.0.25 -all”

The recipient will check if an email that claims being sent by someone@example.com has originated from 10.0.0.25, and will reject if it hasn’t. That is overly simplified overview, but gives an idea.

Sender ID will fail. There are several reasons for that:


  • It is not clear what is real difference between SPF and Sender ID. Both claim they implement RFC 4406, an experimental Internet standard for email authentication, and its sister RFCs. However, the SPF supporters are trying to distance themselves from Sender ID (read: Microsoft) – without much success (see for yourself), and resulting in added confusion;
  • We cannot detect if certian recipient supports Sender ID or not. Because of that, there is no credible measure of Sender ID adoption or efficiency, which results in a worse case of catch 22: people are waiting on other people to adopt the standard, yet they don’t know how’s that going;
  • Spammers don’t need to spoof source email address. That may add credibility but ultimately spam relies on the “From:” field and recklessness of the users.
There will be more issues – from operational (“Why some of my
emails aregetting lost?”) to conceptual: what is the right way to align
identity with IP address and DNS space? In some ways, DNS is better
than PKI, and definitely can help a lot. For example,(I’d love to see
public keys published in DNS, for example. But SPF and Sender ID attack
the problem of email abuse from a wrong angle. Meanwhile, my desktop
spam filter – SpamBayes – is so accurate that I don’t need and assistance from SPF. I think I know what’s the answer to spam issues.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>