SPF record

Faehl, Chris cfaehl at rightnow.com
Mon Nov 3 23:32:54 UTC 2008


I believe this topic is rapidly in danger of becoming off-topic - but SPF and DomainKeys/DKIM both indeed do say that "spammer is authorized to spam from that domain" - at which point, reputation services can be employed to (more) accurately characterize the types of email being delivered from that domain. Both email authentication technologies have their best effect against (as mentioned many times now) forged email, and won't do much to stem spam "legitimately" originating from the big free email providers.

Adoption rate of both SPF and DomainKeys/DKIM is not encouraging; from an internal survey of 10,615 unique domains of email received in one day, I derived the following information:
- 2803 (26%) domains had SPF records
- 114 (1%) had SenderId records
- 207 (2%) had DomainKeys/DKIM policy records - policy records for DKIM are still nascent, so the actual adoption of DomainKeys/DKIM is likely higher. I did not survey actual DKIM-signed email.

Of those domains that at least attempt sending email authentication as above, the actual adoption rate of "hard fail" policies for both SPF and DomainKeys/DKIM was poor. Even yahoo.com publishes a DomainKeys policy record of "testing" (t=y) and "advisory or passive fail" (o=~). 

Chris Faehl

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf Of Res
Sent: Monday, November 03, 2008 4:08 PM
To: Byung-Hee HWANG
Cc: bind-users at isc.org
Subject: Re: SPF record

On Tue, 4 Nov 2008, Byung-Hee HWANG wrote:

> Yep, I agree with spam reduction. However, I was telling you the method
> has a risk. You guys need to consider again why the SPF [RFC4408]
> remained as Experimental RFC instead of Standards Track at IETF.

Yes, we know it's experimental at this stage, but the fact it works well
for 99% of ISPs and companies means it is more than worth the risk.
>
>>> Recently I'm going with DKIM [RFC4871] as an alternative technique to
>>> reduce spam and phishing. DKIM is more reasonable, smooth, exact than
>>
>> DKIM is a joke, is it yahoo or gmail or maybe both? Use that, and look
>> at all the spam that comes from them.
>
> Well, I believe that over the long term, DKIM will win. It means that
> people adopt reasonable things, at last ;;

How can it win? All it does is confirm the spammer is authorised to spam
from that domain :).. Just look at the mess google is responsible for, but
as I said, each to our own.


-- 
Res

If you are not part of the solution, then you are part of the problem!
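
Added example (not part of the original messages, and not the code used for the survey above): a Python classifier that sorts TXT records of the kinds counted in the survey by policy strictness, separating SPF hard fail (-all) from soft fail and neutral, and reading the DomainKeys t= and o= tags mentioned for yahoo.com. The record strings and .example names are constructed, the function names are hypothetical, and no DNS lookups are made.

```python
from collections import Counter

# Constructed sample TXT data (placeholder names, not the survey's data).
SAMPLE_TXT = {
    "a.example": ["v=spf1 mx ip4:192.0.2.0/24 -all"],
    "b.example": ["v=spf1 include:_spf.b.example ~all"],
    "c.example": ["v=spf1 a mx ?all", "spf2.0/pra mx -all"],
    "d.example": ["v=spf1 redirect=_spf.d.example"],
    "_domainkey.e.example": ["t=y; o=~;"],
    "_domainkey.f.example": ["o=-; r=postmaster@f.example"],
    "g.example": ["some-unrelated-txt=constructed"],
}
QUALIFIERS = {"+": "pass", "-": "hard fail", "~": "soft fail", "?": "neutral"}

def classify_spf(txt):
    """Policy implied by an SPF record's 'all' term (RFC 4408); None if not SPF."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return None
    for term in terms[1:]:
        if term.lstrip("+-~?") == "all" and len(term) <= 4:
            return QUALIFIERS.get(term[0], "pass")  # bare "all" means "+all"
    if any(t.startswith("redirect=") for t in terms[1:]):
        return "redirect"  # the policy lives in another record
    return "neutral"  # no 'all' and no redirect: the default result is Neutral

def classify_domainkeys(txt):
    """Read the t= and o= tags of a DomainKeys policy record (RFC 4870)."""
    tags = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
    if tags.get("t") == "y":
        return "testing"  # receivers should not treat failures as enforced
    return "all mail signed" if tags.get("o", "~") == "-" else "some mail signed"

def survey(records):
    """Tally (technology, policy) pairs across a name -> [TXT strings] mapping."""
    tally = Counter()
    for name, txts in records.items():
        for txt in txts:
            if name.startswith("_domainkey."):
                tally["DomainKeys", classify_domainkeys(txt)] += 1
            elif txt.lower().startswith("spf2.0/"):
                tally["SenderID", "present"] += 1
            elif (policy := classify_spf(txt)) is not None:
                tally["SPF", policy] += 1
    return tally

if __name__ == "__main__":
    for (tech, policy), n in sorted(survey(SAMPLE_TXT).items()):
        print(f"{tech:10} {policy:16} {n}")
```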


