My friend Al Iverson just wrote a new blog post.[1]
One of the things that he said struck a chord with me: “‘But SPF is worthless,’ occasionally a spam fighter will cry.” It struck a chord with me because SPF wasn’t ever really intended to fight spam, per se. While it perhaps has some utility to receivers in helping to stem the tide of spam, that’s not SPF’s intention at all. In fact, if you have a look at the original versions of the Introduction page of the OpenSPF website, you’ll see this quote: “The Sender Policy Framework (SPF) is a technical method to prevent sender address forgery.”[2]
Now, if you do much reading at all, you’ll usually see SPF mentioned as an anti-spam method. But that’s not so much because it is an anti-spam method; rather, it’s an anti-forgery method that can be useful in detecting the types of unauthorized mail that are often “spammy.” It’s also worth noting that in SPF’s early days (predating even the OpenSPF website), The Register reporter John Leyden noted that spammers had fully embraced the SPF standard, and that more spam was being authenticated by SPF than actual good mail.[3]
Fortunately, despite several blog posts and much ranting by various hotheads that SPF is harmful and doesn’t solve the spam problem, the standard stuck around. It’s true that SPF doesn’t solve the spam problem, but that’s because that’s not what it’s intended to do. The same thing is true of DKIM, and the more recent DMARC. None of these things are intended to solve the spam problem. They’re intended to allow one domain to assist another domain in determining the legitimacy of an email that has been received; in other words, they’re intended to provide a method to prove the authenticity of an email. To the extent that this is useful in fighting spam, that’s a good thing, but these authentication methods are not intended for that purpose.
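The difference between authenticating a sender and judging a message can be seen in a small SPF evaluation, added here as an illustration and not code from the original post or from OpenSPF. It handles only the `ip4`, `ip6` and `all` mechanisms; the domains, records and addresses are constructed, and `check_spf` is a hypothetical helper.

```python
import ipaddress

# Constructed sample records: documentation domains and address ranges only.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    # A bulk mailer that publishes a perfectly valid policy for its own hosts.
    "bulk-offers.example": "v=spf1 ip4:203.0.113.7 ip6:2001:db8::/32 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from_domain, records=SPF_RECORDS):
    """Evaluate the ip4/ip6/all subset of SPF for an envelope sender domain."""
    record = records.get(mail_from_domain)
    if record is None:
        return "none"  # the domain publishes no policy
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "permerror"  # outside the subset this sketch implements
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"
        if net.version != (4 if name == "ip4" else 6):
            return "permerror"
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


if __name__ == "__main__":
    cases = [
        ("192.0.2.25", "example.com"),           # authorized host
        ("198.51.100.9", "example.com"),         # forged sender address
        ("203.0.113.7", "bulk-offers.example"),  # bulk mailer, own domain
    ]
    for ip, domain in cases:
        print(ip, domain, check_spf(ip, domain))
```

The third case returns a pass because the domain’s owner authorized that address: SPF answers whether the host may send for the domain, not whether the message is wanted.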
Occasionally, we will see something drafted into service to help in a cause that it wasn’t intended to handle. When it works out to our advantage, that’s a good thing. But we still shouldn’t be surprised that it’s not perfect.
Footnotes
1. Al Iverson, SPF Still Matters in 2016, Spam Resource (Mar. 7, 2016), https://www.spamresource.com/2016/03/spf-still-matters-in-2016_7.html (last visited Mar 7, 2016).
2. Julian Mehnle, SPF: Introduction, OpenSPF (2010), https://web.archive.org/web/20160308025314/http://www.openspf.org/Introduction (last visited Mar 8, 2016).
3. John Leyden, Spammers Embrace Email Authentication, The Register (2004), https://www.theregister.com/2004/09/03/email_authentication_spam/ (last visited Sep 3, 2016).