On 9 Jul 2012, at 11:20, Curtis Maurand wrote:
This has probably been asked in the past, but is it worth it to go through the contortions to set up SPF?
On the sending side, the simple answer is "YES!"
There is a more complex and nuanced answer. There's a significant amount
of misunderstanding about the benefits SPF actually will yield (not
much, for most sending domains) and about the "contortions" required for
it (again: for most domains a pragmatic SPF setup is trivial.) If you
expect accurate SPF to make everyone always accept your valid mail, you
will be disappointed. If you expect to be able to safely use a "-all"
tail on a record for a domain that is used on legit mail, you stand a
strong chance of disappointment.
As for checking SPF on inbound mail, it has very narrow but potentially
highly valuable uses. The original vision for SPF was that it would make
SMTP envelope forgery more detectable, which is true for domains with
SPF records but unfortunately SPF has a high potential for improperly
identifying forgery. In addition, over the decade+ since SPF got started
a significant subset of spammers have adopted practices that don't
require envelope forgery. Where SPF checking can be useful is for use
with specific domains that are heavily targeted by "phishing" mail, such
as financial service providers and government agencies. This can require
some "contortions" to deploy but if you already have flexible filtering
in place such as SpamAssassin it can be rather simple. If your users get
legit mail from phish-targeted domains you can get positive results by
using SPF to "whitelist" the real stuff while generally treating mail
claiming to be from those domains as suspect. For example, I managed
filtering for a mail system where legit *@citigroup.com email was
business critical but phishers were (at the time) throwing so much
Citi-like junk at us that our adaptive filters would have persistently
scored the legit mail as spam absent the SPF whitelisting. There is also
a niche use of a pure "-all" SPF record that is a declaration that a
domain is never used to send mail, but its value is minimal.
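The points above (a pragmatic sender record, the difference between a "~all" and a "-all" tail, the "never sends mail" null record, and whitelisting legit mail from phish-targeted domains on the receiving side) can be seen in a small SPF evaluator. This is an added illustration, not code from the list message or from any SPF implementation; the domains, addresses and the `FAKE_DNS` table standing in for real DNS lookups are all constructed, and it supports only the `ip4`, `a`, `include` and `all` mechanisms.

```python
"""Minimal SPF evaluator (a subset of RFC 7208) with a receiving-side policy.

Added example: constructed data only. FAKE_DNS replaces real DNS lookups so
the script runs offline; the domains are hypothetical.
"""
import ipaddress

# Constructed DNS data (hypothetical domains standing in for real ones).
FAKE_DNS = {
    # pragmatic sender record: own netblock plus an outsourced mailer
    "bank.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 include:mailer.example -all", "A": []},
    "mailer.example": {"TXT": "v=spf1 ip4:203.0.113.10 a -all", "A": ["203.0.113.11"]},
    # soft tail: unlisted sources get "softfail", a hint rather than a verdict
    "newsletter.example": {"TXT": "v=spf1 ip4:192.0.2.0/24 ~all", "A": []},
    # the niche "this domain never sends mail" declaration
    "parked.example": {"TXT": "v=spf1 -all", "A": []},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Return the SPF TXT record for a domain, or None (simulated DNS)."""
    rec = FAKE_DNS.get(domain)
    return rec["TXT"] if rec else None


def check_spf(ip, domain, depth=0):
    """Evaluate sender IP against the domain's record.

    Returns pass/fail/softfail/neutral/none/permerror.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms to 10
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no record: SPF says nothing about this sender
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            target = arg or domain
            matched = str(addr) in FAKE_DNS.get(target, {}).get("A", [])
        elif name == "include":
            # include matches only when the referenced record yields "pass"
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unsupported mechanism in this subset
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term present


# Domains whose legit mail we must keep but which are heavily impersonated.
PHISH_TARGETED = {"bank.example"}


def filter_decision(ip, envelope_from_domain):
    """Receiving-side policy from the message: for phish-targeted domains an
    SPF pass whitelists the mail and anything else claiming that domain is
    suspect; elsewhere SPF only feeds the scoring."""
    result = check_spf(ip, envelope_from_domain)
    if envelope_from_domain in PHISH_TARGETED:
        return "whitelist" if result == "pass" else "suspect"
    return {"fail": "reject-candidate", "softfail": "score"}.get(result, "neutral")


if __name__ == "__main__":
    for ip, dom in [("198.51.100.7", "bank.example"), ("203.0.113.11", "bank.example"),
                    ("192.0.2.5", "bank.example"), ("10.0.0.1", "newsletter.example"),
                    ("10.0.0.1", "parked.example"), ("10.0.0.1", "nospf.example")]:
        print(f"{ip:>14} as {dom:<20} spf={check_spf(ip, dom):<8} "
              f"policy={filter_decision(ip, dom)}")
```

The whitelist branch is what `whitelist_from_spf` (in SpamAssassin 3.x; `welcomelist_from_spf` in 4.x) does in a real deployment: the entry only takes effect when the SPF check passes, so a forged `bank.example` sender gains nothing from it. The `parked.example` case shows the pure "-all" record: every sender fails, which is the declaration that the domain never sends mail.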