On Tue, Nov 30, 2021 at 11:47:36AM -0700, Philip Prindeville wrote:
> I'm looking at the 0.001 scoring for SPF_NONE and scratching my head. This
> was discussed a bit in early 2015, but maybe it needs revisiting with new
> perspective.

SPF is a double-edged sword. Sure, it is great to authenticate envelope
senders when it works, but:

- When used in combination with mailing lists, plain message forwarding etc.,
  it will break with a false positive, marking (for example) this perfectly
  valid message of mine as a fake. See
  https://en.wikipedia.org/wiki/Sender_Policy_Framework#FAIL_and_forwarding
  This is the reason why you can only really use it for "SPF OK" validation -
  "SPF FAIL" does not really tell you anything, as it will happen as often for
  forged senders as for valid senders. This is why it will often end up as
  "?all" or "~all" and not "-all" (and/or soft DMARC policies).

- Also, the envelope sender (on which SPF operates) is something completely
  different from the header "From:", which is what the vast majority of users
  will see, so it does not provide the protection which one might expect. See
  https://en.wikipedia.org/wiki/Sender_Policy_Framework#Header_limitations
  And this makes "SPF OK" much less useful than it sounds in theory.

- Then there are misconfigurations (hitting the limit of max 10 DNS lookups,
  SPF records which were set up once but not kept up to date, etc.).

Thus, SPF is IMHO not very usable for scoring on its own, but it does have a
useful purpose for creating custom SA rules and is often very usable for
short-circuiting with whitelist_auth.

> Surely no one who cares about maintaining their reputation by protecting
> themselves against spoofing would fail to provide SPF records...

For example, I do not provide it on my few other e-mail accounts by choice
(especially most of them which deal with many mailing lists, or with users
which use non-SRS e-mail forwarding), as the mere existence of SPF there
causes much more damage than the potential help it brings.

> So how is this score arrived at?

That, I am not sure. Perhaps how well it is an indicator on the ham/spam
corpuses run to determine scores in general in SA?

> And of Ham, how much of it has a valid SPF?

For my recent hams, I get this:

    714 SPF_PASS=
    128 SPF_NONE=
     67 SPF_NEUTRAL_ALL=
      9 SPF_FAIL=
      1 SPF_SOFTFAIL=

So, about 1 message in 7 hams does not have SPF.

> And of Spam, how much of it lacks a valid SPF?

For recent spams that reach any kind of mailbox here (e.g. not hitting
very-safe RBLs, and not having very high SA scores - i.e. having at least a
minimum of potential for being misclassified as non-spam):

   2291 SPF_PASS=
    667 SPF_SOFTFAIL=
    472 SPF_NONE=
    353 SPF_FAIL=
    154 SPF_NEUTRAL_ALL=
    129 SPF_PERMERROR=
     53 SPF_NEUTRAL=
     17 SPF_TEMPERROR=

So, about 1 message in 9 spams does not have SPF.

In summary, there does not seem to be a big difference between adoption of
SPF by spammers as opposed to legitimate users.

-- 
Opinions above are GNU-copylefted.
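The tallies in the reply above are the kind of thing you get by counting SPF_* rule hits in X-Spam-Status headers per class. The script below is an added example (editor's code, not the poster's or the SpamAssassin project's): it parses constructed X-Spam-Status lines (assumed already unfolded to one line each, with the Yes/No flag taken as the class), tallies the envelope-sender SPF_* rule per message while ignoring the separate SPF_HELO_* checks, and then computes the per-class share of a rule and a smoothed log-odds ratio. The posted counts are embedded so the "1 in 7" / "1 in 9" figures can be reproduced. The log-odds helper is an illustration of whether a rule separates the classes at all; it is not how SpamAssassin derives its shipped scores (those come from the project's mass-check corpora and score generation), which the reply itself says it is unsure about.

```python
"""Tally SpamAssassin SPF_* rule hits per class from X-Spam-Status headers."""
import re
from collections import Counter
from math import log

# Constructed sample headers (not real traffic) in the shape SpamAssassin
# emits, assumed unfolded onto one line each. The last line is an unrelated
# header to show that non-status lines are skipped.
SAMPLE_HEADERS = [
    "X-Spam-Status: No, score=-1.9 required=5.0 tests=DKIM_VALID,SPF_HELO_PASS,SPF_PASS autolearn=ham",
    "X-Spam-Status: No, score=0.3 required=5.0 tests=SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE",
    "X-Spam-Status: No, score=1.1 required=5.0 tests=SPF_NEUTRAL_ALL,HTML_MESSAGE",
    "X-Spam-Status: No, score=0.8 required=5.0 tests=SPF_FAIL,MAILING_LIST_MULTI",
    "X-Spam-Status: Yes, score=8.2 required=5.0 tests=BAYES_99,SPF_PASS,URIBL_BLACK",
    "X-Spam-Status: Yes, score=6.0 required=5.0 tests=SPF_SOFTFAIL,RDNS_NONE",
    "X-Spam-Status: Yes, score=9.7 required=5.0 tests=BAYES_99,SPF_HELO_NONE,SPF_NONE",
    "X-Spam-Status: Yes, score=7.4 required=5.0 tests=SPF_PERMERROR,HTML_MESSAGE",
    "X-Spam-Status: Yes, score=5.5 required=5.0 tests=SPF_FAIL,MISSING_DATE",
    "Received: from mail.example.invalid (unknown [192.0.2.1])",
]

# The counts posted in the reply above (ham first, then spam).
POSTED_COUNTS = {
    "ham": Counter({"SPF_PASS": 714, "SPF_NONE": 128, "SPF_NEUTRAL_ALL": 67,
                    "SPF_FAIL": 9, "SPF_SOFTFAIL": 1}),
    "spam": Counter({"SPF_PASS": 2291, "SPF_SOFTFAIL": 667, "SPF_NONE": 472,
                     "SPF_FAIL": 353, "SPF_NEUTRAL_ALL": 154, "SPF_PERMERROR": 129,
                     "SPF_NEUTRAL": 53, "SPF_TEMPERROR": 17}),
}

# Yes/No verdict plus the comma-separated rule list after "tests=".
STATUS_RE = re.compile(r"^X-Spam-Status:\s*(Yes|No),.*?\btests=([A-Z0-9_,]*)")


def envelope_spf_rule(tests):
    """Return the envelope-sender SPF_* rule hit, or None.

    SPF_HELO_* rules are the HELO/EHLO identity check, a different thing from
    the MAIL FROM check the reply is discussing, so they are excluded.
    """
    hits = [t for t in tests if t.startswith("SPF_") and not t.startswith("SPF_HELO_")]
    return hits[0] if hits else None


def tally_spf(headers):
    """Count envelope SPF_* hits per class ('ham' = No, 'spam' = Yes)."""
    counts = {"ham": Counter(), "spam": Counter()}
    for line in headers:
        m = STATUS_RE.match(line)
        if not m:
            continue  # not an X-Spam-Status line, or no tests= field
        verdict, tests = m.group(1), m.group(2).split(",")
        rule = envelope_spf_rule(tests)
        if rule:
            counts["spam" if verdict == "Yes" else "ham"][rule] += 1
    return counts


def share(counter, rule):
    """Fraction of messages in one class that hit `rule` (0.0 for an empty class)."""
    total = sum(counter.values())
    return counter[rule] / total if total else 0.0


def naive_log_odds(counts, rule, k=1):
    """Smoothed log(P(rule|spam) / P(rule|ham)); near 0 means the rule does
    not separate the classes. Illustrative only: this is NOT how SpamAssassin
    assigns its shipped scores."""
    spam_total = sum(counts["spam"].values())
    ham_total = sum(counts["ham"].values())
    p_spam = (counts["spam"][rule] + k) / (spam_total + 2 * k)
    p_ham = (counts["ham"][rule] + k) / (ham_total + 2 * k)
    return log(p_spam / p_ham)


if __name__ == "__main__":
    for cls, counter in tally_spf(SAMPLE_HEADERS).items():
        print(cls, dict(counter))
    for rule in ("SPF_NONE", "SPF_PASS", "SPF_SOFTFAIL"):
        print(f"{rule}: 1 in {1 / share(POSTED_COUNTS['ham'], rule):.1f} hams, "
              f"1 in {1 / share(POSTED_COUNTS['spam'], rule):.1f} spams, "
              f"log-odds {naive_log_odds(POSTED_COUNTS, rule):+.2f}")
```

Run on the posted counts, SPF_NONE comes out at roughly 1 in 7 hams and 1 in 9 spams with a log-odds close to zero, which is the reply's point that absence of SPF barely separates the classes; SPF_SOFTFAIL, by contrast, is heavily spam-weighted in that sample, though with a single ham hit the estimate is noisy. Real X-Spam-Status headers are usually folded across lines, so unfold them (or read the rule list from the SpamAssassin log line) before feeding them in.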