On Tue, 2010-02-23 at 18:33 -0800, Marc Perkel wrote:
>
> Jeff Koch wrote:
> >
> > In an effort to reduce spam further we tried implementing SPF
> > enforcement. Within three days we turned it off. What we found was that:
> >
> > - domain owners are allowing SPF records to be added to their zone
> > files without understanding the implications or that are just not correct
> > - domain owners and their employees regularly send email from
> > mailservers that violate their SPF.
> > - our customers were unable to receive email from important business
> > contacts
> > - our customers were unable to understand why we would be enforcing a
> > system that prevented
> > them from getting important email.
> > - our customers couldn't understand what SPF does.
> > - our customers could not explain SPF to their business contacts who
> > would have had to contact their IT people to correct the SPF records.
> >
> > Our assessment is that SPF is a good idea but pretty much unworkable
> > for an ISP/host without a major education program which we neither
> > have the time or money to do. Since we like our customers and they pay
> > the bills it is now a dead issue.
> >
> > Any other experiences? I love to hear.
> >
> > Best Regards,
> >
> > Jeff Koch, Intersessions
> >
>
> I agree. I've been in the spam filtering business for many years and
> have yet to find any use for SPF at all. It's disturbing this useless
> technology is getting the false positive support we are seeing.
>

Marc,

This is just to repeat the cliche. SPF was not designed to help *you* in *spam filtering*. This was designed to help legitimate senders send mails.
However, as much as you, unreasonably, dislike it... SPF adoption is on the rise. Two years ago most banks in India had no SPF records. Today almost every bank here publishes an SPF record. And that helps.

For example, I use SPF checks to whitelist all local banks' mail. Conversely, I have a custom rule that says if the header-from contains $popularbank.com and mail did not SPF pass add a score of 3.0. Phishers can use whatever envelope from they want. But if they put the bank's domain in the header-from the mail will be caught as spam. I know there are ways to get around this rule too but in practical life this has been really effective against phishing.

IMHO most of the anti-SPF bandwagon is more due to ego issues than technical.

Thanks
Ram
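
The two rules described in the reply above (whitelist SPF-passing bank mail, add 3.0 when the header-from names the bank without an SPF pass), sketched as an added example that is not part of the original thread or any poster's actual configuration. The domain `popularbank.example`, the whitelist score and the sample messages are assumptions constructed for illustration, and the code assumes the receiving MTA prepends its own `Received-SPF` header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: placeholder bank domain, a constructed whitelist score, and a
# receiving MTA that prepends its own Received-SPF header (RFC 7208), so only
# the top-most one is read.
BANK_DOMAINS = ("popularbank.example",)
PENALTY = 3.0            # score given in the post
WHITELIST_BONUS = -5.0   # assumed value; the post gives none

def _domain(address):
    """Lower-cased domain part of a bare or display-name address."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def _is_bank(domain):
    return any(domain == d or domain.endswith("." + d) for d in BANK_DOMAINS)

def spf_verdict(msg):
    """Return (result, envelope_domain) from the top-most Received-SPF header."""
    header = str(msg.get("Received-SPF", ""))
    words = header.split(None, 1)
    result = words[0].lower() if words else "none"
    match = re.search(r'envelope-from="?<?([^";>\s]+)', header)
    return result, (_domain(match.group(1)) if match else "")

def score_adjustment(raw_message):
    """Apply both rules from the post to one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    result, envelope_domain = spf_verdict(msg)
    if result == "pass" and _is_bank(envelope_domain):
        return WHITELIST_BONUS          # SPF-authenticated bank mail
    if _is_bank(_domain(str(msg.get("From", "")))) and result != "pass":
        return PENALTY                  # bank in From: but no SPF pass
    return 0.0

# Constructed sample messages (not real mail).
LEGIT = ('Received-SPF: pass (mx.example: sender permitted) client-ip=192.0.2.10; '
         'envelope-from="alerts@popularbank.example"\n'
         'From: Popular Bank <alerts@popularbank.example>\nSubject: Statement\n\nbody\n')
SPOOF = ('Received-SPF: softfail (mx.example: not designated) client-ip=203.0.113.7; '
         'envelope-from="bounce@mailer.example"\n'
         'From: Popular Bank <alerts@popularbank.example>\nSubject: Verify\n\nbody\n')
OTHER = 'From: Friend <friend@example.org>\nSubject: Lunch\n\nbody\n'

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoof", SPOOF), ("other", OTHER)):
        print(name, score_adjustment(raw))
```

A message with no `Received-SPF` header at all is treated as result `none`, so bank-branded mail that was never SPF-checked also receives the penalty.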