Thursday, 30 June 2005

How not to use SPF

One of my clients is a big fan of hosted services. They use a hosted wiki, a hosted WebDAV service, hosted email (with IMAP and POP access), and a hosted anti-spam service.

It's the combination of the email and anti-spam services that's caused them some problems recently. Mail from some senders started bouncing. Looking at the headers revealed that someone was rejecting mail because of a "hard" SPF failure. It wasn't immediately clear who was rejecting it, however.

It turned out that the hosted email service had turned on aggressive SPF filtering, so that any message causing a hardfail would be rejected. The sender had specified "-all" in their SPF record, which means, "Hardfail any message which isn't being sent from our servers." Because the mail reached the email service by way of the anti-spam service, the connecting IP was the forwarder's rather than one of the sender's authorised servers, so the check hardfailed.

Lessons learned:
  1. If you use a hosted anti-spam service, don't implement SPF on your email system
  2. If you run a hosted anti-spam service or forward mail for some other reason, consider supporting SRS, which rewrites the envelope sender so that SPF is checked against the forwarding host's domain
  3. If you publish SPF records, be cautious about using "-all" at this early stage
  4. If you filter using SPF records, rejecting simply because of an SPF hardfail is aggressive
  5. If you reject in whole or in part because of SPF, say why in the text of the error message. Include a link like this
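The failure mode and the SRS fix described above, as an added example that is not part of the original post: a minimal SPF evaluator (ip4 mechanisms and the "all" directive only), an SRS0-style rewrite, and the receiving host's reject-on-hardfail policy. The domains, addresses, SPF records and help URL are constructed for the example.

```python
import hashlib, hmac, ipaddress

# Constructed records for the post's scenario (assumed example domains):
# the sender publishes "-all"; the hosted anti-spam service relays from 198.51.100.5.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.10 -all",
    "antispam.example": "v=spf1 ip4:198.51.100.5 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(envelope_from: str, connecting_ip: str) -> str:
    """Minimal SPF evaluator: ip4 mechanisms and the 'all' directive only."""
    record = SPF_RECORDS.get(envelope_from.rsplit("@", 1)[1])
    if record is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism.startswith("ip4:"):
            if ip in ipaddress.ip_network(mechanism[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
    return "neutral"

def srs_rewrite(envelope_from: str, forwarder: str, secret: bytes, ts: str = "TT") -> str:
    """SRS0-style rewrite: the original sender moves into the local part and the
    envelope domain becomes the forwarder's (simplified timestamp and hash)."""
    local, _, domain = envelope_from.partition("@")
    mac = hmac.new(secret, f"{ts}{domain}{local}".encode(), hashlib.sha1).hexdigest()[:4]
    return f"SRS0={mac}={ts}={domain}={local}@{forwarder}"

def final_hop_decision(envelope_from: str, connecting_ip: str) -> tuple:
    """The aggressive policy from the post: reject on hardfail, accept otherwise."""
    result = check_spf(envelope_from, connecting_ip)
    if result == "fail":
        # Lesson 5: the rejection text says why and where to read more (placeholder URL).
        return result, f"550 SPF hardfail for {envelope_from}; see https://spf-help.invalid/"
    return result, "250 OK"

if __name__ == "__main__":
    original = "alice@sender.example"
    print(final_hop_decision(original, "192.0.2.10"))    # direct from sender: pass
    print(final_hop_decision(original, "198.51.100.5"))  # relayed unchanged: fail
    print(final_hop_decision(srs_rewrite(original, "antispam.example", b"key"), "198.51.100.5"))
```

The third call shows why lesson 2 helps: once the forwarder rewrites the envelope sender, the receiving host evaluates the forwarder's own SPF record, which authorises the relaying IP.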
