SPF Records

Barron · 2005-03-31, 12:23 PM

I guess I'm not keeping up like I should, I had to go learn about this.

Are any of the webhosts/sysadmins doing this? Are the SPF records a must have?

My BIND is not setup with SPF. I'd rather not spend all day updating if I dont need to.

Any thoughts on rather this should be done and is it really worth the trouble?

-

cd34 · 2005-03-31, 12:52 PM

I've run it for a while, but, I haven't really seen much of a benefit yet. I tagged all of my domains that would never send mail to fail any SPF request, and have tagged my main email domains with the proper headers. Remember, SPF protects the envelope, not the From:

http://spf.pobox.com/

As for your BIND not set up with SPF, its the matter of inserting a TXT record in each domain with the SPF line for your site.

For inbound, we have tested it and it has caught quite a few forged mails, so, it is gaining popularity. The problem that we ran into was that sometimes, PayPal and EBay's SPF records tend to time out -- presumably due to the includes. It was nice having the email tagged with SPF Fail messages which were pretty simple to filter out.

SenderID is a PRA (Purported Response Address) based system that verifies the validity of the message From: line. There is a link on the SPF site to talk more about that.

Between the two, phishing would be next to impossible.

The idea behind SPF is that you don't need it, but, if you have it, or SPFv2, then you are less likely to be the victim of a spam using your return address. Its going to require a critical mass to become much more useful, but, if everyone waits for the other guys to implement, it'll never reach critical mass.

Barron · 2005-03-31, 03:04 PM

Thanks!

2005-03-31, 12:23 PM	#1
Barron You tried your best and you failed miserably. The lesson is 'never try' Join Date: Oct 2004 Posts: 166	SPF Records I guess I'm not keeping up like I should, I had to go learn about this. Are any of the webhosts/sysadmins doing this? Are the SPF records a must have? My BIND is not setup with SPF. I'd rather not spend all day updating if I dont need to. Any thoughts on rather this should be done and is it really worth the trouble? -

2005-03-31, 12:52 PM	#2
cd34 a.k.a. Sparky Join Date: Sep 2004 Location: West Palm Beach, FL, USA Posts: 2,396	I've run it for a while, but, I haven't really seen much of a benefit yet. I tagged all of my domains that would never send mail to fail any SPF request, and have tagged my main email domains with the proper headers. Remember, SPF protects the envelope, not the From: http://spf.pobox.com/ As for your BIND not set up with SPF, its the matter of inserting a TXT record in each domain with the SPF line for your site. For inbound, we have tested it and it has caught quite a few forged mails, so, it is gaining popularity. The problem that we ran into was that sometimes, PayPal and EBay's SPF records tend to time out -- presumably due to the includes. It was nice having the email tagged with SPF Fail messages which were pretty simple to filter out. SenderID is a PRA (Purported Response Address) based system that verifies the validity of the message From: line. There is a link on the SPF site to talk more about that. Between the two, phishing would be next to impossible. The idea behind SPF is that you don't need it, but, if you have it, or SPFv2, then you are less likely to be the victim of a spam using your return address. Its going to require a critical mass to become much more useful, but, if everyone waits for the other guys to implement, it'll never reach critical mass. __________________ SnapReplay.com a different way to share photos - iPhone & Android

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread:

2005-03-31, 03:04 PM	#3
Barron You tried your best and you failed miserably. The lesson is 'never try' Join Date: Oct 2004 Posts: 166	Thanks!