My friend Al Iverson just wrote a new blog post.[1]
One of the things that he said struck a chord with me: “‘But SPF is worthless,’ occasionally a spam fighter will cry.” It struck a chord because SPF was never really intended to fight spam, per se. While it perhaps has some utility to receivers in helping to stem the tide of spam, that’s not SPF’s intention at all. In fact, if you have a look at the original versions of the Introduction page of the OpenSPF website, you’ll see this quote: “The Sender Policy Framework (SPF) is a technical method to prevent sender address forgery.”[2]
Now, if you do much reading at all, you’ll usually see SPF mentioned as an anti-spam method. But it’s not so much an anti-spam method as an anti-forgery method that can be useful in detecting the types of unauthorized mail that are often “spammy.” And it’s worth noting that at its beginning (predating even the OpenSPF website), The Register reporter John Leyden noted that spammers had fully embraced the SPF standard, and that more spam was being sent authenticated by SPF than SPF was being used to authenticate actual good mail.[3]
Fortunately, despite several blog posts and much ranting by various hotheads that SPF is harmful and doesn’t solve the spam problem, the standard stuck around. It’s true that SPF doesn’t solve the spam problem, but that’s because that’s not what it’s intended to do. The same thing is true of DKIM and the more recent DMARC. None of these things are intended to solve the spam problem. They’re intended to allow one domain to assist another domain in determining the legitimacy of an email that has been received. In other words, they’re intended to provide a method to prove the authenticity of an email. To the extent that this is useful in fighting spam, that’s a good thing, but these authentication methods are not intended for that purpose.
Occasionally, we will see something drafted into service to help in a cause that it wasn’t intended to handle. When it works out to our advantage, that’s a good thing. But, we still shouldn’t be surprised that it’s not perfect.
Footnotes
1. Al Iverson, SPF Still Matters in 2016, Spam Resource (Mar. 7, 2016), https://www.spamresource.com/2016/03/spf-still-matters-in-2016_7.html (last visited Mar 7, 2016).
2. Julian Mehnle, SPF: Introduction, OpenSPF (2010), https://web.archive.org/web/20160308025314/http://www.openspf.org/Introduction (last visited Mar 8, 2016).
3. John Leyden, Spammers Embrace Email Authentication, The Register (2004), https://www.theregister.com/2004/09/03/email_authentication_spam/ (last visited Sep 3, 2016).
About the Author
Mickey is a Consultant & Attorney with over 28 years of experience in Email Deliverability & Privacy Law. He has a strong background in email authentication infrastructure (SPF, DKIM, DMARC), ISP and mailbox provider relations, anti-spam policy and compliance, CAN-SPAM and state anti-spam law gained through overseeing the Abuse & Compliance team at Salesforce Marketing Cloud, originating the ISP relations role at Informz (now part of Higher Logic), and working in the fight against spam since 1997. He holds a B.A. in Government, a B.S. in Computer Information Systems, and a J.D. from the University of Houston Law Center. He is a certified CIPP/US professional and a certified CIPM professional.


