[Image: poster for US Army recruitment]

Drafted For The Wrong Fight

SPF was never designed to stop spam. Neither was DKIM. Neither was DMARC. The persistent frustration that these standards fail to solve the spam problem reflects a category error, not a flaw in the standards.

Al Iverson made this point obliquely in his recent post “SPF Still Matters in 2016,” noting that spam fighters occasionally dismiss SPF as worthless.[1] The dismissal misreads what SPF was built to do. The original OpenSPF introduction is unambiguous: “The Sender Policy Framework (SPF) is a technical method to prevent sender address forgery.”[2] Anti-forgery. Not anti-spam.

The conflation has a long history. When SPF was still finding its footing, The Register reported in 2004 that spammers had already fully embraced the standard — more spam was being sent with valid SPF authentication than legitimate mail.[3] That fact was treated as a scandal. It was not. It simply confirmed that a domain authentication tool authenticates domains, including domains registered by spammers.

DKIM and DMARC operate on the same principle. All three standards serve a single purpose: to provide one domain with a method to help another domain verify whether a received message is legitimate. To the extent that filtering systems can use that information to make better spam decisions, that is a useful side effect. It is not the point.
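
To make the distinction concrete, here is a small SPF evaluator (an added example, not code from the post or from any of the standards' reference implementations). It handles the ip4, include and all mechanisms against a constructed, offline table of TXT records for hypothetical domains; both the legitimate sender and the spammer who correctly configured his own domain get "pass", because SPF answers "is this IP allowed to use this domain?", not "is this spam?".

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; all domains are hypothetical.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example -all",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    # A domain the spammer registered himself and set up correctly.
    "cheap-pills.example": "v=spf1 ip4:203.0.113.7 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """SPF result for a connecting IP that claims MAIL FROM @domain."""
    if depth > 10:  # RFC 7208 caps include: recursion at 10 lookups
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            if check_host(ip, term[8:], depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term


# Constructed envelopes: legitimate mail via the ESP, spam from the spammer's
# own domain, and the spammer forging the bank's domain.
MESSAGES = [
    {"ip": "198.51.100.20", "from_domain": "bank.example"},
    {"ip": "203.0.113.7", "from_domain": "cheap-pills.example"},
    {"ip": "203.0.113.7", "from_domain": "bank.example"},
]


def spf_verdicts(messages):
    """Authenticate each envelope; only the forgery fails, the spam still passes."""
    return [(m["from_domain"], check_host(m["ip"], m["from_domain"])) for m in messages]
```

Running spf_verdicts(MESSAGES) yields pass, pass, fail: the forged bank message is the only one SPF was designed to catch, and the filtering decision on the second message has to come from somewhere else.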

Drafting a tool into a fight it was not designed for is common enough, and sometimes it works out. What it does not produce is a perfect result, and the people surprised by that imperfection were measuring against the wrong standard all along.

Footnotes

  1. Al Iverson, SPF Still Matters in 2016, Spam Resource (Mar. 7, 2016), http://www.spamresource.com/2016/03/spf-still-matters-in-2016.html.
  2. Julian Mehnle, Introduction, OpenSPF (May 9, 2006), http://www.openspf.org/?action=browse&id=Introduction&revision=4.
  3. John Leyden, Spammers Embrace Email Authentication, The Register (Sept. 3, 2004), http://www.theregister.co.uk/2004/09/03/email_authentication_spam/.

About the Author

Mickey Chandler, Consultant & Attorney

Mickey Chandler is a Consultant & Attorney with over 28 years of experience in Email Deliverability & Privacy Law. He has a strong background in email authentication infrastructure (SPF, DKIM, DMARC), ISP and mailbox provider relations, anti-spam policy and compliance, CAN-SPAM and state anti-spam law gained through overseeing the Abuse & Compliance team at Salesforce Marketing Cloud, originating the ISP relations role at Informz (now part of Higher Logic), and working in the fight against spam since 1997. He holds a B.A. in Government, a B.S. in Computer Information Systems, and a J.D. from the University of Houston Law Center. He is a certified CIPP/US professional and a certified CIPM professional.