My friend Al Iverson just wrote a new blog post: “SPF Still Matters in 2016”.
One of the things that he said struck a chord with me: “‘But SPF is worthless,’ occasionally a spam fighter will cry.” It struck a chord with me because SPF wasn’t ever really intended to fight spam, per se. While there is perhaps some utility of it to receivers in helping to stem the tide of spam, that’s not SPF’s intention at all. In fact, if you have a look at the original versions of the Introduction page of the OpenSPF website, you’ll see this quote: “The Sender Policy Framework (SPF) is a technical method to prevent sender address forgery.”
Now, if you do much reading at all, you’ll usually see SPF mentioned as an anti-spam method. But, it’s not that so much because it’s an anti-spam method, but instead it’s an anti-forgery method that can be useful in detecting the types of unauthorized mail that are often “spammy.” And, it’s worth noting that at its beginning, (predating even the OpenSPF website), The Register reporter John Leyden noted that spammers had fully embraced the SPF standard and more spam was being sent that was authenticated by SPF than it was being used to authenticate actual good mail.
Fortunately, despite several blog posts and much ranting that SPF is harmful and doesn’t solve the spam problem by various hot heads, the standard stuck around. It’s true that SPF doesn’t solve the spam problem, but that’s because that’s not what it’s intended to do. The same thing is true of DKIM, and the more recent DMARC. None of these things are intended to solve the spam problem. They’re intended to allow one domain to assist another domain in determining the legitimacy of an email that has been received, in other words, they’re intended to provide a method to prove the authenticity of an email. To the extent that this is useful in fighting spam, that’s a good thing, but these authentication methods are not intended for that purpose.
Occasionally, we will see something drafted into service to help in a cause that it wasn’t intended to handle. When it works out to our advantage, that’s a good thing. But, we still shouldn’t be surprised that it’s not perfect.