Sender authentication part 7: Shortcomings of SPF

SPF is a method of authenticating the envelope sender's domain with the IP that transmitted the message to the receiving mail server.  It is quite useful for preventing spoofing but it has its shortcomings:

1. SPF adoption has been slow.

As I alluded to in my previous post, not all domains have published SPF records.  In fact, only a minority have done so.  It's only effective when it's taken advantage of so slow adoption will diminish its usefulness.  Of course, if you don't lock the door of your car and somebody breaks into it, your probably should have locked your door.

2. Legitimate mail can have SPF Hard Fails.

Even though SPF fails are designed (in theory) to hit spammers that are spoofing legitimate domains, we routinely see legitimate mail failing SPF checks.  There are two common occurrences for these; the first is somebody logging in from a remote site and sending mail while attaching their email address as the envelope sender.  Because this remote site has an IP that is not authorized to send mail for the domain, SPF checks fail.  This generates a false positive.  I find it difficult to classify this as a legitimate false positive because it is SPF working as intended, on the other hand, it happens often enough that auto-quarantining messages that fail the SPF check probably is not your best course of action.

The second example is newsletters.  Many organizations outsource their mail campaigns to third party services.  These services send out mass mail to the organization's subscribers and attach their name as the envelope sender.  Of course, these organzations publish SPF records and when the mail servers do the check, the SPF check fails.  Again, this is SPF working as intended.  They could fix this by adding the third party mailer's IP to their SPF records.  The drawback would be that the third-party mailer could conceivably use this to send out spam.

3. Spammers can publish SPF records, too.

This one is especially evil.  Imagine is a spammer registers the domain and publishes its SPF records.  It then transmits emails from that domain which pass the SPF check.  This could really fool end users because the domain looks real enough and the sender is not being spoofed.  Of course, the sender is actually hostile, and openly so.

On the other hand, if a spammer were to do this, we in the spam fighting world could fall back onto one of our older tricks.  We could simply add the domain to a blacklist and reject all mail from that domain.  We could drop the mail after the HELO and SPF check.  So, while a spammer could get mail through, their window of opportunity would be narrow because eventually that domain would get blacklisted.