Divine Blog

SPF Policies

Posted: Apr 2008, Matt | In: Development & Hosting

We recently discovered an issue with a few of our websites that generate solicited emails. The emails were being marked as junk, yet our SMTP server wasn't on any blacklists and wasn't an open relay. After a little digging, I learned about the Sender Policy Framework (SPF).

SPF (Sender Policy Framework) is the industry's latest attempt in the fight against spam, in particular return-path address forgery. Domain owners identify authorised outbound mail servers in their DNS. When an SMTP server receives an email, it can compare the alleged origin of the email against the list of “authorised servers” defined in the domain's SPF record. This helps to distinguish authentic messages from forgeries before any message data is transmitted.

Getting back to our problem of junked messages: all the affected domains had one thing in common, namely that they had their own email hosting, remote from our servers. Having discovered SPF, it became clear what was happening to emails originating from our servers. Outbound emails sent under the guise of our clients’ domains were being junked by SPF-aware SMTP servers, because the domains in question either didn’t have an SPF record defined or their SPF record didn’t include our servers.

Having found the problem, the only solution was to move with the times and get an SPF record attached to our clients' domains. To this end, I found two invaluable tools:

http://old.openspf.org/wizard.html - An excellent SPF wizard
http://senderid.espcoalition.org/ - A simple to use testing tool

After a few hours, emails originating from our servers were being warmly welcomed by SPF-aware servers everywhere.
