SPF: Sender Policy Framework

Slides: 13
Provided by: julian97

Transcript and Presenter's Notes

1
SPF: Sender Policy Framework
  • Deployment Progress and Guidance

2
What was this SPF thing again? (i)
  • SPF is path authentication: it ties the sender's
    domain to the transport path.
  • "Who is giving me this message, and are they
    really who they say they are?"
  • It's not payload authentication: "Who wrote
    this message, and are they really who they say
    they are?"

3
What was this SPF thing again? (ii)
4
What was this SPF thing again? (iii)
  • SPF can prevent...
  • HELO forgery: no misleading information in trace
    headers and log files
  • MAIL FROM forgery: no misdirected bounces (to a
    degree), make virms' lives harder, basis for
    domain reputation
  • Plus, Sender-ID can also prevent...
  • PRA forgery: no phishing (to a degree), basis
    for domain reputation

5
What was this SPF thing again? (iv)
  • example.com TXT "v=spf1 ip4:192.0.1.1 a mx -all"
  • example.com TXT "spf2.0/mfrom,pra ip4:192.0.1.1 a mx -all"

6
Problems
  • Forwarding breaks SPF, if done incorrectly.
    Solutions:
  • forwarders can do sender rewriting (e.g. SRS).
  • receivers can white-list their trusted
    forwarders. Try the http://trusted-forwarder.org
    white-list!
  • MAIL FROM checking cannot prevent phishing
  • PRA checking cannot prevent misdirected bounces
  • Sometimes, MAIL FROM ≠ PRA, so generally using
    identical policies for both is dangerous.
  • The PRA patent license is unsuitable for
    open-source MTAs.

7
Sender Rewriting (SRS & Co.)
  • When forwarding mail from an SPF-protected
    domain, the forwarder should rewrite the sender
    address, e.g. by using SRS.

joe@aol.com
anne@forwarder.com
SRS0=HHH=TT=aol.com=joe@forwarder.com
Biggest problem of SRS: the localpart can get
longer than the 64 characters allowed.
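
The SRS0=HHH=TT=domain=localpart layout on this slide, as an added Python example (not from the presentation and not interoperable with any particular SRS library). The secret, the 4-character HMAC-SHA256 truncation, the two-character base32 day stamp and the 21-day validity window are assumptions; the code shows the rewrite, the check a forwarder applies before relaying a bounce, and the 64-character local-part failure.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: key known only to the forwarder
MAX_LOCAL = 64                       # local-part limit mentioned on the slide
MAX_AGE_DAYS = 21                    # assumption: how long bounces are accepted
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _stamp(day):
    """TT: day number modulo 1024, written as two base32 characters."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]


def _hash(tt, domain, local):
    """HHH: truncated keyed hash over timestamp, domain and local-part."""
    msg = "=".join((tt, domain.lower(), local)).encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.b32encode(digest).decode()[:4]


def srs_forward(sender, forwarder_domain, day):
    """Rewrite MAIL FROM; day = days since the Unix epoch."""
    local, domain = sender.rsplit("@", 1)
    tt = _stamp(day)
    new_local = "=".join(("SRS0", _hash(tt, domain, local), tt, domain, local))
    if len(new_local) > MAX_LOCAL:
        raise ValueError(f"local-part is {len(new_local)} chars, limit {MAX_LOCAL}")
    return f"{new_local}@{forwarder_domain}"


def srs_reverse(address, day):
    """Recover the original sender of a bounce; reject forged or stale input."""
    tag, hhh, tt, domain, local = address.rsplit("@", 1)[0].split("=", 4)
    if tag != "SRS0" or not hmac.compare_digest(hhh, _hash(tt, domain, local)):
        raise ValueError("not a valid SRS0 address for this forwarder")
    age = (day - (B32.index(tt[0]) * 32 + B32.index(tt[1]))) % 1024
    if age > MAX_AGE_DAYS:
        raise ValueError("SRS0 address expired")
    return f"{local}@{domain}"


if __name__ == "__main__":
    rewritten = srs_forward("joe@aol.com", "forwarder.com", day=12900)
    print(rewritten, "->", srs_reverse(rewritten, day=12905))
```

The keyed hash keeps the forwarder from relaying bounces to arbitrary addresses, and the day stamp limits how long a rewritten address stays usable.
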
8
How to participate in SPF
  • Domain owners: Publish SPF records today! Use
    record building wizard at http://spf.pobox.com!
  • Receivers: Check SPF records! Check Sender-ID
    records, too, if you want, but don't use v=spf1
    for PRA!
  • SPF patches/plug-ins available for many
    MTAs: Qmail, Sendmail, Postfix, Courier, Exim,
    Exchange
  • Sender-ID supported by only a few MTAs yet, most
    notably Exchange 2003 (soon) and Sendmail

9
A short history of SPF
SPF spun off from draft-fecyk-dsprotocol-03
2003
first stable SPF draft, mostly compatible with today
draft-mengwong-spf-00
draft-mengwong-spf-01
2004
spf-draft-200406
draft-lentczner-spf-00 (MARID)
draft-schlitt-spf-classic-00
draft-schlitt-spf-classic-01
2005
draft-schlitt-spf-classic-02 assumed final, submitted to the IETF/IESG

10
Adoption by domain owners
  • As of 2005-06, roughly 800,000 domains are known
    to be equipped with v=spf1 records to date;
    250,000 of them have registered at the adoption
    roll. About 6,800 domains have published spf2.0.

11
More about adoption
  • Spammers... have been among the fastest to
    publish v=spf1 records for their domains. SPF
    doesn't directly prevent spam, it just prevents
    forgery!
  • Forwarding: A lot of forwarding software
    (mailing lists, etc.) already performs sender
    rewriting in some way, but much remains to be
    done, e.g. rewriting support in MTAs for
    alias-/dot-forward-style forwarding. Many
    receivers have chosen to white-list their trusted
    forwarders.

12
Call to action
  • Publish SPF records!
  • Check SPF records!
  • Help fund improvements of implementations!
  • Lobby MTA developers to support SPF!
  • Help research reputation schemes!
  • What types of reputation would you like to use?
  • Spread the word!
  • http://spf.pobox.com