
Microsoft to Deploy SPF for Hotmail Users

Posted by michael
from the ever-so-slightly-less-spam dept.
wayne writes "In a show of just how much Microsoft wants to put an end to email forgery, Hotmail, MSN and Microsoft.com will start enforcing Sender ID checks by Oct 1. In late May, Microsoft announced that they would be adopting the Open Source SPF anti-forgery system (with a slight modification to make it Sender ID) and they have been working together with the IETF MARID working group to help create an RFC to define the Sender ID standard. Already tens of thousands of domain owners, such as AOL, Earthlink, and Gmail, have published SPF records, and thousands of systems are already checking SPF records. Publishing SPF records is easy, as is checking SPF records."
  • Curious (Score:2, Insightful)

    by gregarican (694358)
    To me this sounds like a positive step. I'm just wondering what the Microsoft haters will post about it to make it sound like a bad thing...
    • Re:Curious (Score:2, Informative)

      by Anonymous Coward
      They'll tell you Microsoft buried SPF by requiring post-DATA checks on messages (parsing of RFC 2822 headers), instead of pre-DATA fast MAIL FROM parsing.

      *And* requiring a totally useless XML format, so that every SPF-capable MTA has to incorporate an XML parser.

      (feeling like one of them, strangely... :-)
      • Re:Curious (Score:3, Insightful)

        by gnuman99 (746007)
        *And* requiring a totally useless XML format

        What XML? I don't see any XML in the spf1 records.

        • Re:Curious (Score:3, Interesting)

          by WoodstockJeff (568111)
          I don't see any XML in the spf1 records.

          The reference implementation of the SPF validator includes code to validate using Microsoft CallerID records as well. That means that the XML parser needs to be present on the server.

          • Re:Curious (Score:4, Informative)

            by wayne (1579) <wayne@schlitt.net> on Friday July 23, 2004 @01:54PM (#9781574) Homepage Journal
            The reference implementation of the SPF validator includes code to validate using Microsoft CallerID records as well. That means that the XML parser needs to be present on the server.

            The checking of Caller-ID records in the perl reference implementation has always been optional. I know of only one other SPF implementation that even has Caller-ID support as an option. With the push by Microsoft to use Sender ID (which doesn't use XML) instead of Caller ID (which uses XML), I expect these optional XML checks to be eliminated.

            I ran a study of 1.3 million email domains and found only a couple dozen domains that published Caller ID (XML) records, but not SPF records. (Details of this study were posted to the IETF MARID mailing list.) There simply is no good reason to enable these optional Caller ID checks.

    • Re:Curious (Score:5, Insightful)

      by Neil Watson (60859) on Friday July 23, 2004 @12:52PM (#9780824) Homepage
      It's not that I hate Microsoft. However, I am aware of the company's record of adopting standards and then breaking them. Remember 'embrace and extend'? This could be a step forward for us all. It could also be step back.
      • Re:Curious (Score:3, Insightful)

        by irokitt (663593)
        As heated as the e-mail competition is now, and as frantic as it could get once GMail comes out, Microsoft is not going to be able to strangle things with an off-standard implementation via Hotmail. Hotmail has serious competition from Yahoo and other web-based ilk, particularly since Hotmail still has an inbox size of only 2MB (this despite promises that an upgrade is "coming soon").

        One way Microsoft could push this is if they implement it in Outlook, which has a monopoly where desktop e-mail clients are
      • Re:Curious (Score:4, Insightful)

        by gnuman99 (746007) on Friday July 23, 2004 @01:10PM (#9781058)
        It's not that I hate Microsoft. However, I am aware of the company's record of adopting standards and then breaking them. Remember 'embrace and extend'?

        This does not work if you are a minor player. Microsoft is a minor player in e-mail servers. This is also the reason why Microsoft wants to adopt SPF instead of creating something themselves.

      • Good point. This has certainly happened in the past. The XML standards are one counterexample, but there aren't that many of them. I can only hope that they won't "extend" a broken supposed standard and wind up falling short of the mark.
    • Re:Curious (Score:2, Interesting)

      by Al Dimond (792444)
      I can't quite get my head around how this affects me, actually... I'm a student at University of Illinois, I use an @uiuc.edu email address. If I live in an apartment off campus, however, I send my outgoing mail to my ISP's smtp server with my uiuc.edu address as the "from" address, because that's where I prefer to get my e-mail. So will this put my e-mail to SPF-enabled receivers under scrutiny? Or am I OK as long as my ISP is legit according to this system?

      Based on the article, it seems like it would
      • Re:Curious (Score:5, Informative)

        by E-Rock (84950) on Friday July 23, 2004 @12:58PM (#9780911) Homepage
        My understanding is that you should be changing the REPLY-TO, not the FROM. Let FROM be where the message is actually from and there's no blocking problem. With the REPLY-TO set, anyone that presses reply goes to your preferred destination.
        • Re:Curious (Score:5, Insightful)

          by LordNimon (85072) on Friday July 23, 2004 @01:16PM (#9781136)
          That's just not going to be acceptable to anyone. The reply-to is only used during a reply. When the recipient first receives the message, he sees what the From: line says, not what the Reply-To: says. When people receive email from me, I want them to see that it's from me, and I want it to be same no matter what server I use.

          Besides, my understanding of SPF is that it doesn't use anything in the email header at all, only what's in the envelope.

        • Re:Curious (Score:3, Interesting)

          by fiftyvolts (642861)

          I know that certain universities have blocked the residential networks from using other outgoing mail servers to attempt to stop exploited machines from spamming the rest of the world.

          While this is very thoughtful of them, it is impossible to accurately use a non-university email address. This could cause issues with verifications such as this one.

      • Re:Curious (Score:3, Interesting)

        by Smallpond (221300)
        Lines starting "::" are from uiuc.edu

        telnet uiuic.edu 25
        ::220 tarantula.cso.uiuc.edu ESMTP Sendmail 8.12.11/8.12.11; Fri, 23 Jul 2004 15:23:26 -0500 (CDT)
        HELO crumpet.mine.nu
        ::250 tarantula.cso.uiuc.edu Hello xxx.xxx.xxx.xxx.net [xx.xx.xx.xx], pleased to meet you
        MAIL FROM: bgates@microsoft.com
        ::250 2.1.0 bgates@microsoft.com... Sender ok
        RCPT TO: xxxx@uiuc.edu
        ::250 2.1.5 xxxx@uiuc.edu... Recipient ok
        data
        ::354 Enter mail, end with "." on a line by itself
        TO: happy feet
        FROM: crazy horse
        Do you like to get spam?

    • I refuse to buy a handheld/laptop/desktop with MS software - such is my hate. Nonetheless, this is a great thing:
      - They are going about it the right way (IETF rfc as an open standard, open source system)
      - They have a lot of weight to actually make it happen
      - This is something that should have been done a long time ago.
      If they modified things from other proposals, I don't care. This is just something that simply has to happen!
      So despite coming from microsoft, this is great news.
  • by E1ven (50485) * <e1ven.e1ven@com> on Friday July 23, 2004 @12:44PM (#9780695) Homepage
    Ok.. Let me make sure I understand this correctly..

    I maintain a few domains, such as Sq7.org [sq7.org], from which I send e-mail.. I send it from home, from my girlfriend's house, from wherever I happen to be.. But I send it by connecting through the sq7.org server, and forwarding mail through there.

    The way I understand SPF, I just need to publish that the IP sq7.org runs on is authorized to send Sq7.org's mail, and NOT the IP for my home, office, etc, since I don't send directly from the local computer.

    If I did send directly from the local computer, without going through the external server, I'd need to add my local IP to the SQ7.org DNS records.

    As it is, though, I'll need to avoid using my ISP's SMTP servers if mine go down, or add them to the domain.

    Am I understanding this right?

    -Colin
    • by YetAnotherDave (159442) on Friday July 23, 2004 @12:54PM (#9780855)
      SPF allows you to state a list of servers which are qualified to send.

      So you could add your server + your ISP's servers, so your fallback would still be within your SPF record
    • by mshultz (632780) on Friday July 23, 2004 @12:56PM (#9780887)

      Yeah, I was wondering about this too--- particularly how this is going to work with things like universities. Where I just graduated from, you're only allowed to use their SMTP server if you are either on campus, use the VPN, or are using authentication over SSL from wherever. For everyone off campus, you are expected to use your ISP's SMTP server.... and often, you'd have to anyway, with ISP's blocking outgoing port 25 these days. So how then would a university, for example, implement SPF with people using whatever.edu 'From' addresses, but going through thousands of different ISP-owned SMTP servers?

      Surely there's a better solution than to have people change their 'From' address based on who's providing their internet connection at that moment (a real challenge for wireless hotspot users.....), and just keep the Reply-To header constant.

      Maybe I understand this wrong-- just wondering how it's all going to work.

      • by WuphonsReach (684551) on Friday July 23, 2004 @02:53PM (#9782245)
        Yeah, I was wondering about this too--- particularly how this is going to work with things like universities. Where I just graduated from, you're only allowed to use their SMTP server if you are either on campus, use the VPN, or are using authentication over SSL from wherever. For everyone off campus, you are expected to use your ISP's SMTP server.... and often, you'd have to anyway, with ISP's blocking outgoing port 25 these days. So how then would a university, for example, implement SPF with people using whatever.edu 'From' addresses, but going through thousands of different ISP-owned SMTP servers?

        First off, unless your desktop machine is running a full SMTP daemon (e.g. sendmail / postfix / exchange / etc.) you're not supposed to be talking to other SMTP servers on port 25. The fact that you've been allowed to do so is laziness on pretty much everyone's part. Client machines should be talking to their SMTP server in an authenticated manner using one of the ports like tcp/465 and the like. Which is not a port that ISPs are blocking.

        Secondly, if you want to send e-mail from a particular domain, that domain is perfectly within its legal rights to say "you must use our authorized outbound mail servers". Which is what happens when they publish SPF-type information. Right now, using the MX records, a domain can specify what machines are authorized to accept incoming mail for that domain. (You wouldn't route mail for domainA.com to domainB.com's mail server and expect it to be delivered, right? Unless domainA's MX record specifically says that domainB.com's mail servers will handle that e-mail.) SPF information is simply the mirror image of the MX record (more or less).

        Third, if we allow you to forge our domain on your e-mail and send it willy-nilly from any hotspot or mail server on the planet... well, that means that any spammer or worm can also forge our domain onto their mailings. This is extremely frustrating to a mail admin who has to deal with hundreds and thousands of mis-directed bounces from forged e-mail. The only solution is to stop domain forging from being allowed on the network. At least with SPF-type solutions, it's up to the owner of the domain to choose to publish SPF-type information and how strict they want it to be.

        In short, if you want to send e-mail from domainX who publishes SPF information, you will need to abide by the rules that domainX has chosen to publish. Most likely this will require you to either VPN into their network or use an authenticated SMTP session to route mail through their mail server.

        If you don't agree with domainX's rules, you are perfectly free to setup your own domain and publish your own SPF records (or not publish any).

        Heck, AOL already does SPF on an ad-hoc basis, where you have to register for a whitelist if your domain sends more than a handful of e-mails to their users per some time period. At least with SPF, I can publish a single record for my domains rather than having to register with every Tom, Dick, Harry, and Jane ISP on the planet.

    • That sounds right to me. I think I need to do the same for my domain.

      This will be tricky for some family members that I provide (inbound) forwarding service for. In fact, I wonder how this will work for pobox.com forwarding accounts? Will they need to provide outbound SMTP service as well?

      How about all the folks that use forwarding addresses like @alumni.myschool.edu? Or @computer.org?

      • How about all the folks that use forwarding addresses like @alumni.myschool.edu? Or @computer.org?

        I think the primary purpose of @alumni addresses is to provide an "eternal" address for *receiving* mail rather than sending it. An individual would advertise their @alumni address in various places such as in their .sig file and maybe use it on a Reply-To: line but not on the From: line.
    • by autopr0n (534291)
      You are correct. Although, you could add those other IPs if you wanted to, and send directly from those machines.
  • No posts =( (Score:4, Funny)

    by Bwerf (106435) on Friday July 23, 2004 @12:44PM (#9780703)
    Damn, now I have to read the article.
  • by peculiarmethod (301094) on Friday July 23, 2004 @12:44PM (#9780705) Journal
    Wait a second. Microsoft is willingly employing open source market software? (looks at calendar).. hmm.. it's not early april. It's either armageddon, or old dogs can be taught new tricks!

    pm
  • Great (Score:4, Insightful)

    by bnewendorp (764839) on Friday July 23, 2004 @12:44PM (#9780712)
    Let's hope this method of reducing spam will work. I have noticed that less spam I receive comes from Hotmail, Yahoo, etc. type e-mails, but hopefully this will help more. I am curious just how much work is involved in publishing these lists, and more importantly, how often are they updated? If they don't get real time or near-real time updates, they aren't going to be very useful.
  • by Joey Patterson (547891) on Friday July 23, 2004 @12:46PM (#9780740)
    Microsoft to Deploy SPF for Hotmail Users

    So, now that Microsoft already dominates the OS and free e-mail markets, it's trying to get into the sunscreen market as well?

    I don't know which is worse, the cure or the disease.
  • by Linuxthess (529239) on Friday July 23, 2004 @12:47PM (#9780751) Journal
    The SPF's website says,
    "Have confidence that mail that SAYS it's coming from your bank, your credit card company, or the government really is!"

    The problem arises though when the phisher/spammer uses a domain which is fairly similar to your bank or credit cards website, for example www.XYZCapitol.com instead of www.XYZCapital.com.

    • Even that is less serious than it once was. At least you have a high degree of certainty that it originated from www.XYZCapitol.com, which gives you a lead on tracing the true source of the phish.
  • by pio!pio! (170895) on Friday July 23, 2004 @12:48PM (#9780756) Journal
    Next year MSFT will release SPF15 for those needing additional protection. SPF 30 and 45 to follow for those extremely pale nerds who never go in the sun
  • by bheer (633842) <.moc.liamg. .ta. .reehbr.> on Friday July 23, 2004 @12:51PM (#9780794)
    Is there an easy guide to deploying SPF on Windows 2000's DNS Service? Something that I can give the MCSEs who run our IS team and get their attention would be appreciated.
  • *hot*mail. I'll start using SPF-90 sunscreen while handling hotmail.
  • Okay, all I know is that SPF is a good deal simpler than Sender ID and much more popular, due to the simple text format versus the use of XML.

    However, can somebody please clearly explain what (if any) differences there are between what they do? I mean, after the data is decoded, is one of them superior to the other, or a superset of the other? Or are they totally independent checks, or are they slightly intersecting checks?

    Honestly I can say I am extremely happy to see Microsoft adopting a standard that was n
  • Easy? (Score:4, Interesting)

    by Compholio (770966) on Friday July 23, 2004 @12:52PM (#9780815)
    Publishing SPF records is easy, as is checking SPF records.

    Only if you can edit your own DNS records; most management tools only allow modification of A, MX, and CNAME records. For this to really take off, the tools need to add support for TXT records.
    • Re:Easy? (Score:4, Informative)

      by Rich0 (548339) on Friday July 23, 2004 @01:00PM (#9780933) Homepage
      And currently most free dynamic DNS services do not support it.

      This of course means that my outgoing mail will probably get spam filtered in the near future unless this changes.
    • Re:Easy? (Score:3, Funny)

      by theantix (466036)
      I've found vim to be a good management tool that supports the adding of TXT records. If are willing to accept an inferior tool, emacs or nano would also probably work for editing TXT records, though I haven't verified that personally.
  • by mabu (178417) * on Friday July 23, 2004 @12:52PM (#9780822)
    Generally, I like this idea, especially from the perspective of controlling misdirected bounces.

    Where it seems to be a problem though (someone correct me if I'm wrong), is in a case where someone, for example is doing web hosting and controls a domain, and the customer wants to configure his e-mail client to send mail "from" the domain through a local ISP. The way SPF works, the authorized hosts from which mail with that domain in the header must be defined in the DNS records. This means that if the hosting company isn't the customer's ISP or mail relay, he needs to keep track of what mail relays the customers use. If a customer changes ISPs and doesn't have the DNS info updated, then their mail may suddenly be rejected by SPF servers?

    This seems to be good for ISPs and services like Hotmail and gMail, which endeavor to have exclusive control of incoming and outgoing mail under their domains, but for smaller ISPs or scenarios where one person may be managing the domain, with the customer using a local ISP/mail relay, it seems to be a big pain in the butt.
    • If you control the domain that your email is from, then you simply need to change the DNS settings for that domain to add the proper SPF record.

      Basically it's like this.. You have a domain like example.com. You send email from bob@example.com. But you want to send email through some other SMTP server, call it smtp.com, for whatever reason, and keep the From: line as bob@example.com. Since you control the domain, all you need to do is to change the DNS settings for your domain to add SPF records that say "s
  • MSN Broke My Email (Score:5, Interesting)

    by stoolpigeon (454276) <bittercode@gmail> on Friday July 23, 2004 @12:52PM (#9780825) Homepage Journal
    They are making all kinds of changes lately-- and they are not bothering to send anything to their users. I've been an MSN customer since just after they started up the service. Last week Outlook couldn't pull my email from their pop3 server any more. I sent in a help ticket. The reply I got said it was a problem they were fixing- and gave me instructions to set up Outlook Express to pull web mail from an http server.

    I responded that I don't use Outlook Express, I use Outlook 2000 and it will only pull Email from pop or imap servers. Their response, upgrade to Outlook 2002 (or above) or just use the hotmail interface. Of course using hotmail means no more hot syncing to my palm and I have to start manually sifting through spam again (my filter I use is an Outlook plug in)

    I had been thinking about changing my ISP but now I don't even have a choice.

    What ticks me off most is there was no advance notice of these changes- and it took multiple emails to MSN support to find out what was really going on.

    • by Kenja (541830)
      "I've been an MSN customer since just after they started up the service."

      Customer or user? Customers pay for a service and expect a level of support for their dollar. Most people who have Hotmail accounts are just users, who pay nothing and should not expect anything back.

      • Customer - I'm talking about MSN not hotmail. (in other words the account address I'm talking about is 'foo@msn.com' not 'foo@hotmail.com') But they are now telling me that if I don't upgrade (buy) a newer version of Outlook, I can only get to my mail through the hotmail interface.

        I have been a paying customer of the MSN dial-up service for quite a few years- long before hotmail existed.

  • by Sheetrock (152993) on Friday July 23, 2004 @12:52PM (#9780829) Homepage Journal
    Part of the secret to the success of the Internet is in allowing unfettered communication between endpoints. While I am to some degree concerned about the technical approach to solving the spam problem, because of the collateral consequences it may have, it does not raise the spectre of 1st Amendment violation that anti-spam legislation does.

    That Microsoft is taking part is to their credit. Finally the Internet at large is going to actually try to apply a solution to spam at the source. Although the unsolicited commercial email problem is largely one of perception (as with violent computer games, smoking in public, or 'indecent' radio broadcasting) perhaps the solution will have less of a negative impact on society. One can only hope.

    • In what sense is Microsoft's adoption of SPF "proof that technology works" for stopping spam?

      First off, it hasn't happened yet. Nothing has been proven to work here, since they haven't actually done anything yet.

      Second, SPF doesn't stop spam in the long run. SPF does not even address the problem of spam per se -- it addresses email forgery, and that not very well. In the unlikely event that every email system everywhere implemented SPF restrictions, spammers would still be able to send spam. They simply

  • by Paul Carver (4555) on Friday July 23, 2004 @12:53PM (#9780839)
    I have a couple of domains registered and pointed at a cheap shared host. I generally send mail using either Mutt over ssh or Mozilla via several different SMTP servers (cable modem ISP, web host ISP, work SMTP server) and I routinely edit my from address to use whatever userid and whichever of my domains is relevant.

    I guess this change means that hotmail users won't be able to receive mail from me unless I read up on SPF and figure out how to get the appropriate configurations into my bargain basement DNS and hosting configs. I hope this doesn't require any administrative privileges since I don't run my own DNS or mail servers for my domains. You can't do that sort of thing for less than $20/month.
  • by frankie (91710) on Friday July 23, 2004 @12:54PM (#9780861) Journal
    Just yesterday I got multiple "Delivery Status Notification (Failure)" messages from postmaster@mail.hotmail.com, informing me that stupid spams could not be delivered. The headers show they were sent from 62.231.179.13 (in Novokuznetsk Russia) and claimed to be from my employer's domain (in eastern USA).

    Now if only our anti-spam group would add SPF records. They're deep in the Redmond camp, so the phrase "Microsoft is doing it" should convince them.

  • This is nice (Score:3, Insightful)

    by fluor2 (242824) on Friday July 23, 2004 @12:55PM (#9780871)
    This is very nice comparing to what others do: nothing.

    The SMTP protocol has sucked for ages, and we applaud any action taken to improve it.
  • It was just yesterday I think, that someone on here was saying that it would take MS, Yahoo, or AOL to start using SPF to drag the rest of the world onto it. I have looked at it, but I haven't started using it. Once a few sites start rejecting me for not using it, I guess I'll have to add the records. There was a wizard somewhere for generating the SPF records you would need for your domain. Time to look it up, I think.
  • by kawika (87069) on Friday July 23, 2004 @12:59PM (#9780929)
    Okay, now we can verify that a mail server that says it is someserver.com is really someserver.com. Back when the big problem was open SMTP relays that sure would have been helpful.

    But now that the problem is spam zombies on millions of user PCs, how will this put a dent in the problem? Sure they won't be able to connect directly to Hotmail to say they're someserver.com, but it won't stop them from sending spam through their own ISP's mail server. Since the key to spam zombies is having a lot of PCs that send relatively few spams per PC, it will be very difficult for each ISP to track down and stop each zombie.
    • If someserver.com sets up an SPF record saying that mail.someserver.com is the only host allowed to send mail using that domain, then zombies won't be able to send any messages using that domain, as their IP address will not match what is specified in the SPF record.

  • Yes, but (Score:3, Funny)

    by Anonymous Coward on Friday July 23, 2004 @01:02PM (#9780949)
    Will it be SPF 15 or SPF 30?
  • by herrvinny (698679) on Friday July 23, 2004 @01:03PM (#9780964)
    But they were registered using GoDaddy, with Hostway nameservers. For this to really get off the ground, the regular hosting companies have to support it as well. The only registrar that offers SPF is (that I'm aware of) PairNIC [pairnic.com].
  • What scares me is that this could be the first step to controlling email via certain companies.

    What if BIG CORPORATION A decides to sell its assets running the SPF machines to BIG CORPORATION B and BIG CORPORATION B combines A's and B's machines? Eventually one BIG CORPORATION will own all the SPF machines or a very large portion thereof. Then what?

    What about all the little upstarts who don't want to be bothered with figuring out SPF or understanding people's desire to use it? What if a time sensitive e
  • I have a couple domains that I host myself, but those don't even have MX records, and I never use them for email.

    On the other hand, the first domains I purchased were with register.com. As far as I can tell, there is no way to include SPF records using their web forms. In theory I could use my own DNS servers, but theirs are obviously more reliable :).

    In my view, for this to take off, hosted DNS providers really need to get behind it.
  • by mabu (178417) * on Friday July 23, 2004 @01:08PM (#9781027)
    I am unconvinced this scheme will make much of a difference in the spam epidemic.

    If anything, the SPF idea primarily favors the big ISPs and consolidated mail services. Microsoft and others aren't doing the industry a favor at all by adopting this standard. It clearly benefits them more than it does small and medium-sized Internet hosts. I am under the impression that any Internet operation that doesn't control all the inbound and outbound mail for domains they manage will have a much higher administrative burden than the big guys. So this scheme makes sense for large ISPs and costs more time and money for smaller ones.

    And ultimately, it would only stop spam if every system on the planet adopted it. Otherwise a spammer will simply operate from a host that isn't SPF-compliant. Until the lion's share of systems adopt SPF, no ISP can afford to arbitrarily reject non-compliant systems.

    This scheme seems to heavily favor the "all-in-one" Internet companies, who manage both sending and receiving. If you're having one company manage your domain and using a local ISP for SMTP, then you run into problems. As an owner of a hosting company, if this scheme were adopted, I'd probably get several phone calls a day from customers freaking out that their mail bounced, and even if I had an automated system where they could specify authorized smtp hosts, I'd still have to waste a bunch of time explaining to them that if they configure their local client to be "from" their domain, and they change ISPs, they need to update these records as well.

    Ultimately, this is bad. It makes the largest ISPs, who can afford to offer SMTP and all other services, easier to work with, and the smaller guys have more of an administrative overhead to keep up with DNS management.
  • I send mail from my home server through my ISP as a smarthost. DNS is managed by another company (easyDNS). I assume that I would have to have my DNS provider enter the SPF information, since I don't manage it myself. Do most DNS providers allow the user to enter data like this in the TXT record?
  • Can the pebbles still vote, or has the avalanche already started?

    -- less is better.
  • by pavera (320634) on Friday July 23, 2004 @01:11PM (#9781075) Homepage Journal
    SPF requires that you know every mail server that will ever relay mail for your domain. This is unknowable. I manage 40 domains; people using these domains for email regularly travel to branch offices where they change their outgoing smtp server to whatever server is local to that office... I'm talking about a rotating list of around 1000 smtp servers that have to be on all 40 of these domains... That is the most unmanageable hack I've ever seen. This is not one company; I manage small domains for contractors that need to be able to have 1 email address, but that are constantly moving to different physical locations, and using many smtp servers. Furthermore, VPN is not a solution, as most of the time they are on heavily firewalled and NATed networks where VPN does not work reliably. Also, I work for a small ISP and many of our users use our outgoing smtp server to relay mail for their work accounts that don't have VPN set up for them. All of this email will now be summarily rejected.... whoever came up with SPF is an idiot, thanks for breaking email, this is the death of it.
    • No, it's just not a solution for everyone.

      If you don't publish SPF records, nothing changes. Mailservers are unlikely to reject mail from domains that don't have SPF records for a long time, maybe ever, depending on how broadly used it is.

      If you do publish SPF records, you can indicate whether or not your record describes all hosts that can send mail for your domain. Adding ~all means:

      SPF queries that do not match any other mechanism will return "softfail". Messages that are not sent from an appro

  • no need to panic (Score:4, Informative)

    by the quick brown fox (681969) on Friday July 23, 2004 @01:13PM (#9781101)
    From the article: Messages that fail the check will not be rejected, but will be further scrutinized and filtered
  • gmail uses SPF (Score:4, Informative)

    by autopr0n (534291) on Friday July 23, 2004 @01:15PM (#9781120) Homepage Journal
    for the record:
    C:\>nslookup
    Default Server: firewall.lab.cs.iastate.edu
    Address: 192.168.1.254

    > set type=txt
    > gmail.com
    Server: firewall.lab.cs.iastate.edu
    Address: 192.168.1.254

    Non-authoritative answer:
    gmail.com text =

    "v=spf1 a:mproxy.gmail.com a:rproxy.gmail.com -all"

    gmail.com nameserver = ns4.google.com
    gmail.com nameserver = ns1.google.com
    gmail.com nameserver = ns2.google.com
    gmail.com nameserver = ns3.google.com
    • Re:gmail uses SPF (Score:3, Interesting)

      by DA-MAN (17442)
      More surprisingly, hotmail does not.

      r2d2$ host -t txt aol.com
      aol.com text "v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/23 ip4:205.188.159.0/24 ip4:64.12.136.0/23 ip4:64.12.138.0/24 ptr:mx.aol.com ?all"
      r2d2$
      r2d2$ host -t txt hotmail.com
      r2d2$

      Looks like hotmail needs to practice what they preach.
  • by microcars (708223) on Friday July 23, 2004 @01:17PM (#9781138) Homepage
    I have several domains,
    let's say one is:
    example.com

    I currently use Eudora to send email from my primary ISP (earthlink) , but if I want the mail to "appear" as though it is coming from
    me@example.com
    all I have to do is create a "personality" in Eudora. I use Earthlink's smtp and the only thing I see in the headers is this:

    X-Sender: me@example.com (Unverified)
    Date: Fri, 23 Jul 2004 12:08:28 -0500
    To: user@earthlink.net
    From: Microcars (me@example.com)
    Subject: test

    there is just this (Unverified) line in the X-Sender line, does this mean I will no longer be able to use this function of Eudora?

    I can set up POP mail accounts for these domains, but I have to use the WEBMAIL feature of my domain's host because Earthlink blocks port 25 and will not allow me to use another SMTP server (can't use .Mac at home either because of this)

  • by looper_man (452635) on Friday July 23, 2004 @01:17PM (#9781140)
    I use a forwarding address from my alma mater as my main personal email address (me@alumni.XXX.edu). They offer a webmail interface, but it sucks eggs. So I subscribe to Yahoo Mail Plus which allows me to send mail "from" any of my accounts (they verify the account before letting me do this), and I can also consolidate several accounts there in one nice interface. When I send email from Yahoo "from" my alumni.XXX.edu address, it comes from Yahoo's outgoing server, and the SPF record from alumni.XXX.edu wouldn't match (if it's there at all).

    Is there any mechanism in SPF (or Sender ID) for this email setup?
  • Missing the point (Score:5, Informative)

    by eadz (412417) on Friday July 23, 2004 @01:22PM (#9781201) Homepage
    A great opt-in solution... If you don't have SPF records in your DNS, it doesn't mean Hotmail won't accept your mail.

    If you DO have an SPF record for your domain, and the message wasn't sent from one of the specified IP addresses, then Hotmail may block your message.

    But the real kicker is when you receive a message from someone@hotmail.com. If the IP address used to send the message isn't listed in hotmail's SPF TXT DNS record then you know it's not a message sent from hotmail. And same for Gmail:

    dig -t txt gmail.com
    gmail.com. 300 IN TXT "v=spf1 a:mproxy.gmail.com a:rproxy.gmail.com -all"

    Which means that the only servers authorized to send mail from @gmail.com are mproxy and rproxy.gmail.com
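    The check eadz describes (a sending IP not listed in the domain's record means the mail did not come from that domain), the "~all gives softfail" point made in the reply further up, and the forwarding/"send via another provider" cases raised by looper_man and dekeji can all be seen in one small evaluator. The block below is an added example written for this page, not code from the thread, from Microsoft, or from any SPF library. It resolves against a constructed in-memory table instead of real DNS so it runs offline: the gmail.com TXT record is the one quoted above, but the IP addresses (RFC 5737 test networks), the mproxy/rproxy A records and every other domain and record in the table are assumptions. It handles ip4/ip6, a, include and all; mx, ptr and exists are deliberately left out and reported as permerror rather than guessed at.

```python
import ipaddress

# Constructed in-memory "DNS" (an assumption standing in for real lookups).
# gmail.com's TXT record is the one quoted in the thread; every address and
# every other name/record here is made up (RFC 5737 test networks).
DNS = {
    "gmail.com": {"TXT": ["v=spf1 a:mproxy.gmail.com a:rproxy.gmail.com -all"]},
    "mproxy.gmail.com": {"A": ["192.0.2.10"]},
    "rproxy.gmail.com": {"A": ["192.0.2.11"]},
    # Lists its own A record plus an ISP range, and ends in ~all (softfail).
    "example.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 a ~all"],
                    "A": ["203.0.113.5"]},
    # Delegates to example.com's policy, then hard-fails everything else.
    "mail.example.com": {"TXT": ["v=spf1 include:example.com -all"]},
    # An ISP that ends in ?all: anything unlisted is neutral, never fail.
    "isp.example.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ?all"]},
    # A university alumni domain with a strict -all policy.
    "alumni.example.edu": {"TXT": ["v=spf1 ip4:203.0.113.0/26 -all"]},
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=DNS, depth=0):
    """Evaluate the spf1 record of `domain` for the connecting IP.

    Returns pass, fail, softfail, neutral, none (no record) or permerror.
    Handles ip4/ip6, a, include and all; mx/ptr/exists are left out, so a
    record using them yields permerror here rather than a wrong answer.
    """
    if depth > 10:                      # include loops / excessive nesting
        return "permerror"
    records = [t for t in dns.get(domain, {}).get("TXT", [])
               if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"                   # domain publishes nothing: unchanged
    if len(records) > 1:
        return "permerror"              # two spf1 records is a syntax error
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        if "=" in term:                 # modifiers (redirect=, exp=) ignored
            continue
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hosts = dns.get(arg or domain, {}).get("A", [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        elif mech == "include":
            matched = check_spf(arg, sender_ip, dns, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return RESULT[qualifier]
    return "neutral"                    # fell off the end of the record


def disposition(result):
    """One receiver policy (an assumption, not Hotmail's): reject only on
    a hard fail, flag softfail for the spam filter, accept everything else."""
    return {"fail": "reject", "softfail": "accept-and-flag"}.get(result, "accept")


if __name__ == "__main__":
    cases = [
        ("gmail.com", "192.0.2.10"),              # via mproxy: pass
        ("gmail.com", "198.51.100.200"),          # forged @gmail.com: fail
        ("example.com", "203.0.113.99"),          # unlisted host, ~all: softfail
        ("isp.example.net", "203.0.113.99"),      # unlisted host, ?all: neutral
        ("alumni.example.edu", "198.51.100.200"), # sent via another provider: fail
        ("nospf.example.org", "203.0.113.99"),    # no record published: none
    ]
    for domain, ip in cases:
        r = check_spf(domain, ip)
        print(f"{domain:20} from {ip:16} -> {r:9} ({disposition(r)})")
```

    The alumni.example.edu case is exactly the forwarding problem: a message legitimately written by the domain's user but handed to the receiver by some other provider's outgoing server gets "fail" against a -all record, and a receiver that rejects on fail drops it. The same input against a ~all or ?all record comes back softfail or neutral, which is why the reply above suggests ~all for domains that cannot enumerate every relay. A domain that publishes nothing gets "none", and this evaluator (like the policy eadz describes) leaves such mail alone.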
  • Universities? (Score:3, Insightful)

    by LittleStone (18310) on Friday July 23, 2004 @01:30PM (#9781296) Homepage Journal
    I have the impression that SPF is going to create a lot of problems to universities.

    A couple of universities I've been to do not allow external SMTP connections. Users need to use their ISPs' SMTP server to send email. I couldn't find how SPF can accommodate this practice without significant change: either the university allows authenticated external SMTP connections or the ISP provides another authenticated SMTP server for these users (to use whatever address they want).
  • Port 25 blocked (Score:3, Interesting)

    by funk_phenomenon (162242) on Friday July 23, 2004 @01:45PM (#9781486)
    What about in the situation I have where I have to use my ISP's SMTP server to send ALL the mail I wish to send, since they disallow access to port 25 for all servers other than their mail server (i.e. send a person@yahoo.com email through my isp.com SMTP server)? Since I'm tied to this scheme, apart from using a web interface, will SPF work in this situation?
  • by mcrbids (148650) on Friday July 23, 2004 @01:55PM (#9781580) Journal
    It's amazingly easy. There's a little wizard here [pobox.com] you can use to set up your DNS.

    I did this for my domains in about 5 minutes.

  • by dekeji (784080) on Saturday July 24, 2004 @12:56AM (#9787169)
    Well, my mail provider deployed SPF quietly and the result was a few months of occasional dropped mails: mail forwarding from one low-volume but important domain didn't work. When I looked into how that could happen, it seemed like SPF was working the way it was supposed to; it was just that unless the whole world switched to it, this sort of thing was bound to happen.

    Since my spam filters are working pretty well, I concluded it was better to live without SPF and let the spam filters deal with the extra junk than to lose mail because of SPF's limitations.
