The Right Way to use SPF

Pat forwarded me a suggestion from a customer today and I
figured I’d discuss it here, since this is a common misconception about SPF…

> I would like to see SPF-enhanced white listing.  If the e-mail
> passes the SPF check, white list the e-mail message and
> continue delivery. If the e-mail message fails the SPF check,
> pass it through the normal SPAM checks and process the e-mail
> message like any other e-mail received.

Many spammers publish SPF records for their domains too, and they send their spam from the mail servers listed in their SPF.  By whitelisting all mail that passes SPF checks, we would be allowing a lot of spam in.  I just did a search of my spam folder and 91 spam emails passed the SPF checks, meaning the spam domain has published SPF records and the spam email was sent from that domain’s legitimate servers.

SPF is not designed for whitelisting. 

Rather, SPF is designed to prevent phishing and other forgeries.  If an email is sent from a server that is not listed in a domain’s SPF record, we can assume it to be a forgery and either tag it as spam or discard it.  This is really the only safe way to use SPF, and this is how we use it currently.

Here are the SPF scores we are using:

score SPF_PASS          -0.001
score SPF_HELO_PASS     -0.001
score SPF_FAIL          8.001
score SPF_SOFTFAIL      4.001
score SPF_HELO_FAIL     5.001
score SPF_HELO_SOFTFAIL 4.001

We tag messages as spam at a score of 6.000 or higher.  Fyi, the -0.001 scores exist only so that we can see in the message headers if email passed the SPF checks.

3 thoughts on “The Right Way to use SPF

  1. Andrew

    I think the customer may not have clearly explained what he had in mind. … I know that spammers frequently employ SPF and I wouldn’t want SPF to be the sole determinant of whether an e-mail is spam or not. What I (err, “the customer” 🙂 ) had in mind was a way to distinguish between legitimate mail sent from our domain to other users in our domain and mail with forged headers sent to people in our domain. I would like to whitelist our domain but I have observed that much spam sent to me has forged headers to look like it is coming from my own e-mail address. Webmail’s Spam DNA Filtering has done a phenomenal job blocking spam but I’d like to whitelist my domain just to be sure no legitmate “internal” mail is flagged as spam.
    Isn’t SPF the ideal way to identify such “internal” mail and let it bypass the spam filtering routines? Is there a part of this I’m missing?

    Reply
  2. Bill Boebel

    So basically “if the sender domain is hosted by Webmail.us and if SPF=pass, then whitelist”… yeah, I think that would be useful. I wasn’t thinking about it that way… Great idea. I will think about how we can create a rule like this.
    Also, we already automatically whitelist all mail that is sent from our servers using SMTP Authentication and mail that is sent from Webmail. You’d only need this sort of whitelisting if your users are sending their mail from a third-party mail server.
    We are looking into adding domain keys as well.

    Reply
  3. Andrew

    Interesting. I did’t know about the automatic whitelisting of SMTP authenticated mail. That would probably cover the majority of cases.
    Keep up the great work, and Merry Christmas!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *