ONJava.com -- The Independent Source for Enterprise Java
oreilly.comSafari Books Online.Conferences.

advertisement

AddThis Social Bookmark Button
Article:
  Handicapping New DNS Extensions and Applications
Subject:   SPF is broken
Date:   2007-01-12 15:16:47
From:   elanthis
There's a perfectly good reason to not use SPF. It breaks many, many valid mail setups. For example, any system that does any kind of mail forwarding.


Email is not a direct communication link. Email does not go directly from the sender's SMTP agent to the receiver's SMTP agent. It can, and often does, go through quite a few intermediary hosts. Some of those are internal network hosts which should be exempt from SPF, and some of those could be general "wild 'net" hosts... which also need to be exempt from SPF. Except there's no way to do that last bit.


DomainKeys avoids that problem. DomainKeys was designed with a little bit of a clue as to how the Internet and email/SMTP works. With DomainKeys, it doesn't matter which hosts a message goes through, as it doesn't try to do hostname/IP address validations like SPF. Instead, all it does is guarantee that the message has the correct authorization for the From: address domain.


There are issues with DomainKeys with any service that _alters_ mail, such as many mailing lists, that will cause false negatives like SPF. These, at least, have a possible means of being fixed (most mail list software needs only a slight config tweak to make work with DomainKeys) unlike SPF's issues.


When it comes to mail, guys, you can't just evaluate it form a "good DNS usage" standpoint. Mail also uses SMTP. From an SMTP standpoint, SPF is horrendously broken.


1 to 1 of 1
  1. SPF is broken
    2007-05-27 23:23:43  ale2006 [View]

1 to 1 of 1