SPF - should I implement?

domain-name-system email spf

Solution 1:

Yes. I wouldn't call this subjective because there's a clear consensus; use SPF.

Implementation is very easy and it's a good thing for the internet as a whole.

Solution 2:

You are likely seeing dated references. Based on the percentage of valid email my server receives from servers using SPF, the consensus is to use SPF.

I heartily recommend setting up SPF. Setup records for your MX allowing it to send email, as well as for the domain you use in e-mail addresses. For domains that don't send e-mail setup SPF to indicate that.

I find SPF records for the e-mail server more helpful and reliable in blocking Spam than those for the sender's e-mail address.

If your server supports SPF records configure them in addition to TXT records. If you change your configuration there may be a little overhead in keeping the records in sync, but many systems can configure their SPF so it automatically adjusts to MX and address changes.

You may want to review my post on Securing your Email Reputation with SPF. My first implementation of SPF was to block a spammer who was forging a domain I provide email services for. Despite relatively low SPF penetration it was very effective in shutting them down. However, we still get spam to the forged address they created. (Its a great way to verify spammers as only spammers would use that address.)

I believe penetration of SPF on the receiving side is likely greater than on the publishing side.

EDIT: If you do use SPF records, make sure that people delivering automated mailings are aware of the requirement to get their servers added. (The server should be fully vetted as automated systems are often poorly configured and may have a profile similar to a spambot. It isn't that difficult to set the server up correctly.)

Solution 3:

Definitely setup SPF - there should be no downside (as long as it is setup properly and tested), but it will prevent other sites from masquerading as you and sending spam in your name. The reason it is good is that you are explicitly whitelisting certain servers/IPs that can send email for your domain.

I think the best proof that it is a good thing is looking at a few major email services. Just look for the 'Received-SPF' headers in the original email to see if SPF is checked. For example:

Yahoo Mail:

Received-SPF: pass (domain of example.com designates xxx.xxx.xxx.xxx as permitted sender)

Gmail:

Received-SPF: pass (google.com: domain of [email protected] designates xxx.xx.xx.xx as permitted sender) client-ip=xxx.xx.xx.xx;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates xxx.xx.xx.xx as permitted sender) [email protected]

Hotmail also checks SPF (although, I believe they call it Sender-ID). Overall, it is an easy addition that can do a lot of good - both for your domain and the internet as a whole.

Related

ZFS on Linux (ZoL) and realtime replication
How do captive portal network connections work?
Postfix: change sender in queued messages
Jenkins won't serve with CA signed certificate
Moving a RAID array from one machine to another
Is it possible to move an AWS EC2 AMI from one region to another region and if so how?
install service in windows server 2008
Can you set a backup IP for your server in DNS?
How can I setup OpenSSH per-user authentication methods?
Using Upstart to Manage AutoSSH Reverse Tunnel
Powershell Parameters
Recommendations for SMTP services for massive mailing [closed]