Thursday, October 19, 2006

SPF Records: Do it Now

Yes, a lot of people complain about the problems with SPF records. However, the problems with not using them are greater.

Right now I am getting hundreds of bounce back messages because spammers are spewing out messages using my domains.

The problem for the people who are using mail systems that do not check SPF records is that they do not know the spammer's IP is not on our allowed list and that this is obviously spam. If their mail system were checking our SPF records, they would not be getting the messages in the first place, and if it were a good mail system, it would not be spewing out bounce messages for spoofed emails.

The problem for mail administrators and mail servers is that not checking SPF records wastes a lot of bandwidth and processing power. If they checked SPF records before touching the mail, they wouldn't even have to check whether the user really exists on the system, or store the message at all. And possibly spammers would leave their servers alone, since they couldn't get messages to them.

The problem for me is that end users, our potential customers, who are uninformed about SPF records, spoofers and spamming, may be reporting our email as spam to their service providers, and our domain may get blocked - incorrectly - by mail administrators and mail systems that are not smart enough to look at the SPF records to verify the mail is from a legitimate source.

If you are not using SPF records, it could be harming your business and limiting your business opportunities. Let's say you submit a request for a quote to some business through their web form - they reply to you, but you never get it because their domain has been incorrectly flagged as spam. Or let's say you get a bunch of spam and block that domain entirely. Now suddenly you can't get mail from a possibly legitimate new customer who didn't know their domain had been hijacked.

As I write this, I must warn, however, that someone out there needs to be keeping an eye on all this rejected spam... As mentioned in previous posts, it could actually be used as a form of communication by people who do not want you to know what they are writing! So hopefully someone out there is keeping an eye on legitimate AND spoofed and spam email messages.

To find out more about SPF records, contact your mail provider and your hosting provider, and take a look at http://www.openspf.org

If your mail provider tries to talk you out of SPF records: yes, there are some issues with them, but you can define all the servers allowed to send your mail, and that should resolve the problem and make your domain harder to steal and spoof. In most cases they try to talk you out of it because they don't know how to set it up correctly - get a new mail provider.

SPF may not be a perfect solution - but it is the only solution I know of right now that even attempts to resolve this problem. Maybe there are others that are better and I would love to hear about them, but my mail provider has received awards for secure email solutions and this is their recommendation.