SPF the Sender Policy Framework
Why you need SPF
by Andrew Macpherson on Apr.13, 2009, under E-Mail hosting, SPF the Sender Policy Framework
Eh wazzat? Well I suppose most of you haven’t heard about it, or if you have it’s probably in the negative context of someone’s mail not getting to you…
What is SPF then?
SPF is a nice, easy way for the owners of, say, mybank.biz to say where they send e-mails from. Of itself that doesn’t sound too exciting. Well no, except it has an interesting consequence. If mybank.biz only sends email from mailout.mybank.biz, then when your ISP gets mail which says it is from security@mybank.biz on a connection from phish.ripoff.crime, your ISP knows it can throw that mail away and never bother you with it.
Sounds good, so all the banks use SPF then?
Nice thought; a few responsible ones do. Mostly they don’t yet. If you got caught out, and it turns out your bank does not use SPF while your ISP does check for you, you might have a good argument about negligence. Some of the (financially) important internet sites like eBay do protect their customers and themselves in this way. Others use it just to avoid being accused of distributing spam or viruses.
So something must break, or everyone would have it
Well spotted. When the institution the mail comes from has SPF you can’t have an alias somewhere that forwards the e-mail to you, unless the ISP offering that alias is really switched on, because the machine doing the forwarding is not on the sender’s list of allowed sending machines. We can do it at OA5, but it is significantly more work, so we would rather not, thank you.
The other thing that affects people whose institution has SPF is a common mistake on some web sites. Those sites think they’re allowed to use your email address as the sender when they’re sending to you. They should of course be sending from their own address and only using your address as recipient of the mail they’re sending. Responsible sites who know what they’re doing don’t do this to start with, or quickly change when the problem is pointed out to them.
What about my Blackberry? That sends mail from the phone company’s machines, will I get blocked?
Blackberry and the phone companies know about SPF, and use the distinction between the Sender address and the From address to be able to deliver your mail.
At OA5.com we set up SPF for our customers’ domains.