A new Sender Policy Framework?

[Spathiphyllum]

Anyone following this yet?

SPF is Sender Policy Framework

SPF fights email address forgery and makes it easier to identify spams, worms, and viruses.
Domain owners identify sending mail servers in DNS.
SMTP receivers verify the envelope sender address against this information, and can distinguish legitimate mail from spam before any message data is transmitted.

Just found out about it by reading some DNS diagnostics material. This new standard for email is slowly being introduced with an implementation date for October... I had no idea. Is this just marketing or did I miss the meeting on some major announcement?

[G.Bloke]

I've heard a lot about it - however I wasn't really aware that it was being rolled out for October. From what I heard it wasn't really going to be in widespread use for at least another 12-18 months. It will cause widespread chaos if it is online by October. I can't be the only one who has sent email with a 'myname@mydomain' "from" address through the mail server of my ISP - lots of people do it either intentionally or unintentionally due to invisible mail proxies.

I can see it potentially being popular with Webmail setups like Hotmail because they can finally ensure that no spam is sent from forged addresses.

[jason]

SPF, at least initially, should be treated as a tool for handling spam, but not as a be-all-and-end-all solution to it. Mail server ops that choose to implement SPF checks should only be using it as one test in their series of tests for spam, and until the practice is widely accepted, treat it SPF failures with very low weight. For example, in SpamAssassin an SPF failure only carries a weight of between 0 and 0.875 points (where 5 points is generally the score needed for a message to be considered spam).

With so many ISP's blocking port 25 on their networks and most users having no control over DNS settings for other domains that they send mail from it is going to be a while before an SPF failure can be a reliable method of identifying spam. Hopefully, if SPF catches on, ISP's will start to lift their port 25 blocks. Time will tell.

At the same time, if receiving mailservers are too harsh on failing SPF checks, mail senders will just set up SPF records to allow all SMTP servers to validate, and the system will collapse on itself.

SPF sounds like a good way to combat spam. How well it actually works will depend on how well it is implemented. As long as the "big guys," like Microsoft, Earthlink, Yahoo, and AOL don't put too much weight on SPF in the begining then it should work.

--Jason

[Spathiphyllum]

Looks like Apache is in no mood for SPF:

Apache project rejects Sender ID proposal

Guess I can safely ignore SPF now since I trust those Apache people.

[jason]

I knew Microsoft was an early adopter of SPF. I didn't know they created it...

--Jason

[Connie]

Not sure this applies but all of a sudden I'm having trouble getting mail through to AOL customers. There is no bounce from the PostMaster, the mail just does not get delivered.

I discovered this a few days ago when a customer e-mailed for a return authorization. I responded. A few days later I got a second e-mail. I responded and then followed up with a phone call.

From my two responses the customer only received one and that was 24 hours or more after I sent it.

[Spathiphyllum]

Not sure this applies but all of a sudden I'm having trouble getting mail through to AOL customers.

Well who knows what else AOL is up to but that does sound suspicious. You might want to send an email from your web server to your home address to see what the headers are. I'm assuming that it is your web domain software that is dynamically creating and submitting the email.

Once you get your self-emailed email, assuming again that you get it, compare the headers to the formats that have been blessed by the SPF described earlier. That might get your troubleshooting started.

[Connie]

Spath you completly lost me... I have my e-mail client set up to send all e-mail through Jag.

I use 2 ISPs and both block port 25. I don't mind sending e-mail through the ISPs except it requires having several different addresses set up for each account that I might send from.

As far as I know AOL is the only ISP that I have trouble sending e-mail to. If AOL sent a bounce message then I would know the e-mail was not deleviered and would know to do something else. They don't so when I reply to someone from AOL I assume the e-mail is delivered.

I'm farily certain that Jag severs are not on an AOL spam list. The last time this happened there were a lot of complaints in regard to AOL. To date mine is the only one.

I don't know what AOL is doing, and apparently it is not affecting everyone. To me it is serious. If I reply to a customer and they do not receive the reply I end up with a disgrunteled costumer.

If I respond to a potential custeomer and they don't get the e-mail then I loose business.

I wish AOL would be consistant. Then I remember why I quite using AOL as an ISP.

Just a rant that know one here probably has an answer to. I had to vent somewhere and this looked like a good place.

[Spathiphyllum]

Clssam, I think I misinterpreted your post. I was under the impression that you had a webserver program that was using sendmail or other MTA to handle mail for that program. A shopping-cart script that sends an email confirmation for shipping or sales or an automated bulletin poster could be too dated to follow this recent implementation. If the script is not set up to provide the SPF-qualified header, then AOL mail servers might not process the mail and dump it as spam (or process it some other way, I dunno).

If you used such a script, and that script provided such a function, you could test by processing a fake order, or fake email, to yourself at your personal mailbox. Then retrieve your email and scan the headers. Compare those headers to a fully qualified SPF header (as observed on the SPF website) and see if some header component is missing.

If your only issue is routing of email through your ISP from your desktop email client, then I don't know what to suggest without a lot more information. And even then I probably don't have an answer.

Sorry about the confusion.

[baldtechnologist]

Interesting topic. I came to the boards because my wife has just received a couple of non-deliverable message notices, neither from AOL. Her domain is set up on my account (domain pointer), so she has to use my SMTP settings and login with hername@mydomain.com. This development is rather disconcerting to say the least.

Does anyone have any ideas on how this can be fixed for multi-hosted domains?

[Ron]

JAG's policy of bouncing emails that contain certain filetypes (.exe, .pif, etc.) caused my server to be blacklisted by spamcop or spamnet or one of those. While the listing goes away in 2 days if no more reports are filed, those two days can be devastating. The spam service doesn't want you to bounce such messages, as the sender is nearly always spoofed, and results in more net traffic and confusion. (there is more than one point of view on this policy, but that is theirs.)

According to a certain tech, JAG turned off the AV bounce on my server, though I am not sure if it was for a single type or for all types. I was able to work between JAG and the spam service to get the blacklist removed nearly immediately.

Good luck.