Educause Security Discussion mailing list archives

Re: SPF


From: Joe St Sauver <JOE () OREGON UOREGON EDU>
Date: Mon, 7 Mar 2005 10:43:10 -0800

Hi Theresa,

#Do any of you have SPF implemented?  If so, have you had any issues or
#complications with it?  Has your user community had any comments concerning
#it?

Some thoughts on SPF:

-- It isn't an anti-spam thing, it is an anti-spoofing thing. If you're
   getting killed by ebay phishing or citibank.com phishing, for example,
   it may help. On the other hand, other commonly seen phishing targets
   (such as wamu.com) aren't publishing yet.

-- SPF is really two things: checking SPF records for inbound mail, and
   publishing SPF records covering your own network space. You may want
   to implement only one or the other; you need not implement both at
   the same time.

-- It is possible to write SPF records of varying degrees of strictness,
   and because of that, it is possible to publish a record that is so
   broad and so soft that it does very little to address any real or
   perceived problem; conversely, you can write a record that is very
   tightly constrained and strict ("dash" rather than "squiggle" or
   "question mark" records).

-- The corner cases for SPF are well outlined in Meng Weng Wong's SPF
   whitepaper, available at http://spf.pobox.com/whitepaper.pdf

   Forwarding is the most commonly mentioned problem; some also may
   point at DNS load for some particularly painful SPF records (like
   rr.com's).

Bottom line, I'd encourage you to consider either publishing your
own records, or checking others, or both.

Regards,

Joe
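
Added example, not part of Joe's message: a Python sketch of the strictness point above. It reads the qualifier on a record's "all" term ("dash", "squiggle", "question mark") and counts the terms in that record that cost the checking host further DNS queries. The function name, the sample records and the example.net / 192.0.2.0 values are constructed for illustration.

```python
import re

# Qualifier characters and the result they give when the term matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Mechanisms that make the checking host issue further DNS queries.
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MODIFIER = re.compile(r"[A-Za-z][A-Za-z0-9_.-]*=")

# Constructed sample records (documentation addresses and domains).
SAMPLES = {
    "strict": "v=spf1 ip4:192.0.2.0/24 mx -all",
    "soft": "v=spf1 a mx include:_spf.example.net ~all",
    "soft-only": "v=spf1 ?all",
    "no-all": "v=spf1 mx",
}


def analyze_spf(record):
    """Return (result for senders no earlier term matched, DNS-querying terms)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    dns_terms, redirect = 0, False
    for term in terms[1:]:
        if MODIFIER.match(term):
            if term.lower().startswith("redirect="):
                redirect = True
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term[1:] if term[0] in QUALIFIERS else term
        name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
        if name == "all":
            # Terms after "all" are never reached, and "all" overrides redirect.
            return QUALIFIERS[qualifier], dns_terms
        if name in DNS_MECHANISMS:
            dns_terms += 1
    if redirect:
        # The outcome is decided by the record at the redirect target.
        return "redirect", dns_terms + 1
    # With no "all" and no redirect, an unmatched sender evaluates to neutral.
    return "neutral", dns_terms


if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, analyze_spf(record))
```

The count covers only the record given; records pulled in through include or redirect add their own lookups on top.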
