Educause Security Discussion mailing list archives
Re: SPF
From: Joe St Sauver <JOE () OREGON UOREGON EDU>
Date: Mon, 7 Mar 2005 10:43:10 -0800
Hi Theresa, #Do any of you have SPF implemented? If so, have you had any issues or #complications with it? Has your user community had any comments concerning #it? Some thoughts on SPF: -- It isn't an anti-spam thing, it is an anti-spoofing thing. If you're getting killed by ebay phishing or citibank.com phishing, for example, it may help. On the other hand, other commonly seen phishing targets (such as wamu.com) aren't publishing yet. -- SPF is really two things: checking SPF records for inbound mail, and publishing SPF records covering your own network space. You may want to implement only one or the other; you need not implement both at the same time. -- It is possible to write SPF records of varying degrees of strictness, and because of that, it is possible to publish a record that is so broad and so soft that it does very little to address any real or perceived problem; conversely, you can write a record that is very tightly constrained and strict ("dash" rather than "squiggle" or "question mark" records) -- The corner cases for SPF are well outlined in Meng Weng Wong's SPF whitepaper, available at http://spf.pobox.com/whitepaper.pdf Forwarding is the most commonly mentioned problem; some also may point at DNS load for some particularly painful SPF records (like rr.com's). Bottom line, I'd encourage you to consider either publishing your own records, or checking others, or both. Regards, Joe ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.