Re: do you use SPF TXT RRs? (RFC4408)

[Douglas Otis <dotis () mail-abuse org>]

 On 10/4/10 12:47 PM, Greg Whynott wrote:
> A partner had a security audit done on their site.  The report said they were at risk of a DoS due to the fact they 
> didn't have a SPF record.
>
> I commented to his team that the SPF idea has yet to see anything near mass deployment and of the millions of emails leaving our 
> environment yearly,  I doubt any of them have ever been dropped due to us not having an SPF record in our DNS.  When a client's 
> email doesn't arrive somewhere,  we will hear about it quickly,  and its investigated/reported upon.      I'm not opposed to 
> putting one in our DNS,  and probably will now - for completeness/best practice sake..
>
>
> how many of you are using SPF records?  Do you have an opinion on their use/non use of?
It is ironic to see recommendations requiring use of SPF due to DoS 
concerns.  SPF is a macro language expanded by recipients that may 
combine cached DNS information with MailFrom local-parts to synthesize 
>100 DNS transactions targeting any arbitrary domain unrelated to those 
seen within any email message.  A free >300x DDoS attack while spamming.

SPF permits the use of 10 mechanisms that then require targets to be 
resolved which introduces a 10x multiplier.  The record could end with 
"+all", where in the end, any message would pass.  Since SPF based 
attacks are unlikely to target email providers, it seems few 
recommending SPF consider that resolving these records containing active 
content might also be a problem.

-Doug