On Tue, Dec 8, 2020 at 2:44 AM Rich Kulawiec via mailop <mailop@mailop.org> wrote:
> SPF is just about entirely useless, which should surprise nobody.
> This was obvious on inspection when it was announced.
>
> - It's no help with spam: almost without exception, every message that
> hits my spamtraps passes SPF.
>
> - It's no help with phishing: thanks to ICANN, registrars, and
> the proliferation of TLDs, phishers have their choice of hundreds of
> millions of typographically similar domains. Or they can just use
> freemail providers and rely on the gullibility of recipients.
>
> - It's no help with forgery for the same reason, and for another:
> mass compromises of email accounts are commonplace (see: Yahoo).
>
> It's never worked. It's not working. It's not going to work.

I'll disagree: SPF is extremely useful for antispam, and even for antiphishing. It's not useful as a "did it pass or not" type of obvious flag, sure. It's mostly useful in terms of "pass", less useful in terms of "fail", though not entirely.

The utility comes from identifying a "who". Do spam filters still use IPs as a strong signal? Yes. Why? Because it's an identity that (mostly[1]) can't be spoofed and that past behavior can be tied to. SPF and DKIM both do the same thing: they attach a strong identity signal, and should be used in much the same way... note that DKIM explicitly says that failures should be ignored. SPF's policy signal was always weak, and should be ignored by modern receivers which have a diverse set of mailboxes and want to support their users doing what users do. If you instead want to play BOFH in your domain, of course that's your purview.

Yes, spammers and phishers can create as many new domains and SPF records for them as they want, but those things can't match those they are trying to pretend to be. This makes it easier to separate the good from the bad. I'd even say that it makes it easier to programmatically compare look-alike domains to know what is good and what is bad.
It's also helpful to senders who don't want to be tied to their existing IPs. SPF & DKIM allow them to add IPs or move IPs with fewer issues, since their reputations move with their domains instead of being tied to IPs.

There are cases where the differential between DKIM and SPF can be useful. The DKIM replay spam attacks a couple of years back come to mind, where the fact that most messages aren't forwarded and DKIM/SPF is the same means differentiating made it easier to spot the replays and learn they were bad.

One should also be wary of potentially bad SPF records. Unless you're Apple whitelisting your entire class A, most broad records should be looked at skeptically, unless you want spammers to find them and exploit them.

And yes, SPF & DKIM and the usage of that for antispam/antiphishing does increase the desire of spammers/etc. to compromise accounts. I don't think that's a reason to abandon SPF. Obviously you want to work to secure your users' accounts for a variety of reasons.

Looking at any of these things as the solution to spam is of course incorrect, but they are part of the tools we have, and together those tools can do a pretty decent job. I don't really have "statistics" on the utility of SPF, but nearly every rule we create relies on it at some level. It's a pretty fundamental part of our system. Can you make an equally strong system without it? Maybe.

Brandon

[1] One should also be wary of incorrectly written broad SPF records. Unless you're Apple whitelisting your entire class A, most broad records should be looked at skeptically, unless you want spammers to find them and exploit them. See also DNS hijacking or BGP spoofing as well.
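The reply above makes three points that translate directly into receiver-side logic: key reputation on the authenticated domain rather than on a pass/fail flag, treat a DKIM-pass/SPF-mismatch differential as a replay review signal, and be skeptical of overly broad SPF records. The following Python is an added example written for this thread, not code from Brandon or from mailop; it uses a constructed dictionary in place of real DNS lookups, and the domains, records and authentication results in it are invented sample data.

```python
"""Added example: using SPF/DKIM as identity signals, and flagging broad SPF.

The FAKE_DNS dictionary stands in for DNS TXT lookups (constructed sample
records, not any real domain's SPF). Only ip4:, include: and all are
handled; that is enough to measure how many IPv4 addresses a record
authorizes, which is the 'whole class A' concern raised in the post.
"""
import ipaddress

# Constructed stand-in for DNS; keys and records are assumptions for the demo.
FAKE_DNS = {
    "small.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.relay.example -all",
    "_spf.relay.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "classa.example": "v=spf1 ip4:10.0.0.0/8 -all",      # an entire /8
    "open.example": "v=spf1 +all",                       # authorizes anyone
}

CLASS_A = 2 ** 24  # number of addresses in a /8


def spf_breadth(domain, resolver=FAKE_DNS, depth=0):
    """Return (address_count, permissive_all) for a domain's SPF record.

    address_count: IPv4 addresses authorized via ip4: (recursing through
    include:). permissive_all: True if '+all' (or bare 'all') is reached,
    which makes every sender pass. An include: whose target evaluates to
    pass matches, so a permissive 'all' inside an include propagates.
    The recursion is capped like RFC 7208's 10-lookup limit.
    """
    if depth > 10:
        raise ValueError("too many include: lookups")
    record = resolver.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0, False
    count, permissive = 0, False
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            count += net.num_addresses
        elif term.startswith("include:"):
            sub_count, sub_perm = spf_breadth(term[8:], resolver, depth + 1)
            count += sub_count
            permissive = permissive or sub_perm
        elif term == "all":
            permissive = permissive or qualifier == "+"
    return count, permissive


def spf_risk(domain, resolver=FAKE_DNS):
    """'permissive' if any sender passes, 'broad' if a /8 or more is
    authorized, otherwise 'narrow'. A 'pass' from a permissive or broad
    record carries little identity information and should be discounted."""
    count, permissive = spf_breadth(domain, resolver)
    if permissive:
        return "permissive"
    if count >= CLASS_A:
        return "broad"
    return "narrow"


def reputation_key(auth, client_ip):
    """Choose the identity a reputation system keys on.

    Preference: DKIM-signed domain (survives forwarding), then the SPF
    passing domain, then the connecting IP. An SPF 'fail' is not treated
    as a reject signal; it simply yields no domain-level identity.
    """
    if auth.get("dkim") == "pass":
        return ("dkim", auth["dkim_domain"])
    if auth.get("spf") == "pass":
        return ("spf", auth["spf_domain"])
    return ("ip", client_ip)


def replay_hint(auth):
    """The SPF/DKIM differential from the post: a valid DKIM signature whose
    SPF identity is absent or belongs to another domain. Forwarding looks
    identical, so this is a review signal, not a verdict."""
    return auth.get("dkim") == "pass" and (
        auth.get("spf") != "pass"
        or auth.get("spf_domain") != auth.get("dkim_domain")
    )


# Constructed authentication results for three messages.
SAMPLE_AUTH = [
    {"dkim": "pass", "dkim_domain": "small.example",
     "spf": "pass", "spf_domain": "small.example"},
    {"dkim": "pass", "dkim_domain": "small.example",
     "spf": "pass", "spf_domain": "bulk.example"},
    {"dkim": "none", "spf": "fail", "spf_domain": "small.example"},
]

if __name__ == "__main__":
    for d in FAKE_DNS:
        print(d, spf_breadth(d), spf_risk(d))
    for a in SAMPLE_AUTH:
        print(reputation_key(a, "203.0.113.5"), "replay?", replay_hint(a))
```

Running the module prints the breadth and risk class of each constructed record and, for each sample message, the identity the reputation store would be keyed on plus whether the DKIM/SPF differential suggests a replay. Real deployments would replace `FAKE_DNS` with an SPF library that performs the lookups and handles `a`, `mx`, `ip6`, `redirect=` and macros; the scoring logic stays the same.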
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop