Friday, February 11, 2011

I've been fettling our email system at work - implementing a proper, locked down SPF, and DKIM signatures on all outgoing email.

SPF has been fantastic at cutting down the amount of SPAM coming in from forged domains - yahoo, in particular. So I have been looking round at how other domains implement SPF.

A lot of domain admins seem to misunderstand it. The presence of an SPF-validated sending IP address is no statement of HAM-ness of the email. However, the absence of one in a domain locked down with -all most certainly is.

Enter a big UK bank - let's call them Hickleys. They have SPF set up on email.hickleys.co.uk, and it's -all too, meaning that it's definitive: if the IP address isn't in that definition, then it's a fake. Fantastic.

The only problem is that hickleys.co.uk doesn't have any SPF entry at all. So I can go forge email from fraud@hickleys.co.uk and send it to the world with no SPF cover whatsoever. Which member of Joe Public is going to realise that all email from Hickleys has to come from email.hickleys.co.uk, not hickleys.co.uk? And blocking email from the TLD, and allowing it through from the email subdomain, is interesting to say the least.

Then, of course, there are all the little players out there running with a +all SPF setting. There is a delightful little Canadian firm of Lawyers whose email domain is spammed a lot (by third parties, obviously) at work, because they have said "anyone, anywhere in the world can send email from us" in their SPF definition...

(That's SPFending with +all)
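To make the three cases above concrete (a subdomain locked down with -all, a bare domain with no record at all, and a domain published with +all), here is a small SPF evaluator written for this post; it is not the bank's, the law firm's or any real resolver's code, and the zone data, domain names and IP addresses in it are constructed stand-ins.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; every name and address here is made up.
FAKE_TXT = {
    "email.hickleys.co.uk": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 -all",
    # hickleys.co.uk itself publishes no SPF record at all.
    "lawfirm.example.ca": "v=spf1 +all",
}

def lookup_spf(domain, zone=FAKE_TXT):
    """Return the SPF TXT record for domain, or None when the domain publishes none."""
    return zone.get(domain.lower())

def check_spf(ip, domain, zone=FAKE_TXT, depth=0):
    """Evaluate a sending IP against a domain's SPF policy.
    Returns 'none', 'pass', 'fail', 'softfail', 'neutral' or 'permerror'.
    Handles ip4/ip6 (with or without CIDR), include and all; a/mx are skipped."""
    if depth > 10:                      # runaway include chains are a permanent error
        return "permerror"
    record = lookup_spf(domain, zone)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no policy: nothing to check against
    addr = ipaddress.ip_address(ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"                 # an unqualified mechanism means '+'
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":               # 'all' always matches; its qualifier is the verdict
            return results[qualifier]
        if name in ("ip4", "ip6"):
            # Mismatched address families never match, so an IPv6 sender fails ip4 terms.
            if addr in ipaddress.ip_network(value, strict=False):
                return results[qualifier]
        elif name == "include":
            # An include only matches when the referenced policy returns 'pass'.
            if check_spf(ip, value, zone, depth + 1) == "pass":
                return results[qualifier]
    return "neutral"                    # nothing matched and no 'all' term was given
```

With these records a forged message from fraud@hickleys.co.uk gets "none" (no policy to fail), while the same forgery from the email subdomain gets a definitive "fail".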