Sender Policy Framework

Ruminations about spam, spammers, and Mail System Heroes wannabes.

Follow directions at the top of the Community page for editing instructions. Thank you for your contributions to this page!

How ToonTown was

The SMTP protocol has always been one of the main features in our beloved, bright, cheerful and slightly nonsensical global village, where the normal laws of physics don't necessarily apply. BBSes Sysops became Internet providers as inter-network connections grew. Authentication schemes have always been boring, thus nobody cared much. There was no spam, though. Of course, there were flame wars, mail bombs, and similar toys.

Commercially, the Internet was no big deal. In 1996, Microsoft™, to make a relevant example, presented a 32 bit Messaging API (MAPI) and an Exchange client without bothering about SMTP compatibility. When, unexpectedly, the Internet had success, they steered their mailing model so sharply that it stroke sparks on the asphalt.

As more and more people jumps on, plans for building huge freeways also arise...

Spammers and anti-spammers

Spam emerged around the turn of the century, and has been following the Internet trend thereafter. Spammers evolved from amateur hooligans into professional criminals earning a relevant amount of money from their activity. Governments and institutions have been unable to provide much support. Different Countries and political parties have different opinions about where exactly lies the boundary between legitimate and illegal behaviors. However, even if most spammers act illegally under any point of view, in no State the police is actively seeking them. The article Trench Warfare in the Age of The Laser-Guided Missile briefly summarizes that evolution during the last decade.

Currently, it is up to each postmaster to implement anti-spam solutions. The most effective ones are black lists and content filtering. There are commercial products for both techniques: spam pays twice. However, neither solution is complete, and the search for a silver bullet is open. SPF is a candidate.

SPF and the IETF/MARID case

SPF blocks a very little amount of spam. Even if most spam has bogus sender addresses, the number of sites sporting an efficient SPF record is minuscule. One reason for not being massively adopted is that it is still an experimental protocol. If SPF were an official standard, damages resulting from spam could be claimed from companies failing to provide a suitable SPF record. Such an hypothesis would prompt for setting those records up.

How does it come SPF is not a standard after more than three years on the field? Microsoft™ had a deal and they filed alternative RFCs. Really, SPF didn't share more with CallerID than with, say, S/MIME. The syntax and the interactions with the SMTP protocol are different. Also, the spirit and the commercial support are different.

Yahoo! DomainKey Identified Mail

Yahoo! has been among the first players in ToonTown. Its name conveys what was the mood like when they pioneered the field. After its search engine proved to be vulnerable to spamming and Google took over, the mood perhaps changed among its operators.

The fact that signatures must live in the message's body differentiates DomainKeys and SPF. Another difference is that DKIM is covered by many patents. It can also be licensed under GPLv2, but we know GPLv2 has a bug around patent licenses. Patents don't come for free, therefore one can easily guess how will Yahoo! behave if, by chance, DKIM will be a hit. Perhaps, Yahoo! plans to earn more than Unisys did with GIFs?

DNS Black Lists

DNSBLs use the DNS protocol deprived of any hierarchical authority delegation. This is still a somewhat democratic process, as lists operators are empowered by subscribing ISPs who, in turn, gain their relevance from the number of their active mailboxes. However, large freeways may want to do both jobs. See the article Hotmail Running Its Own SMTP Variation.

Dial-Up Lists are an interesting variation. That name is wrong, since the advent of ADSL. Dynamic is not better, as many involved addresses are static. End-user of an IP address might sound better, except that most acknowledged ISPs are actually end users of their IP blocks...

Greylisting, Nolisting, Unlisting

Greylisting is great, nolisting is not, unlisting is unreliable. All of them are hacks: if any of those will ever become relevant enough, spammers will upgrade their protocol compliance in order to defeat it. Contrast that with SPF, that will only become effective when a relevant number of organizations will have adopted it.

Complaining

I still spend some time, on occasions, seeking the mail service provider responsible for some innocent looking spam, and complain with them that I've received an unsolicited commercial email that I never asked for, that they spammed, say, an info address not published on any regular directory. Sometimes, when I'm lucky, I eventually get a positive answer: The last one just said

Hello,

 

The mailbox you specified has been closed.

 

Best regards,

Lycos-Europe Abuse control team

I often print that out and hang the sheet on the wall, until it eventually falls down, reaching for oblivion. So much work by various people for just one mailbox... Yeah, others have fully automated processes featuring one click spam reporting. I'm not sure it is always clear what happens after that click, perhaps an IP address is grabbed from a Received header and thrown into a black list, or the content is parsed by some Markovian filtering engine in order to feed some statistical data. Rather than wander if that feature satisfies some innate sense of justice, I recognize it timely fulfills the transient anger that spam generates. Something along the line of We don't have to beat spammers, we can cope.

Conclusions

The reason why Governments and institutions don't seriously fight spam is that the Internet has not yet been fully understood. Email, with its millions of not-yet-paying messages, is a prominent promise for business and it is not yet clear who will earn big money from it. Commercial spammers and anti-spammers will only survive until their prey-predator equilibrium remains steady. Therefore, if we want to get rid of spammers, we must come out with a free anti-spam solution.