
If SPF is too complex try CSV/CSA

Posted Apr 10, 2008 18:03 UTC (Thu) by copsewood (subscriber, #199)
In reply to: Backscatter increase clogs inboxes by dlang
Parent article: Backscatter increase clogs inboxes

I think there are 2 reasons SPF hasn't delivered much help in practice.

  1. Not much use other than to help with whitelisting known good domains. It pushes the problem back from knowing what the good and bad IP addresses are to knowing what the good and bad domains are, but only helps here for known good domains with SPF records consistent with email envelopes.
  2. It tries to go too far and ends up too complex and difficult to maintain. (I've implemented SPF and believe me, it's a mess). If there is any regular change in where your domain email users want to send their mail from, maintaining a useful SPF DNS record becomes unlikely.

Knowing which domain is responsible for a sending MTA is likely to be easier than knowing which addresses an envelope From: (not the header From) can reasonably be sent from. The Microsoft take on SPF, SenderID, is even worse because it tries to validate the header From and related headers.

If it is easier to know good from bad domains than good from bad addresses, CSV-CSA provides a much simpler check of the domain responsible for the sending MTA and doesn't care about any envelope or body headers beyond the HELO/EHLO greeting. Presumably if the MTA is run from a well managed and reputable domain, the rest of the message is more likely to be authentic. For those particularly interested in message authenticity (useful if you want to know a message claiming to be from your bank is actually from your bank) then DomainKeys can be used to give stronger assurances. However, DomainKeys isn't reliable for mail going through mailing lists or other gateways that mangle the body or headers of the message.


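The comment above describes the CSV/CSA check in one sentence: look only at the HELO/EHLO name, ask that name's domain whether the connecting host is an authorised SMTP client, and ignore the envelope and headers. The following is an added example of what that check looks like on the receiving side; it is not code from the commenter or from any CSA implementation. It uses a constructed in-memory DNS table instead of live lookups, and the record layout (`_client._smtp.<helo-name> IN SRV <priority> <weight> <port> <target>`, with priority 1 marking a CSA record, weight 1 meaning "not authorised", weight 2 or 3 meaning "authorised", and the target's A records listing the authorised client addresses) is my reading of the CSA draft and should be treated as an assumption to verify against the specification before relying on it.

```python
"""
Added example: a CSV/CSA-style check of an SMTP client's HELO/EHLO name.
Not the original poster's code. DNS data below is constructed for the example;
the SRV record semantics are my reading of the CSA draft (assumption).
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # 1 marks a CSA record (assumption from the draft)
    weight: int    # 1 = not authorised, 2 or 3 = authorised (assumption)
    port: int      # unused by CSA; conventionally 1
    target: str    # host whose A records list the authorised client addresses


# Constructed DNS table standing in for real lookups (example.org is reserved).
DNS = {
    "SRV": {
        "_client._smtp.mx1.example.org": [SrvRecord(1, 2, 1, "mx1.example.org")],
        "_client._smtp.bad.example.org": [SrvRecord(1, 1, 1, "bad.example.org")],
    },
    "A": {
        "mx1.example.org": ["192.0.2.10", "192.0.2.11"],
        "bad.example.org": ["198.51.100.5"],
    },
}

# A HELO argument must be a fully qualified hostname for CSA to have anything
# to look up; address literals such as [192.0.2.10] yield no domain to consult.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$", re.I)


def lookup(rtype, name):
    """Stub resolver: return the constructed records for (type, name)."""
    return DNS.get(rtype, {}).get(name.lower().rstrip("."), [])


def csa_check(helo, client_ip):
    """Return (result, reason) where result is 'pass', 'fail' or 'unknown'.

    The check is deliberately narrow, as the comment describes: it says nothing
    about the envelope sender or the message body, only whether the domain named
    in HELO vouches for the connecting address as one of its SMTP clients.
    """
    if not HOSTNAME_RE.match(helo):
        return "unknown", "HELO is not a hostname, nothing to look up"
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in lookup("SRV", f"_client._smtp.{helo}") if r.priority == 1]
    if not records:
        # No assertion from the domain: neither pass nor fail. A receiver would
        # fall back to other evidence (reputation, greylisting) at this point.
        return "unknown", "no CSA record for HELO name"
    for rec in records:
        if rec.weight == 1:
            return "fail", "domain states this name is not an SMTP client"
        if rec.weight in (2, 3):
            authorised = {ipaddress.ip_address(a) for a in lookup("A", rec.target)}
            if ip in authorised:
                return "pass", f"{client_ip} is listed for {rec.target}"
            return "fail", f"{client_ip} not among authorised addresses for {helo}"
    return "unknown", "CSA record with unrecognised weight"


if __name__ == "__main__":
    for helo, ip in [("mx1.example.org", "192.0.2.10"),
                     ("mx1.example.org", "203.0.113.9"),
                     ("bad.example.org", "198.51.100.5"),
                     ("nothing.example.net", "192.0.2.10"),
                     ("[192.0.2.10]", "192.0.2.10")]:
        print(helo, ip, "->", csa_check(helo, ip))
```

The contrast with SPF is visible in what the function does not do: there is no envelope From: to parse, no include/redirect chain to follow, and the domain operator publishes one record per client host rather than trying to enumerate every address its users might ever send from. The "unknown" outcome is the important edge case for a receiver: the absence of a record is not evidence of forgery, so it should feed a reputation or policy decision rather than a reject.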

If SPF is too complex try CSV/CSA

Posted Apr 12, 2008 19:46 UTC (Sat) by kevinbsmith (subscriber, #4778) [Link]

For those of you who don't naturally think in RFC-speak, here is a gentler introduction to CSA:
  http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/doc/antiforg...

It's still not quite as "plain English" as I would prefer, but it's not bad. I would be interested to hear other opinions about a) how much good for individuals who adopt it tomorrow, b) the likelihood of it being widely adopted, and c) how much good it could do if widely adopted.

I'm still sad about SPF. The worst part was when I set up both email hosting and outgoing smtp services at pobox.com (who themselves were among the SPF originators), and was still unable to find or get a simple recipe for configuring SPF.

If SPF is too complex try CSV/CSA

Posted Apr 17, 2008 11:07 UTC (Thu) by copsewood (subscriber, #199) [Link]

Good article, thanks. I think that SPF is probably redundant, because if you want to know the sending MTA is responsibly managed, CSV/CSA together with a domain reputation system is probably better. If you want to know the message is authentic, DomainKeys offers a better solution. I don't think there is much overlap in function between DomainKeys and CSV/CSA, but SPF tries to overlap both and does neither job well.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.