If SPF is too complex try CSV/CSA
Posted Apr 10, 2008 18:03 UTC (Thu) by copsewood
In reply to: Backscatter increase clogs inboxes
Parent article: Backscatter increase clogs inboxes
I think there are 2 reasons SPF hasn't delivered much help in practice.
- Not much use other than to help with whitelisting known good domains. It pushes the problem back from knowing what the good and bad IP addresses are to knowing what the good and bad domains are, but only helps here for known good domains with SPF records consistent with email envelopes.
- It tries to go too far and ends up too complex and difficult to maintain. (I've implemented SPF and believe me, it's a mess). If there is any regular change in where your domain email users want to send their mail from, maintaining a useful SPF DNS record becomes unlikely.
Knowing which domain is responsible for a sending MTA is likely to be easier than knowing which addresses an envelope From: (not the header From) can reasonably be sent from. The Microsoft take on SPF, SenderID, is even worse because it tries to validate the header From and related headers.
If it is easier to know good from bad domains than good from bad addresses, CSV-CSA provides a much simpler check of the domain responsible for the sending MTA and doesn't care about any envelope or body headers beyond the HELO/EHLO greeting. Presumably if the MTA is run from a well-managed and reputable domain, the rest of the message is more likely to be authentic. For those particularly interested in message authenticity (useful if you want to know a message claiming to be from your bank is actually from your bank) then DomainKeys can be used to give stronger assurances. However, DomainKeys isn't reliable for mail going through mailing lists or other gateways that mangle the body or headers of the message.