I agree that SPF is a bad idea, or at least one that demonstrates
insufficient understanding of the way SMTP is used in the real world.
However, I can tell you from firsthand experience that joe jobs are a
real problem, and I can certainly understand why the victims of them
would be tempted to use anything that claims to be a solution. Not only
are joe jobs a problem due to blowback bounces, but also because they
harm the reputation of the victim domain, leading the domain to land on
private blacklists with no recourse for getting off.

Of course, anyone tempted to publish an SPF record as a solution to joe
jobs needs to realize that it's only a solution to the extent that people
check the SPF records, and considering the type of blowback I've been
seeing, many places are still doing little or no spam filtering in the
first place, let alone checking something as questionable as SPF.

It's also worth noting that forged mail is not limited to phishing
attempts; I consider phishing to be a separate problem.