Security – How to choose email SPF qualifier

Tags: email, security, spf

I'm helping manage a domain that seems to have been given a bad reputation spam-wise, as we get a lot of emails bounced. I am told that it's suspected the domain has been used by spammers to send emails. I don't fully understand email security yet but am hoping that choosing the right SPF strategy will help. The options given by our web host service are:

  • Fail
  • Softfail
  • Pass
  • Neutral

What do these options actually do to affect the way emails are sent (and received)? And is there any configuration necessary on email clients or elsewhere?

Best Answer

What do these options actually do to affect the way emails are sent (and received)?

  • Pass - the mail could be accepted for further processing.
  • Neutral - result interpreted like NONE (no policy).
  • Fail - the mail should be rejected.
  • Softfail - a debugging aid between NEUTRAL and FAIL. Typically, messages that return a SOFTFAIL are accepted but tagged.

SPF FAIL policies can be an effective but problematic tool. A typical example is a user that wishes to send an email from a private PC or a mobile phone: the user uses their corporate email address but may use a different outgoing SMTP server which is not listed in the SPF record. The corporate domain may therefore be secure by blocking all email that does not originate from themselves, but have thereby limited some of their own users. Many organizations consider this compromise acceptable and even desirable.

SPF PASS is useful for authenticating the domain for use as a parameter to a spam classification engine. That is, the domain in the sender address can be considered to be authentic if the originating IP yields an SPF PASS. The domain can then be referenced against a reputation database.

SPF results other than PASS (used in combination with a reputation system) and FAIL cannot be meaningfully mapped to PASS and FAIL. However, a reputation system can easily track independent reputations for each SPF result, i.e. example.com:PASS and example.com:NEUTRAL would have different reputations, and ditto for the other results. This approach is useful even without whitelisting plain forwarders, since the FAIL results from the plain forwarders simply accrue an independent reputation.

The meaning of PASS, SOFTFAIL, FAIL is sometimes incorrectly interpreted to mean "not-spam", "maybe-spam", "spam" respectively. However SPF does nothing of the sort. SPF merely offers an organization firstly the means to classify emails based on their domain name instead of their IP address (SPF PASS); and secondly, the means to block unauthorized use of their domain (SPF FAIL).

Also, I would recommend reading the mini FAQ; it's just recommendations/suggestions on how to avoid falling into the blacklists.
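As an added illustration (not part of the question or the answer above), the following Python evaluates a simplified SPF record the way a receiver does and shows how the qualifier on the trailing "all" term (-all, ~all, ?all, +all) decides whether a message from an unlisted server gets Fail, Softfail, Neutral or Pass. It only models ip4/ip6 mechanisms and the "all" term, since the a, mx and include mechanisms need live DNS; the IP addresses, the authorised network and the receiver-action mapping are constructed for the example (the mapping follows the four result descriptions given in the answer). A real deployment would use a full SPF library and the actual DNS TXT record.

```python
import ipaddress

# RFC 7208 qualifiers and the SPF result each one produces when its term matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_record(record):
    """Split an SPF TXT record into (result, mechanism, argument) triples.

    Only ip4, ip6 and all are evaluated later; anything else is kept so the
    caller can see it was present but is treated as 'no match' (no DNS here).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"                    # no explicit qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        mechanisms.append((QUALIFIERS[qualifier], name.lower(), arg or None))
    return mechanisms

def check_host(record, client_ip):
    """Return the SPF result for a connecting IP under the given record."""
    ip = ipaddress.ip_address(client_ip)
    for result, name, arg in parse_record(record):
        if name == "all":                  # "all" always matches
            return result
        if name in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
        # a / mx / include / exists would need DNS lookups; treated as no match.
    # RFC 7208 section 4.7: nothing matched and no "all" term -> neutral
    return "neutral"

# What a typical receiver does with each result, per the answer's descriptions
# (constructed mapping; real MTAs make this configurable).
RECEIVER_ACTION = {
    "pass": "accept for further processing",
    "neutral": "treat as no policy",
    "softfail": "accept but tag",
    "fail": "reject",
}

def compare_policies(authorised_net, client_ip):
    """Show the outcome for one client IP under each choice of 'all' qualifier."""
    outcomes = {}
    for qualifier in "-~?+":
        record = f"v=spf1 ip4:{authorised_net} {qualifier}all"
        result = check_host(record, client_ip)
        outcomes[qualifier + "all"] = (result, RECEIVER_ACTION[result])
    return outcomes

if __name__ == "__main__":
    # Constructed sample: the corporate MTA lives in 192.0.2.0/24; a roaming
    # user sends through an ISP relay at 203.0.113.10 that is not listed.
    for allowed_ip in ("192.0.2.25", "203.0.113.10"):
        print(f"client {allowed_ip}:")
        for policy, (result, action) in compare_policies("192.0.2.0/24", allowed_ip).items():
            print(f"  {policy:<5} -> {result:<9} ({action})")
```

Running it shows the trade-off the answer describes: the listed server passes under every policy, while the roaming user's unlisted relay is rejected under -all, accepted but tagged under ~all, and treated as no policy under ?all. +all passes everyone and therefore provides no protection against spoofing of the domain.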
