Sender Policy Framework (SPF): What's that? How it helps against Spam?
| Article Category: Web Technology |
created: 02.05.2008 |
updated: 02.05.2008 |
Sender Policy Framework (SPF): What is it and How it Helps Against E-mail Spam?
Have you ever received an e-mail you supposedly sent to yourself? Judging by the subject line, the e-mail you apparently sent is, without a doubt, spam. What was your initial reaction? Do alarm bells ringing in your head sound familiar? The last thing you (or anybody for that matter) would want is to have your own e-mail automatically disregarded as spam or junk e-mail. Since spam has become such a plague, you can easily identify an e-mail as spam, so the tendency is to block the sender. But how can you do that if the sender is someone you know and regularly communicate with, or worse…yourself? Besides, blocking the e-mail address doesn't seem to help much, since these spam messages keep coming back from different e-mail addresses. Something had to be done, and somebody (or a group of them) did it.
Ages ago, people were ecstatic when technology brought us e-mail, and now one can barely remember how he or she managed life without it. The thing about breakthroughs like this is that, more often than not, there's a catch. For e-mail, the catch is spam. And that was not the end of it: once professionals found ways to filter out these unwanted messages, e-mail forgery eventually emerged. By forging e-mail, that is, by spoofing or stealing e-mail addresses, spammers are able to get around those initial solutions and through spam filters. In this sense, spam still prevails and people are still crying 'foul', so a group of concerned volunteers got together in 2003 and developed Sender Policy Framework (SPF) to help address the problem.
So, what exactly is SPF? Sender Policy Framework (SPF) is a protocol developed primarily to address forged e-mail. It is an open standard, meaning it is royalty-free although still subject to specific restrictions, and it defines a process that prevents e-mail forgery. It keeps forged e-mail from reaching the servers of domain owners by verifying whether the e-mail came from a legitimate source.
How does it work? Just as senders of traditional paper letters are identified through the envelope and the letterhead, e-mail identifies the sender through the equivalent of an envelope sender address, often referred to as the return-path. Generally, mail programs do not display it to users, but it is used as a reference when delivery fails. The counterpart of the letterhead in e-mail is the portion where you see "From:" or "Sender:", depending on the e-mail application being used. This is the information that is displayed for the user to see. However, there are mail servers that barely check this information, as its contents can be misleading. The focus is instead on the return-path, as it is how the original sender can really be determined.
SPF requires domain owners to publish their mail sending policy for it to work, according to openspf.org. This policy identifies, among other information, the mail servers used to send mail from the domain. To explain the process, let us assume that you are a domain owner. Once you publish the mail sending policy of your domain in its DNS zone, a server receiving an e-mail that claims to have come from your domain will check whether that e-mail complies with your published policy. If it checks out, it will be verified as legitimate e-mail. Otherwise, it will be considered fake or forged e-mail. With SPF in place on your own mail servers, they will perform a similar check, so you can be confident that the e-mail you receive indeed came from where it claims to have come from.
If you are technologically savvy and wish to battle e-mail forgery, you can install applications that support SPF and check out the Hosted Software, Implementation and Specifications pages on using SPF, along with the SPF Record Syntax, at openspf.org, which will guide you through the whole process. The site likewise has Forums and Tools that techies will no doubt find quite useful.
The technologically challenged, however, might easily get lost in all the technical jargon, while some may have neither the time nor the inclination to learn all that and would rather leave it for the professionals to handle. This is because SPF technology has not yet reached the user-friendly status that most software and internet tools for common mortals have. But the bottom line is that something is being done to help keep forged e-mail out of your inbox and to keep spammers from stealing your e-mail address to use for their nasty business and hurting your integrity in the process.
SPF does not claim to stop the proliferation of spam altogether but it is something that domain owners can use to help alleviate the problem. This is grounded on the concept that although not all spam may be forged, nearly all forged e-mail falls under the category of spam.
As the SPF process requires the participation of both the sending and the receiving mail servers, its success depends heavily on having as many supporters as possible to win this battle against e-mail forgery. Fortunately, more and more domain owners, ISPs and application developers have come to support SPF over the years. This could be due to the open standard nature of SPF, which means it is not hampered by many limitations. Moreover, the SPF Council is working on enhancing the current version of SPF. Check out www.openspf.org, especially the FAQ section, for more details on SPF.
