Sender Policy Framework is an authentication system for email. What this “framework” does is “validate” the sending server’s domain name (as recorded at EHLO) and the return address of that particular email (like me@domain.com). If both are the same (or the SPF record has the domain recorded as the sender), then the mail is accepted. It is meant to stop people from spoofing the return email address. The idea seems sound to me, because unless spammers have control over the mail server’s published DNS records, they can’t spoof it.

But is it really effective? In theory it is good, but is it practical? Looking at the number of domains some web hosts have under their belt, it would be almost impossible to keep track of them and to publish these records to their name servers. Thus, I am sure that a lot of web hosts and ISPs do not have SPF records and will not be publishing them anytime soon. So unless there is a lot of support for SPF, mail administrators can’t use SPF to authenticate mail, because if they do, a lot of legitimate mail will be rejected or tagged as spam.

Microsoft’s Sender ID (actually taken from SPF) is a slight upgrade from Sender Policy Framework. However, it has lost so many supporters that it is no longer relevant, and I believe it will soon fade into whatever hole Microsoft lives in, even worse than SPF itself.

Did someone say PTR records? Reverse DNS lookup? Yes, this will help, and it is a good way to ensure that the mail server is what it claims to be. But again, is it practical? Doing reverse DNS is time-consuming, and for organizations and ISPs with tons of email, doing reverse DNS will probably make everything become like what you see in the Matrix movies: “bullet” time. Yes, caching the requests will improve the speed for some, but for most (and less popular) domain names, it is useless. However, it is my opinion that using reverse DNS lookup is the best way. Making sure that the SMTP server is what it claims to be, and then using this information to confirm whether a server is sending spam, provides solid protection against spammers and spam relays.
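As an added illustration (not code from the original post), here is a forward-confirmed variant of the reverse DNS check described above. It goes one step beyond a plain PTR lookup: a PTR name is trusted only if it resolves back to the connecting IP, and the result is cached per IP. The DNS data, the two resolver callables and the result labels are all constructed for this example.

```python
import ipaddress
from functools import lru_cache

# Constructed DNS data for the demo (documentation ranges, example names).
PTR = {"192.0.2.10": ["mail.example.com."],
       "192.0.2.66": ["mail.example.com."],   # PTR claims a name it does not own
       "203.0.113.5": ["host5.isp.example."]}
FWD = {"mail.example.com": ["192.0.2.10"],
       "host5.isp.example": ["203.0.113.5"]}

def norm(name):
    """Lower-case and drop the trailing dot so names compare reliably."""
    return name.rstrip(".").lower()

def make_checker(ptr_lookup, fwd_lookup, cache_size=4096):
    """Build a checker around two resolver callables (hypothetical interface):
    ptr_lookup(ip) -> list of names, fwd_lookup(name) -> list of addresses."""

    @lru_cache(maxsize=cache_size)           # one cached answer per client IP
    def confirmed_names(ip):
        names = [norm(n) for n in ptr_lookup(ip)]
        if not names:
            return None                      # no PTR record at all
        addr = ipaddress.ip_address(ip)
        # Keep only PTR names whose forward lookup maps back to the same IP.
        return frozenset(n for n in names
                         if any(ipaddress.ip_address(a) == addr
                                for a in fwd_lookup(n)))

    def check(client_ip, ehlo_name):
        names = confirmed_names(client_ip)
        if names is None:
            return "no-ptr"
        if not names:
            return "unconfirmed"             # PTR exists, forward lookup disagrees
        return "pass" if norm(ehlo_name) in names else "ehlo-mismatch"

    check.cache_info = confirmed_names.cache_info
    return check

# Assumption: in production the lambdas would be replaced by real DNS queries.
check_sender = make_checker(lambda ip: PTR.get(ip, []),
                            lambda name: FWD.get(name, []))

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.66", "203.0.113.5", "198.51.100.7"):
        print(ip, check_sender(ip, "mail.example.com"))
```

The per-IP cache only helps with repeat senders, which is the limitation the paragraph above points out for less popular domains.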

From what I can see, a lot of servers still do not implement a reverse DNS check for any SMTP request. Sad, but it looks like spam will continue to work its way to you and me.
