The trouble with SPF

Unlike SAV (also known as challenge-response systems), SPF is generally a decent idea. Basically, you publish a DNS record for your domain that lists what IPs are allowed to send mail from your domain. This means that you can say that mail sent from the host ‘’ is valid, but if a spammer sends mail from a random hijacked box in Tijuana, it will be rejected via SPF. It doesn’t target spam directly, but rather, it targets spam that spoofs the domain. (Which is probably a very good percentage of spam.)

But I’ve recently noticed a problem I hadn’t considered before: forwarders. I can easily set up e-mail addresses on my domain that will simply point elsewhere. So mail sent to (which is actually a spamtrap; don’t e-mail it) might just be automatically redirected to another e-mail address, say The headers are rewritten so that the whole thing is transparent.

The problem is that, with SPF, the mailserver that redirects the mail is effectively “forging” the headers, which means that SPF will block it. If sends an e-mail to, and it gets redirected to, it will fail if Hotmail has an SPF record. This is because gets mail saying it’s from, but the headers indicate that it was actually sent from

There’s a few workarounds, but most are sustainable:

  • The person running the original domain could add an SPF record for the mailserver doing the forwarding. This is all well and good if you’re sending mail from and wanted me to whitelist the Comcast mailserver or something, but consider the example I used, in which case you’d have to call up Hotmail and ask them to add’s IP to their SPF record. They’d laugh at you.
  • The recipient mailserver could override it. You could tell your mailserver that, if the header says, you shouldn’t check the SPF record. Again, good luck with this, unless you run the mailserver. Also, this is getting into “I could probably hack the Postfix source code to do that…” material.
  • The recipient mailserver could be configured so that SPF will check to see if any of the mailservers along the way are listed in the SPF record, and, if so, accept the mail. This sounds like a good idea to me, to be honest, but it’s deviating a bit from what SPF was meant to do.
  • The originating mailserver could stop using SPF, and this problem would go away. But then someone would send out a hundred million spam e-mails claiming to be from that domain, and they’d all go through.

Clearly, this is the type of thing that everyone is thinking about on a Friday night.

Leave a Reply

Your email address will not be published. Required fields are marked *