January 22, 2004

Sender Permitted From (SPF) in the News

AOL has started testing Sender Permitted From (SPF).

SPF is an attempt to restore some sanity to the Internet mail system. Under SPF, a mail domain provides a DNS record that lists all the IP addresses that are permitted to send mail as that domain. So, you couldn't send a message claiming to be from aol.com if you were not really aol.com. To most people, this sounds like it's the way things ought to be. But some technically knowledgeable people think otherwise.

SPF is so modest in what it tries to do, I really don't understand the objections.

I get the impression that people are starting to get serious about fighting spam through technical means. I predict that some kind of sender authentication will be adopted by the biggest email service providers in 2004. Yahoo likes DomainKeys. AOL apparently likes SPF. If I were a betting man, I would put my money on SPF, or whatever it eventually morphs into.

There are some really nice things about SPF. Foremost, it's such an incremental step that it's easy to see how it would come to be widely deployed. There's no disruption. Besides that, it makes the sending domain more important, which places a cost on spammers. That cost would provide the economic disincentive against spam. Here's how it works: Instead of blacklisting IP addresses, which are plentiful, we blacklist domain names, which are less plentiful. We reject mail from domains that were registered within the last three months, which would prevent the current practice of spammers registering a new domain name every time they begin a new campaign. Or, it means that spammers would have to keep several months' inventory of domain names that are not blacklisted. In any case, a domain name that's eligible to send mail from becomes a scarce resource, which could put the squeeze on spammers.
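The check described above, as an added example that is not part of the original post: a receiving server first confirms the connecting IP is listed in the sending domain's SPF record, and only then applies the domain blacklist and the three-month age rule. The domains, records, registration dates and function names are constructed for illustration, the tables stand in for DNS TXT and WHOIS lookups, and only `ip4`/`ip6` mechanisms are evaluated.

```python
import ipaddress
from datetime import date, timedelta

# Constructed sample data standing in for DNS TXT, WHOIS and a local blacklist.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "fresh.example": "v=spf1 ip4:203.0.113.7 -all",
    "listed.example": "v=spf1 ip4:203.0.113.9 -all",
}
REGISTERED = {
    "example.com": date(1999, 5, 1),
    "fresh.example": date(2004, 1, 2),
    "listed.example": date(2001, 3, 9),
}
DOMAIN_BLACKLIST = {"listed.example"}
MIN_AGE = timedelta(days=90)  # "registered within the last three months"


def spf_permits(record, client_ip):
    """True if client_ip matches an ip4/ip6 mechanism in the SPF record.

    Simplification: a, mx, include and redirect are not resolved, and any
    address not explicitly listed is treated as not permitted.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        name, _, value = term.lstrip("+").partition(":")
        if name.lower() in ("ip4", "ip6") and value:
            if ip in ipaddress.ip_network(value, strict=False):
                return True
    return False


def verdict(domain, client_ip, today):
    """Authenticate the domain first; reputation rules only mean something after that."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "no-spf-record"        # nothing published, so SPF cannot decide
    if not spf_permits(record, client_ip):
        return "reject-forged"        # IP is not listed for the claimed domain
    if domain in DOMAIN_BLACKLIST:
        return "reject-blacklisted"   # authenticated, but the domain is listed
    if today - REGISTERED[domain] < MIN_AGE:
        return "reject-too-new"       # authenticated, but registered too recently
    return "accept"
```

The ordering is the point: a domain blacklist or age rule is only worth enforcing once the claimed domain has been tied to the connecting IP, otherwise a forger can borrow any old, unlisted domain.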

I have to wonder about AOL, though. They blacklist every IP address that's assigned to a residential user. And, for their subscribers, they redirect outbound TCP port 25 to their own mail servers. With SPF, they wouldn't need either of these measures. Would they change their policy?

And one final thought about SPF that I have not heard mentioned by anyone else. Domain names are recycled. Before you register a new domain name, how can you know the history of that domain name? More specifically, how can you know whether or not that domain name is on any blacklists? There are just too many blacklists with too many policies, so the chances are, if that domain name was ever used by a spammer, you wouldn't be able to send mail reliably from it.

Posted by Doug Sauder at January 22, 2004 08:01 PM