What if everyone used SPF?

To end my SPF series, I’m going to consider the following question: what if everyone used SPF? Would it “end” spam?

The answer is, of course, “no, but…”. But, first, let’s understand the question itself.

In “everyone used”, what does “used” mean? If you followed my previous posts on this subject, you’ll know that there are two distinct parts: publishing an SPF record for your domain, and configuring your SMTP server to reject email that purports to come from a domain with a valid SPF record when it doesn’t arrive from one of that domain’s authorized servers.

Let’s assume that the question implies both.

So, if every legit organization had an SPF record and enforced SPF in their incoming email servers, what would it mean?

It still depends on what was meant by “enforced”. For instance, as things stand now, it makes sense to publish an SPF record (and to reject mail coming from an unauthorized server, as I mentioned before), but not to require an SPF record, since most of the world still isn’t using it.

If that changed, though… it would certainly make things a lot easier for the “good guys”. Think about it: what does SPF prevent? The faking of sender addresses. Who ever does that? Spammers. Therefore, who ever has a reason not to publish an SPF record? Spammers. In a world where every legitimate organization used SPF, having such a record wouldn’t mean that the sender wasn’t a spammer, but not having one would certainly mean that he was. Ergo, reject any mail from a domain without an SPF record, even before verifying whether the origin server is authorized for that domain.
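To make the two policies concrete, here is an added example (my own illustration, not code from the post) of a minimal SPF evaluator over a constructed, in-memory set of records. It implements only the ip4/ip6, include and all mechanisms, and the `smtp_decision` function shows today’s policy (reject only on a hard fail) beside the “everyone uses SPF” policy of also rejecting domains with no record at all.

```python
import ipaddress

# Constructed sample records for illustration only (not real domains or DNS data).
# Maps a domain to its SPF TXT record; "nospf.example" deliberately has none.
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 -all",
    "isp.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for one sending IP."""
    record = SPF_RECORDS.get(domain)
    if record is None or depth > 10:        # no record, or include: chain too deep
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # a mechanism with no prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            # An IPv4 address is never "in" an IPv6 network, so mixed families just fail to match.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include: matches only if the referenced domain's policy yields "pass"
            matched = check_spf(term[8:], sender_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue                         # a, mx, exists, ptr are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # record present but nothing matched


def smtp_decision(domain, sender_ip, require_record=False):
    """Receiving-side policy. require_record=True is the post's 'SPF world' rule:
    a domain that publishes no SPF record at all is rejected outright."""
    result = check_spf(domain, sender_ip)
    if result == "fail":
        return "reject"
    if result == "none" and require_record:
        return "reject"
    return "accept"
```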

Of course, spammers would adapt, and have SPF records for their own domains. But never again would they be able to fake a sender address. They would never again be able to efficiently pretend to be your internet provider, or your bank, or Facebook, or anything like that. They would have to use their own domains in the sender address… and they don’t exactly tend to look “nice”; besides, they’re not what your ISP or your bank would use.

A world with SPF would mean a world where you could actually trust the “From:” field. Can you imagine such a thing?


11 Responses to “What if everyone used SPF?”

  1. Vítor Pires says:

    Despite believing it could help, it’s still possible to use a “sender/return-path” header with a different domain from the “from” header, and the one which is checked is the “sender” one, which is the right way in my view.

    Imagine the “send to a friend” functionality on some websites. You want it to be identified as you sending, but the actual sender to be the site itself so it won’t be marked as spam. Of course this could be used by some spammers to send mails but still obey the SPF check.

  2. “The faking of sender addresses. Who ever does that? Spammers”

    You confuse spammers and phishers, not exactly the same kind of people.
    Even if SPF was adopted by the world, SPAM wouldn’t stop. SPAM exists cuz people react to it, meaning in this case people go see the site and perhaps buy the product. For this kind of people the sender’s domain doesn’t matter, only the subject; if it’s about viagra and they have a small dick they will open it. Today most SPAM comes from sender domains that have nothing to do with the PUB in it.

    Those who normally send fake sender addresses are phishers, but this wouldn’t stop phishing, cuz the real problem is people’s brain size.

    • Well, I was using “spammers” as a catch-all term for “bad guys who send email”. Besides, most anti-spam systems treat phishing emails as a form of spam (e.g. Gmail’s spam folder, or SpamAssassin.) However, in my experience a lot of them (actual spammers trying to sell Viagra, not phishers) really fake their email addresses — for instance, using the destination address as both the “From:” and the “To:”. If they are prevented from doing that, it makes it possible — not easy, but certainly doable — to have a sender domain black list, which would, I think, help a lot.

      • Exactly, spammers fake email senders cuz they don’t wanna buy domains, not because it is important for the SPAM to succeed, and making the “From:” and the “To:” the same proves it. SPF world implementation would give godaddy and the like a little more money, but wouldn’t stop spam. RBLs would have names instead of numbers, not a big difference, I think.

        I could buy one domain, myspam.org, and make thousands of subdomains for free, using it for sender addresses.
        If the RBLs, instead of listing all my subdomains, decide to block all with something like *.myspam.org, I would buy some subdomains on co.uk and spam from them, doing a mail DoS to all the other legitimate co.uk subdomains. Not that easy to make a domain black list, is it?

        • The point of things like these is not to perfectly end spam, just to make things more difficult for spammers (and, in case of SPF, mostly for phishers, as you say). The fact that something isn’t a 100% perfect solution for a problem doesn’t mean that it isn’t still a good idea.

          I don’t know if a domain black list is viable, and it wouldn’t be a magical solution, of course, since, again as you say, it’s just a matter of registering a new domain. But there’s still that additional effort (and expense). In an SPF world, a new domain would have no more than hours of spam sending before being universally blocked for good. Nope, again this wouldn’t end spam. But spam works because it’s incredibly easy and cheap to send millions of emails; everything that makes it even a tiny little bit less easy or cheap makes a difference.
