A Clarification About SPF and IP Reputation

Expanding on: Steve Kille’s recent bulletin about IP reputation. SPF isn’t exactly a “reputation mechanism” — although it can be used to help identify the sender, in order to make improved reputation-based decisions.

SPF, DKIM, and other “sender authentication” schemes help a receiving MTA decide if it knows which domain sent a message. For example, SPF can tell if the sending IP address 1.2.3.4 is authorized to send mail claiming to be from example.com and DKIM can tell if the incoming message was signed by example.com’s private key.

If the receiving MTA knows the sending domain, it doesn’t need to rely on the reputation of the sending IP address, which can be a blunt instrument. It allows domains themselves to have reputations. It’s especially useful for whitelisting known-good domains, so that mail from them doesn’t fall victim to the false-positive problem.

(Another common way of describing SPF et al is: mechanisms to detect forgeries, which amounts to the same thing but in a different context.)

Richi Jennings

One Comment

  1. Chris Lang
    Posted May 29, 2008 at 3:41 PM | Permalink

    True, SPF, DKIM, DomainKeys and Sender ID are not in and of themselves a reputation mechanism. However, I do feel that email authentication protocols are definitely part of the ISPs reputation evaluation of your email server IP address.

    The fact that you have DomainKeys or DKIM in place has been verified by Yahoo saying that you will face more extensive filtering if you do not have them in place furthers my feelings on this.

    Having SPF / SenderID and DomainKeys / DKIM in place is just a part of what the ISPs (Yahoo, Microsoft, AOL and Gmail) want as part of what in is now known as email reputation. Also most of these ISPs will not consider you for whitelisting if their preferred authentication is not in place.

    This is how I look at it.

    Authentication + Whitelisting + User Feedback + AntiSpam Community = Email Reputation

    Also especially at Yahoo user whitelisting (we are talking numbers here) also has alot to do with delivery to the inbox vs. the spam folder.

  2. Posted May 29, 2008 at 3:50 PM | Permalink

    Chris, I respectfully disagree with some of what you’re written here.

    SPF/SIDF/DK/DKIM et al can help a receiving MTA use domain-based reputation (as opposed to simple IP reputation), as I said in the bulletin.

    However, no sensible recipients give senders a free or partially-free pass simply because they sign with DK/DKIM. Therein madness lies. If that were so, imagine what you’d do if you were a spammer? Yes, you’d sign your spam! It wouldn’t work.

    Your specific example is incorrect. Yahoo explicitly say that signing with DK/DKIM does not make it more likely that your message will hit the inbox. I do hope you’re not telling your customers that. I have removed the name of your company, to save embarrassment.

  3. Posted June 3, 2008 at 5:30 AM | Permalink

    SPF and DKIM allow MTAs to identify and reject forged addresses. Although this technique has proven to be useful for authenticating the sender domain, intelligent spammers can also authenticate their domains in the same way, thereby bypassing the entire system designed to keep their messages out.
    However, if each authenticated domain had in addition a reputation associated with it, then more accurate decisions could be made for each inbound message. According to Google (http://www.ceas.cc/2006/19.pdf), who uses authentication in Gmail, about 40% of the authenticated emails are spam, which forces them to implement a reputation mechanism to complete the job.

    So i think that as we are going to see vendors providing in a bundle both authentication and reputation to provide a comprehensive solution.

    Amir

  4. Posted June 3, 2008 at 9:56 PM | Permalink

    Amir, yes, this is precisely my point. Authentication enables domain reputation.

Post a comment

You must be logged in to post a comment. To comment, first join our community.