Sender Authentication Not Exactly Crushing Spam: Report

Between a lack of widespread adoption and the small volume of messages actually being curtailed under it, Sender Policy Framework (SPF) – once believed to be a potentially effective spam-fighting technology – may be nowhere near the spam fighter its supporters thought it to be, according to survey results gathered by CipherTrust, the e-mail security company.

Of two million e-mails sent to CipherTrust customers from May to July, only five percent came from domains using SPF or the newer Sender ID standard, which Microsoft is backing, CipherTrust said – adding that, within that five percent, slightly more was spam than legitimate e-mail.

"The idea that SPF would point to legitimate e-mail because spam would fail SPF checks is not true, because spammers have rolled out [SPF] records, too," CipherTrust chief technology officer Paul Judge told InfoWorld.com. "In fact, three times more spam passes SPF checks than fails it, so passing or failing an SPF check is not a strong indicator that messages are spam."

Sender ID is supposed to close the "loopholes" through which senders, spammers included, can fake a message's origin: organizations publish lists of their approved mail servers in the domain name system, and receiving domains that use Sender ID consult that record to verify who sent a message, CipherTrust said.

On the other hand, CipherTrust said, SPF may not be stopping spam, but it just might be cutting down on phishing and spoofing attacks sent through e-mail.

"[A]s long as spammers comply with the protocol by not spoofing the sender address, their messages will not be stopped by SPF," CipherTrust said. "But… [t]he number of Fortune 1000 companies deploying available e-mail authentication protocols has increased by nearly 200 percent since May.

"[Our] research finds that a spam message is three times more likely to pass an SPF check than it is to fail it," he continued. "Therefore, organizations cannot rely on such techniques alone to fight the spam epidemic, but should include e-mail authentication as part of their fraud and spam prevention arsenal."
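The mechanism described above (a domain publishes its approved servers in DNS, the receiver checks the connecting IP against that list) and the survey's point that a passing check says nothing about whether the domain is trustworthy, as an added example that is not from the article or from CipherTrust. The DNS records, domain names and the reputation list are constructed; the evaluator is a simplified SPF check covering only `ip4`, `include` and the `all` qualifiers.

```python
import ipaddress

# Constructed DNS TXT records (not real domains). Note that the spammer's
# domain publishes a perfectly valid SPF record for its own sending range.
DNS_TXT = {
    "bank.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 -all",
    "cheap-pills.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}

# Constructed domain-reputation data standing in for a real blocklist feed.
BAD_REPUTATION = {"cheap-pills.example"}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip, depth=0):
    """Simplified SPF evaluation: does `domain` authorise `sender_ip`?
    Handles ip4, include and all; no a/mx/ptr/exists mechanisms or macros."""
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], sender_ip, depth + 1) == "pass"
        else:
            matched = False             # unsupported mechanism: skip it
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # no term matched


def assess(mail_from_domain, sender_ip):
    """SPF answers 'is this IP authorised by the domain', not 'is this domain
    legitimate'; a filter must pair it with reputation or content signals."""
    spf = spf_check(mail_from_domain, sender_ip)
    return {"spf": spf, "spoofed": spf == "fail",
            "bad_reputation": mail_from_domain in BAD_REPUTATION}
```

Run against the constructed records, a message from the spammer's own range passes SPF just as cleanly as one from the bank's server, and only the reputation field separates them.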