The Sender Policy Framework (SPF), formerly Sender Permitted From, is an extension to the older mail sending protocol, Simple Mail Transfer Protocol (SMTP), which provided almost no sender verification of e-mail. SPF makes it easy to counter most forged "From" addresses in e-mail, thus helping to counter e-mail source address spoofing.
When a user sends you mail, an e-mail server connects to your e-mail server. When the message comes in, your e-mail servers can, based on SPF published
AOL is a big supporter and deployer of SPF. It recently pulled out of development of Sender ID, another mail verification protocol. SPF is deployed around the world; the e-mail servers of more than 86,000 domains use the authentication technology, as of this writing.
SPF is not an IETF standard yet, but it has a good chance of becoming a standard, and will be submitted soon. SPF is not expected to totally eliminate spam, but it's another weapon in the fight against spam and phishing.
Some spammers love SPF
Although legitimate e-mailers are starting to quickly adopt SPF, apparently spammers are adopting it faster. A recent study by CipherTrust (www.ciphertrust.com) showed that 34% more spam is bypassing SPF checks than legitimate e-mail. This means that a spam message is three times more likely to pass an SPF check than to fail it, as long as the address is registered. As long as spammers comply with the protocol, register their SPF records and don't spoof the sender address, their messages will not be stopped. What this really means is that one e-mail authentication solution alone will not stop the tide of spam; it's just one part of a fraud and spam prevention program.
The Sender Policy Framework (SPF)
Cisco Identified Internet Mail
PHISHING: CUTTING THE IDENTITY THEFT LINE|
By Rachael Lininger and Russel Dean Vines
334 pages; $29.99
John Wiley & Sons
Read Chapter 6, Helping your organization avoid phishing
This was first published in May 2005