do you use SPF TXT RRs? (RFC4408)

Douglas Otis dotis at mail-abuse.org
Mon Oct 4 17:50:41 UTC 2010


  On 10/4/10 12:47 PM, Greg Whynott wrote:
> A partner had a security audit done on their site.  The report said they were at risk of a DoS due to the fact they didn't have a SPF record.
>
> I commented to his team that the SPF idea has yet to see anything near mass deployment and of the millions of emails leaving our environment yearly, I doubt any of them have ever been dropped due to us not having an SPF record in our DNS.  When a client's email doesn't arrive somewhere, we will hear about it quickly, and it's investigated/reported upon.  I'm not opposed to putting one in our DNS, and probably will now - for completeness/best practice sake.
>
>
> How many of you are using SPF records?  Do you have an opinion on their use/non-use?
It is ironic to see recommendations requiring use of SPF due to DoS 
concerns.  SPF is a macro language expanded by recipients that may 
combine cached DNS information with MailFrom local-parts to synthesize 
 >100 DNS transactions targeting any arbitrary domain unrelated to those 
seen within any email message.  A free >300x DDoS attack while spamming.

SPF permits the use of 10 mechanisms that then require targets to be 
resolved which introduces a 10x multiplier.  The record could end with 
"+all", where in the end, any message would pass.  Since SPF based 
attacks are unlikely to target email providers, it seems few 
recommending SPF consider that resolving these records containing active 
content might also be a problem.

-Doug
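An added example, not part of the thread: a small offline check of the SPF-record properties Doug points to (terms that require a DNS lookup, counted against the RFC 4408 limit of 10; macros such as the MailFrom local-part that expand per message; and a record that terminates in "+all"). The records it audits are constructed; no DNS queries are made.

```python
import re

# Mechanisms and modifiers whose evaluation requires a DNS query. RFC 4408
# section 10.1 caps these at 10 per evaluation; "all", "ip4" and "ip6" need none.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# RFC 4408 macro letters; %{l} is the MailFrom local-part, chosen by the sender.
MACRO_RE = re.compile(r"%\{[slodiphcrtv]")

def audit_spf(record):
    """Return risk findings for one SPF TXT record without performing DNS lookups.

    lookups     : number of terms that each cost the recipient a DNS query
    over_limit  : more than the 10 lookup-terms RFC 4408 allows
    macro_terms : terms whose target is synthesised from per-message data
    pass_all    : record ends by accepting any sender ("+all")
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    lookups = macros = 0
    pass_all = False
    for term in terms[1:]:
        has_qualifier = term[0] in "+-~?"
        qualifier = term[0] if has_qualifier else "+"   # default qualifier is "+"
        body = term[1:] if has_qualifier else term
        name = re.split(r"[:/=]", body, 1)[0].lower()   # strip ":target", "/cidr", "=value"
        if name in DNS_LOOKUP_TERMS:
            lookups += 1
        if MACRO_RE.search(body):
            macros += 1
        if name == "all" and qualifier == "+":
            pass_all = True
    return {"lookups": lookups, "over_limit": lookups > 10,
            "macro_terms": macros, "pass_all": pass_all}

if __name__ == "__main__":
    # Constructed records: a conservative one, and one showing every problem above.
    samples = [
        "v=spf1 ip4:192.0.2.0/24 mx -all",
        "v=spf1 " + " ".join("include:h%d.example.net" % i for i in range(11))
        + " exists:%{l}.example.org +all",
    ]
    for rec in samples:
        print(rec, "->", audit_spf(rec))
```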






More information about the NANOG mailing list