Ever wonder how many people actually use SPF?
I've had the dubious distinction lately to be the center of attention of many mail servers. Oh, it's not because I'm witty and fun (and I am), it's because some lowlife spammers (may the fleas of a thousand camels infect their beds) decided to use my domain as the return address of their junk.
Fear not, some say, just use SPF! So I did.. I switched DNS servers on my domain (yah, I was using register.com's and they suck) and generated an SPF record.. and now there is one live on the domain as of around 10pm last night. Thanks to all this trouble and work I now have irrefutable, scientific evidence of how well SPF works. This well. See that little dent at around 10pm last night? That's about how many servers actually implement SPF. Wow, that was so totally worth it. Like, great.
Comments
Not to mention that SPF is just plain retarded as a concept.
You know who has adopted SPF the quickest? Spammers. They love to say "hey email for get-a-big-penis.com is allowed to come from smtp.hotmail.com" or whatever, which just makes SPF totally useless. Because, you know, spammers know how to configure a DNS too.
Posted by: fluffy | May 5, 2005 08:15 PM
Fluffy, wait a second...I think you misunderstand the direction in which SPF works.
In order for the spammer to send email from "get-a-big-penis.com" via Hotmail's servers, they would have to control Hotmail's DNS records. That's not likely to happen.
See, the accepting SMTP server does a reverse lookup of the sender SMTP server. Once that's been resolved (outbound.hotmail.com), the accepting SMTP server does a TXT record lookup on the same domain, and verifies that the from address in the email is allowed to send from outbound.hotmail.com. Since it won't find a record allowing outbound messages from big-penis.com, it can safely discard the message.
'Least that's how I understood the tech to work...which makes a lot more sense than the way you described it. But the important thing is that A LOT of people MUST publish SPF records in THEIR DNS...and most aren't...so you can't be sure if you can delete the messages or not.
Posted by: SumYungDude | May 5, 2005 09:37 PM
What's the reason for the larger decline then?
Posted by: mike | May 5, 2005 11:15 PM
The larger decline is the usual up & down of the rejections.. if you see the entire graph it'll make sense.
Posted by: kasia | May 6, 2005 08:01 AM
Your arrow making skills are impressive ;)
Posted by: zero | May 6, 2005 08:39 AM
You should see what she can do with an exclamation point!
Posted by: Paul | May 6, 2005 05:00 PM
It's a very special arrow.. all the other little arrows made fun of it, so I took it home and made it feel loved.
Posted by: kasia | May 6, 2005 06:38 PM
In the end I think we will end up with a personal list based solution to Spam en masse, i.e. I send an email to someone, their address gets added to my accept list; I type an email address into a web browser, it offers to add it to my accept list (temporary or permanent). In addition every inbound email's domain record is checked against what its MX should be. If any of this fails, then a challenge-response is issued.
I understand the reluctance with this kind of system, but Spammers are much like people who attempt to undermine the security in Operating Systems. Every time someone imposes a method to prevent Spam, someone else circumvents it with hidden "literary" prose, modified headers, or another devious scheme. The only way (sadly) to absolutely guarantee the rejection of Spam is for some kind of human intervention at some point in the authentication chain - and yes, it is a pain, but unless the industry unites I don't really see many alternatives.
Posted by: ant | May 7, 2005 11:07 AM
I have found that SPF records are pretty much useless. Here's a perfect example. I set up SPF for pbp.net. Users immediately started reporting that they were unable to send email while out & about to *many* mailing lists because the listservs checked SPF. The users (myself included) were finding that T-Mobile intercepts all outbound port 25 traffic and bounces it through their own SMTP relays. Apparently they're not the only company that does this.
And you're 100% correct about spammers using it. A former employer turned into spammers, and they were very adamant about setting up SPF records to try to bypass spam filters. For each of the 5,000 spam domains they owned, it was a matter of a Perl script to change IP information, reverse DNS, and SPF records.
Posted by: Jonathan | May 11, 2005 04:51 PM
SumYungDude, what you described as SPF would be utterly retarded and useless. I mean, even more than what I described. Ever consider that maybe people would be sending email from their domain using their home ISP? What, so every home ISP is now supposed to be configured to allow email to be sent with a From: of every single telecommuter? (Answer: no, it's not. That's what SMTP AUTH is for.)
Posted by: fluffy | May 12, 2005 05:00 PM
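The thread above turns on which DNS record a receiving server consults and what a result means. As an added example (not code from the post or from any commenter): under RFC 7208 the receiver fetches the TXT record of the envelope sender (MAIL FROM) domain and tests the connecting client IP against it. The sketch implements only the `ip4`, `include` and `all` mechanisms over a constructed in-memory TXT table; every domain and address in it is a made-up documentation value.

```python
import ipaddress

# Constructed TXT data (example domains, documentation IP ranges); not from the page.
TXT = {
    "victim.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk-sender.example": "v=spf1 ip4:198.51.100.7 -all",
    "hosted.example": "v=spf1 include:victim.example ~all",
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, domain, txt=TXT, depth=0):
    """Evaluate a subset of SPF (ip4, include, all) for the MAIL FROM domain."""
    if depth > 10:                      # recursion guard against include loops
        return "permerror"
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # the domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"   # default is "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            sub = check_host(client_ip, arg, txt, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"      # a broken include is an error, not a miss
            matched = sub == "pass"     # only a pass in the included record matches
        else:
            return "permerror"          # mechanism outside this subset
        if matched:
            return RESULTS[qualifier]
    return "neutral"                    # nothing matched and no "all" term


if __name__ == "__main__":
    for ip, dom in [("203.0.113.50", "victim.example"),       # forged return address
                    ("198.51.100.7", "bulk-sender.example"),  # sender's own domain
                    ("203.0.113.9", "victim.example"),        # real user via carrier relay
                    ("192.0.2.10", "nospf.example")]:         # no record published
        print(f"{dom:22} from {ip:14} -> {check_host(ip, dom)}")
```

A `pass` for `bulk-sender.example` shows only that the domain authorised that host, not that the mail is wanted. A genuine `victim.example` user whose traffic is rerouted through a relay at 203.0.113.9 gets `fail`, the same result as a forger.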