A request has been made by a web developer for our domain DNS records to include SPF TXT records. I found differing opinions on this out there...

Any comments or insights you can offer will be highly appreciated. I know this is not an empirical question per se - but I would appreciate your subjective offerings nevertheless... Especially if they were to come with references I could look into such as web posts or online documents, etc.

Shane Madden
Manca Weeks
  • I would sincerely like to find those people who differ on SPF being a good thing. – Wesley Aug 17 '11 at 03:26
  • @wesley - I could only imagine that people would say to *not* use it because "it's not universal" (read as too lazy). – Nixphoe Aug 17 '11 at 03:56
  • I'd be seriously concerned if anyone did want to close this on the grounds of it being too subjective. It's a fair question with a clear and simple answer: yes. – John Gardeniers Aug 17 '11 at 04:44

5 Answers

Yes. I wouldn't call this subjective because there's a clear consensus; use SPF.

Implementation is very easy and it's a good thing for the internet as a whole.

Shane Madden
  • +1. Head on over to www.openspf.org and set up SPF records. It's trivial and there's no reason NOT to do it. – voretaq7 Aug 17 '11 at 03:24
  • Agree with the recommendation - but no justification? – symcbean Aug 17 '11 at 09:44
  • @voretaq7: openspf.org seems to be down, that's not very encouraging. – Marcel Aug 17 '11 at 10:42
  • @Marcel - I noticed that last night, was hoping it would be back up before anyone else noticed. Guess not *grumble* – voretaq7 Aug 17 '11 at 17:23
  • @symcbean - It can reduce the spam score of an email by a small amount, and it's minimal-effort to set up and maintain -- seems self-justifying to me... – voretaq7 Aug 17 '11 at 17:24

You are likely seeing dated references. Based on the percentage of valid email my server receives from servers using SPF, the consensus is to use SPF.

I heartily recommend setting up SPF. Set up records for your MX allowing it to send email, as well as for the domain you use in e-mail addresses. For domains that don't send e-mail, set up SPF to indicate that.

I find SPF records for the e-mail server more helpful and reliable in blocking spam than those for the sender's e-mail address.

If your server supports SPF records, configure them in addition to TXT records. If you change your configuration there may be a little overhead in keeping the records in sync, but many systems can configure their SPF so it automatically adjusts to MX and address changes.

You may want to review my post on Securing your Email Reputation with SPF. My first implementation of SPF was to block a spammer who was forging a domain I provide email services for. Despite relatively low SPF penetration it was very effective in shutting them down. However, we still get spam to the forged address they created. (It's a great way to verify spammers, as only spammers would use that address.)

I believe penetration of SPF on the receiving side is likely greater than on the publishing side.

EDIT: If you do use SPF records, make sure that people delivering automated mailings are aware of the requirement to get their servers added. (The server should be fully vetted as automated systems are often poorly configured and may have a profile similar to a spambot. It isn't that difficult to set the server up correctly.)

BillThor

Definitely set up SPF - there should be no downside (as long as it is set up properly and tested), but it will prevent other sites from masquerading as you and sending spam in your name. The reason it is good is that you are explicitly whitelisting certain servers/IPs that can send email for your domain.

I think the best proof that it is a good thing is looking at a few major email services. Just look for the 'Received-SPF' headers in the original email to see if SPF is checked. For example:

Yahoo Mail:

Received-SPF: pass (domain of example.com designates xxx.xxx.xxx.xxx as permitted sender)

Gmail:

Received-SPF: pass (google.com: domain of user@example.com designates xxx.xx.xx.xx as permitted sender) client-ip=xxx.xx.xx.xx;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of user@example.com designates xxx.xx.xx.xx as permitted sender) smtp.mail=user@example.com

Hotmail also checks SPF (although, I believe they call it Sender-ID). Overall, it is an easy addition that can do a lot of good - both for your domain and the internet as a whole.

cyberx86
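The Received-SPF and Authentication-Results headers quoted in the answer above can be read programmatically when triaging mail. The following is an added example, not code from the answer or from any mail library: it parses constructed headers modelled on the Gmail format (the addresses and IPs are documentation values, and the helper names are made up here) and reports what the receiving MTA recorded about SPF, or "none" when the receiver left no such trace.

```python
import re
from email import message_from_string

# Constructed headers modelled on the Gmail example in the answer; the
# addresses are documentation values, not captured from a real message.
GMAIL_SAMPLE = (
    "Received-SPF: pass (google.com: domain of user@example.com designates "
    "192.0.2.7 as permitted sender) client-ip=192.0.2.7;\n"
    "Authentication-Results: mx.google.com; spf=pass (google.com: domain of "
    "user@example.com designates 192.0.2.7 as permitted sender) smtp.mail=user@example.com\n"
    "From: user@example.com\nSubject: hello\n\nbody\n"
)
NO_SPF_SAMPLE = "From: user@example.com\nSubject: hello\n\nbody\n"

COMMENT = re.compile(r"\([^)]*\)")           # RFC 5322 comments, e.g. "(google.com: ...)"
KEYVAL = re.compile(r"([\w.-]+)=([^;\s]+)")  # key=value pairs such as client-ip=...

def parse_received_spf(value):
    """Split 'pass (comment) client-ip=1.2.3.4;' into its result and key/value pairs."""
    cleaned = COMMENT.sub(" ", value)
    result, _, rest = cleaned.strip().partition(" ")
    return result.lower(), dict(KEYVAL.findall(rest))

def parse_authentication_results(value):
    """Return (authserv-id, {key: value}) from an Authentication-Results header."""
    authserv, *resinfos = COMMENT.sub(" ", value).split(";")
    results = {}
    for info in resinfos:
        for key, val in KEYVAL.findall(info):
            results[key] = val
    return authserv.strip(), results

def spf_verdict(raw_message):
    """Summarise what the receiving MTA recorded about SPF for one message.
    The result stays 'none' when neither header is present."""
    msg = message_from_string(raw_message)
    verdict = {"result": "none", "client_ip": None, "authserv": None, "smtp_mail": None}
    if msg["Received-SPF"]:
        verdict["result"], kv = parse_received_spf(msg["Received-SPF"])
        verdict["client_ip"] = kv.get("client-ip")
    if msg["Authentication-Results"]:
        authserv, results = parse_authentication_results(msg["Authentication-Results"])
        verdict["authserv"] = authserv
        verdict["smtp_mail"] = results.get("smtp.mail")
        verdict["result"] = results.get("spf", verdict["result"])
    return verdict
```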

Like the other respondents (so far), I recommend implementing SPF.

Some of the other posts have mentioned that this makes it more difficult for other people to masquerade as you (but that does not mean that SPF is a basis for non-repudiation). Even if the direct impact of such an event is very low, it helps to reduce back-scatter.

However another, very important reason is that it improves deliverability to recipients whose providers implement SPF.

I'd certainly be very interested to hear what the downsides to SPF are. Currently all I'm aware of are:

  1. users must route their outgoing mail through nominated servers - although controlling your outgoing mail has obvious benefits, this can add some complications if you've got remote users - you'll need to set up SMTP authentication or a VPN

  2. problems with some forwarding - which IME is very rare

symcbean

The big problem I see with SPF is that it breaks forwarding. This is as of today only briefly mentioned in SPF's Wikipedia entry. And it's also the reason I don't set up SPF on my mail server.

Consider A with address a@a.org (whose MX implements SPF) sends a mail to B with address b@b.org, who set up this address to forward mails to b@reallyb.org. The MX for reallyb.org then sees A's mail originating from b.org's MX and so is allowed to throw away the message.

So if you want to continue to be able to send mails to people who use forwarding as it used to work in the decades before SPF came up, at least don't use -all.

This could be fixed if the MX for b.org used SRS or if the MX for reallyb.org whitelists mails coming in from b.org. According to my view on reality, however, most forwarders don't do either of these. And as you are in the position of A if you think about implementing SPF on your server, this is something you cannot control in general.
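BillThor's record advice above (an MX-based record for the sending domain, "v=spf1 -all" for a domain that never sends) and the forwarding scenario in this answer can be walked through with a small evaluator. This is an added example, not code from either answer or from any SPF library: the zone data, the addresses (RFC 5737 documentation ranges), the domain names and the SRS-style rewrite are constructed, and the evaluator implements only a subset of the SPF mechanisms. It also shows the effect of ~all versus -all on the forwarded message, as symcbean's comment on the record suggests.

```python
import ipaddress

# Constructed zone data standing in for DNS (no network lookups). a.org ends its
# record in -all, lenient.org in ~all, and parked.example never sends mail at all.
ZONE = {
    "a.org": {"TXT": ["v=spf1 mx ip4:192.0.2.10 -all"], "MX": ["mail.a.org"]},
    "lenient.org": {"TXT": ["v=spf1 mx ~all"], "MX": ["mail.a.org"]},
    "mail.a.org": {"A": ["192.0.2.25"]},
    "b.org": {"TXT": ["v=spf1 mx ~all"], "MX": ["mx.b.org"]},
    "mx.b.org": {"A": ["198.51.100.5"]},
    "parked.example": {"TXT": ["v=spf1 -all"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return ZONE.get(name, {}).get(rtype, [])

def check_spf(domain, client_ip, depth=0):
    """Evaluate client_ip against domain's SPF record. Simplified: handles ip4,
    a, mx, include and all; no CIDR on a/mx, no redirect, exists or ptr."""
    records = [t for t in lookup(domain, "TXT") if t.startswith("v=spf1")]
    if len(records) != 1 or depth > 10:
        return "none"  # no policy published, or ambiguous / too deeply nested
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        matched = False  # unsupported mechanisms are skipped
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no explicit "all" term

def forwarded_delivery(envelope_from, forwarder_ip, use_srs):
    """What reallyb.org's MX computes when b.org forwards A's message: without SRS
    A's policy is checked against b.org's MX address; with SRS b.org's own is."""
    if use_srs:
        envelope_from = "SRS0=x=y=a.org=a@b.org"  # constructed SRS-style rewrite
    return check_spf(envelope_from.rsplit("@", 1)[1], forwarder_ip)
```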