PSA SPF

We interrupt your regularly scheduled blog series for this important public service announcement:

A number of times now, I’ve discovered that there was email being sent to me that I was  not getting. Fortunately, my ISP is also a colleague, mentor, and friend and a real expert in cybersecurity, so I asked him. And he explained it to me (and then again when I’d forgotten and it happened again; sorry Sky!).  So I’ll document it here so I can point to it in further instances. And it’s about domains and SPF, so it’s a wee bit geeky (and at the edge of my capability).  Yet it’s also important for reducing spam, and I’m  all for that. So here we go.

This started with an organization where I had been conversing with individuals.  And eventually it became clear that they had sent me a form letter, as part of a bigger mailing, and assumed I had it while I was still asking about details in said form letter. Debugging this is how I found out what happened.

Now, when an org sends you email directly, your mail system tracks the paths it takes to get to you. If it goes back to the server for the org says the mail’s from, all’s good. For certain types of mails (e.g. event-related or service-related), however, those mails are sent via a service. A good mail server should check to see if the mail the service claims is really from the org. Otherwise, you could have a lot of people sending things pretending to be from one place but … can you say ‘spam’?  Right.

So, what the org needs to do is create a really simple one-line bit of text in something called a  Sender Policy Framework (SPF) record that says “they mail on my behalf”.  E.g. the record lets the org publish a list of IP addresses or subnets that are authorized to send email on their behalf.  And, seriously, this is simple enough that  I can do it.

Yet somehow, some orgs don’t do this. Now, some mailers don’t check, but they  should! That check to the DNS entry on behalf of the org to see if there’s an SPF covering the service will help reduce spam. So my ISP checks rigorously. And then I miss mail when people haven’t done the right thing in their tech set up. When I have this type of problem, it’s pretty much one of these.

Please, please, do check that your orgs get this right if they  do use a service. That would be orgs doing mailing lists through external providers (e.g. small firms without the resources to purchase bulk mail systems). And you can ignore this if it doesn’t apply to you, but if you do have the symptoms, feel free to point people here to help them understand what to fix. I certainly will!

We now return you to your regularly scheduled blog, already in progress.