SPF Validation The email spoof-busting technology that sounds like sunscreen

I got a bunch of spam from myself last week — emails that looked exactly like they were from me as well as to me — and called my web hosting service, A2 Hosting, to make sure that spammers hadn’t actually hacked my account and started using my server to send that crap out. But it was more likely that it was just email spoofing: the ultra-scummy practice of making spam email look like it’s from you. As if spam wasn’t already despicable enough, spoofing has become really common in the last couple years. You get an email that looks like it’s from a friend, or you hear from a friend who says “you” sent them spam. That’s spam spoofing. Disgusting!

Talking to A2, I learned that there’s actually a standard security feature to mostly prevent this problem, “SPF validation.” Get it? SPF for “spoof”! Witty. And for “Sender Policy Framework”!

SPF is:

an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain’s administrators.

SPF authentication should probably be enabled by default but often isn’t, especially on older servers that were configured before this became a common spam problem. Spammers count on this! Just like hackers count on people who haven’t updated their WordPress blog, or PC users who haven’t applied their Windows updates.

Basically an SPF “record” tells an email service who can and cannot seem to be using your email address. You’d think it’s a no brainer that no one should be able to “seem to be using your email address” except that, in the days before this was a problem, it was pretty much exclusively a feature (sometimes people want to use email server A to send mail that looks like it’s from another domain, their own; for instance, people commonly use Gmail for its features, but want the email to look like it’s coming from somewhere else, like their own vanity domain).

Most spammer use junk accounts from email services like Yahoo or Gmail, exploiting this “feature” that most people don’t even know about and aren’t using and isn’t turned off. Shitty, eh?

And how do you enable this marvellous SPF validation stuff to prevent le spam?

It was easy for me: I have a professional, industrial strength web hosting account with easy access to every conceivable setting and switch. I just found the switch and flipped it: et voila, SPF protection! Not even close, it turns out. I continued to get spoofed spam, investigated more, and discovered a problem. In fact, my web host’s default SPF configuration was permissive and rather self-defeating: turning it on was kind of like turning on a lamp with no lightbulb in it. It was “enabled” but actually set to allow spoofing. *eyeroll* So, I fixed that — without one damn useful bit of tech support from my provider on the topic — and now, finally, tentatively, it seems I am finally no longer spoofable. But it took an hour of anxious SPF record syntax checking, validation, expert help, etc. EW.

And a lot of people have no access to settings like that, because they don’t have their own hosting, or minimal control even if they do. I just don’t know how it works for a lot of email accounts. But whoever hosts your email … contact ‘em. Just be advised that even many technicians and support folk are pretty clueless about SPF.


P.S. It is absolutely incredible and horrible that any ordinary person should have to think about anything like this just in order to be a modern citizen and use email without turning prematurely gray. Welcome to modern living.