
SPF is good but not perfect at flagging spam.
How effective is sender authentication in contributing to the fight against spam? A recent analysis of Microsoft’s email volumes revealed some interesting findings on the subject.
The analysis, conducted by Terry Zink, studied the impact of two sender authentication technologies, DKIM and SPF, on his company’s email flows.
DKIM, or DomainKeys Identified Mail, allows the sender of an email message to take responsibility for it while it’s in transit. It’s a way to validate a domain name identity associated with a message through cryptographic authentication.
While DKIM can be a way to block spam sent from hijacked domains, it’s less effective against spammers who create their own domains and spew junk from them. However, when used with some form of reputation analysis, it can contribute to cutting down spam traffic from those sites, too. The reasoning is that if a domain sent “good” mail to you in the past, it will continue to do so in the future.
SPF, or Sender Policy Framework, was designed to blunt another tactic used by spammers: address spoofing. It allows senders to specify which hosts are permitted to send their emails, which they do by creating an SPF record in the DNS, or Domain Name System. When a message arrives at its destination, the recipient system can check the host it was sent from against the SPF record in the DNS. If it was sent from a host specified in the SPF record, the address can be assumed to belong to the originator of the message. If it was sent from a host not in the SPF record, then it’s likely the message is spoofing its origin and can be trashed as spam.
One of the problems with SPF is that it can create more problems than it solves. A case in point: a recent attempt by Intersessions, a Web site hosting services provider, to implement the technology.
The company had to turn SPF enforcement off three days after implementing it. According to the owner of the company, Jeff Koch, here are some of the reasons for abandoning SPF:
- Domain owners and their employees regularly send email from servers that violate their own SPF.
- Customers were unable to receive email from important contacts.
- Customers didn’t understand why Intersessions was blocking important email.
- Customers couldn’t explain SPF to their business contacts, who would need to inform their IT departments to correct their SPF records.
“Our assessment is that SPF is a good idea but pretty much unworkable for an ISP/host without a major education program which we neither have the time or money to do,” Koch wrote recently. “Since we like our customers and they pay the bills it is now a dead issue.”
In his analysis of Microsoft’s email over a 45-day period, Zink estimated that 14 percent of the messages contained DKIM signatures, while 38 percent were validated with SPF checks.
Admittedly, not all the messages identified as non-spam by the sender authentication technologies were pristine, but that’s to be expected, Zink contended. “I don’t know of anyone worth their salt in the anti-spam world that would assume that a message authenticated using either of those two technologies must therefore be valid,” he said.
Nevertheless, as a first pass through email, the technologies did well. Only eight percent of the messages with DKIM signatures were later flagged by content filters as spam. The success rate for SPF was good, too–only 10 percent of the messages passing SPF muster were later canned by the email system’s spam filters.
“So,” Zink concluded, “the probability that an authenticated technology is high, but it is no guarantee.”
A more detailed analysis by Zink of the SPF results also proved intriguing.
That analysis looked at the various ways an SPF record can be evaluated and how it may influence the likelihood of a message being tagged by content filters after being classified as non-spam. For example, evaluations such as “neutral”–meaning no host was specified in the SPF record; “hard fail”–meaning the message came from a host not designated as an appropriate sender; and “none”–meaning a domain does not have an SPF record–don’t seem to have any influence on whether or not a message is subsequently marked as spam.
“This can be interpreted in two ways,” Zink wrote. “Either (1) there are lots of people out there who aren’t spamming despite doing no authentication, or (2) authentication hasn’t really caught on yet the way we in the email industry would like.”
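The SPF check and the result names discussed above can be seen in a small evaluator. This is an added example, not code from Zink's analysis or from any mail system named in the article. It assumes a dictionary of constructed TXT records in place of real DNS lookups, uses documentation-range domains and addresses, and handles only the `ip4`, `ip6` and `all` mechanisms.

```python
import ipaddress

# Constructed sample data: stands in for DNS TXT lookups so the example runs offline.
SAMPLE_DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "example.net": ["v=spf1 ip4:198.51.100.7 ~all"],
    "example.org": ["v=spf1 ?all"],
    "example.edu": ["unrelated-verification=abc123"],  # TXT present, but no SPF record
}

# Qualifier prefix on a mechanism -> result returned when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, txt_records=SAMPLE_DNS_TXT):
    """Return the SPF result for a connecting IP and the sender's domain."""
    ip = ipaddress.ip_address(sender_ip)
    records = [r for r in txt_records.get(domain, [])
               if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"        # the domain publishes no SPF record
    if len(records) > 1:
        return "permerror"   # more than one SPF record cannot be evaluated
    # Mechanisms are evaluated left to right; the first match decides the result.
    for term in records[0].split()[1:]:
        qualifier = "+"      # a mechanism without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":    # matches every sender; normally the last term
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        # a, mx, include, redirect etc. need further DNS lookups.
        raise ValueError(f"term {name!r} is not handled in this example")
    return "neutral"         # nothing matched and the record has no "all" term
```

A receiving system would feed the result into its filtering decision alongside content and reputation signals rather than treating "pass" as proof that a message is legitimate.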


