A Programmer explores the IT Security field, offering packets of useful information he picks up along the way.

SPF

February 13, 2008 By: Ron Category: Spam

There is a very neat open standard that is helping solve the ubiquitous SPAM issue. If you have an email account you must know what SPAM is. SPF stands for “Sender Policy Framework” and is an extension to the SMTP standard. We need to understand SMTP before we delve into SPF.

Most Internet technologies are based on the concept of a client/server relationship. Sending email is no different. When you browse the Internet you have a browser (client) and a web server (server) that serves you the page. With email you usually have an email client that is configured to talk to an SMTP server for sending email. For receiving email your client can talk to a POP3 server or an IMAP server.

When you compose an email there must be at least one recipient. Let’s say you have an account with Verizon (your ISP) and you are sending email to a Gmail recipient. You write your email and click “send”, and the email is sent to Verizon’s SMTP server, the server that handles all outgoing email. The SMTP server then looks at the recipient and sees that the domain (after the @) is intended for someone over at Gmail. It then makes a DNS request to find the IP associated with its counterpart over at Gmail, which is Gmail’s SMTP server. Verizon’s SMTP server sends the email off to Gmail’s SMTP server. Gmail’s SMTP server will then see that the recipient has a Gmail account and it will drop the email into that person’s mailbox.

Now, if you open up an email and look at the headers, there will be a series of “Received” headers that show you the path the email took. This path looks like a stack, with the first one being the last destination. The “Received” header at the top is actually the last SMTP server that received the email and the bottom “Received” header is the first SMTP server that received the email. Every SMTP server that receives that email will stamp a “Received” header onto the email with the IP address of the client or server it received the email from. The “Received” header information becomes essential for SPF, as you’ll see.

The difficult part with this approach is that the FROM address can be spoofed. So my address rongoodbin@verizon.net can easily be substituted with bill@microsoft.com. Nearly all SPAM is sent by fake people who hijack people’s real email addresses. Spammers like to use addresses with domains that have credence on the Internet. You are more likely to read a piece of spam sent from john.goldstone@ibm.com than from some other address like girly1234@aol.com. This type of thievery undermines the credibility of email, which is an unfortunate consequence, and as with other Internet technologies, security wasn’t even a thought at design time.

SPF was created to help remedy this problem and to help restore confidence in email integrity. We need some way to authenticate the sender’s email address and not just blindly accept what was supplied as the true sender. Here’s how it works. We talked earlier about the email hopping from one server to the next en route to its destination. As it travels, each server will stamp the email with the IP address of where it came from. Say there is an email sent to someuser@gmail.com from someone claiming to be rongoodbin@verizon.net. Now, if Gmail is configured to operate with SPF, Gmail will make a DNS request for the SPF record that verizon.net has configured and stored. This SPF record from Verizon tells Gmail which IP range this email should be coming from. Gmail then checks the IP address from the “Received” header on the email. Remember, an IP address can’t be spoofed, as we saw with my question on Security Now post. If the IP address checks out ok – meaning that it’s in the range allowed by the SPF record – then we know this email was actually sent by Verizon’s SMTP server and not by someone on a different SMTP server out in Russia sending mail on behalf of a verizon.net user. This valid email will then be forwarded to the recipient’s mailbox. If it turns out to be invalid, then the email is discarded. SPF, along with other technologies, is definitely a step in the right direction in the constant fight against SPAM.