Tuesday, February 27, 2007

Yahoo Ditches SPF?

This blows my mind. Yahoo has no Sender Policy Framework (SPF) record in its DNS. I believe that they did have one for a while (someone correct me if I'm wrong). This means that receiving servers have no SPF basis to reject mail whose envelope sender is forged to a yahoo.com address, so people can once again spoof Yahoo e-mail addresses when sending spam and fraudulent e-mails.

Here's how SPF is defined on Wikipedia:

In computing, Sender Policy Framework (SPF) is an extension to the Simple Mail Transfer Protocol (SMTP). SPF allows software to identify and reject forged addresses in the SMTP MAIL FROM (Return-Path), a typical nuisance in e-mail spam.

SPF is admittedly imperfect: it checks only the envelope sender (the SMTP MAIL FROM), not the From: header a user sees, and it breaks when mail is forwarded or relayed by a list server that keeps the original envelope sender. But it is simple to implement and can drastically cut down on spam and fraudulent e-mail that forges a well-known sender domain. Of the major e-mail providers (Microsoft, Google, AOL, and Yahoo), only Yahoo doesn't have an SPF record.

So why would Yahoo ignore this? Yahoo is pushing a different solution to the problem of forged e-mail, called DomainKeys. Here's the definition on Wikipedia:

DomainKeys is an e-mail authentication system (developed at Yahoo!) designed to verify the DNS domain of an E-mail sender and the message integrity. The DomainKeys specification has adopted aspects of Identified Internet Mail to create an enhanced protocol called DomainKeys Identified Mail (DKIM).

Yahoo's scheme also has flaws, but it could work well if widely deployed, although few sites currently use it. Now here's the rub: the two schemes are not mutually exclusive. A domain can publish an SPF record and sign its outgoing mail with DomainKeys at the same time; a receiver that checks only one of them simply uses the one it supports. So why hasn't Yahoo implemented SPF?

Well, their own mail servers reject mail that claims to be from yahoo.com but originates elsewhere, so their own users are protected from spoofed yahoo.com addresses. Yahoo, it seems, hopes that everyone else is bothered enough by spoofed yahoo.com e-mail to adopt Yahoo's DomainKeys technology.

This is a dirty trick. DomainKeys is a good idea, but it is harder to implement: every outgoing message has to be signed and every incoming one verified, which adds a cryptographic burden on mail servers in both directions. SPF is lightweight (a single DNS TXT record on the sending side and a few DNS lookups on the receiving side) and easy to implement. And, more importantly, the two can coexist.

So what's the deal, Yahoo? Why not enable DomainKeys and SPF on your domain?

For more information on Sender Policy Framework, visit the OpenSPF site. And if you manage a domain, use the wizard there to work out what your SPF record should be and how to add it as a TXT record in your DNS zone.
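To make the receiving side concrete, here is a minimal SPF evaluator in Python. It is an added example, my code and not the post's, Yahoo's or OpenSPF's, and it runs against a constructed in-memory zone table, so every name (`strict.test`, `nospf.test`, `_spf.relay.test`, ...), address and record in it is an assumption, and the function names (`check_host`, `spf_record`, `relay_through_list`) are mine. It shows what a receiver actually does with a record like the one the wizard produces: a domain that publishes nothing (the yahoo.com situation above) yields `none`, which no receiver can reject on; `-all` rejects an unlisted source; and the relay helper reproduces the forwarding failure that a list server causes when it re-sends with the poster's envelope sender (the complaint raised in the comments below).

```python
"""Minimal SPF (RFC 4408) evaluator over a constructed, in-memory zone table.
Added example: not code from the original post, Yahoo or the OpenSPF project.
Zone data is made up (reserved .test names, RFC 5737/3849 documentation ranges).
Handles ip4, ip6, a, mx, include, redirect= and all with + - ~ ? qualifiers;
macros, ptr, exists and dual-CIDR lengths are deliberately omitted."""
import ipaddress

# Result for a matching mechanism, keyed by its qualifier (RFC 4408 section 4.6.2).
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample zone data standing in for live DNS lookups.
FAKE_DNS = {
    # Strict policy: own /24 plus an outsourced relay, reject everything else.
    "strict.test": {"TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf.relay.test -all"]},
    "_spf.relay.test": {"TXT": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"]},
    # Authorises its MX hosts and only softfails everything else.
    "soft.test": {"TXT": ["v=spf1 mx ~all"], "MX": ["mail.soft.test"]},
    "mail.soft.test": {"A": ["203.0.113.25"]},
    # No SPF record at all: the situation the post describes for yahoo.com.
    "nospf.test": {"TXT": ["just some unrelated TXT data"]},
    # Two v=spf1 records is a permanent error (RFC 4408 section 4.5).
    "broken.test": {"TXT": ["v=spf1 -all", "v=spf1 +all"]},
}

def lookup(name, rtype, dns):
    """Records of type rtype for name from the zone table (empty list if none)."""
    return dns.get(name.lower(), {}).get(rtype, [])

def spf_record(domain, dns):
    """The domain's single v=spf1 TXT record, or None; ValueError if several."""
    records = [t for t in lookup(domain, "TXT", dns)
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if len(records) > 1:
        raise ValueError("multiple v=spf1 records for %s" % domain)
    return records[0] if records else None

def host_addrs(name, version, dns):
    """Addresses of name in the client's family (A for IPv4, AAAA for IPv6)."""
    rtype = "A" if version == 4 else "AAAA"
    return [ipaddress.ip_address(a) for a in lookup(name, rtype, dns)]

def check_host(ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate domain's SPF policy for an SMTP client connecting from ip.
    domain is the MAIL FROM (envelope sender) domain, not the From: header.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:                      # guard against include/redirect loops
        return "permerror"
    try:
        record = spf_record(domain, dns)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"                   # nothing published: SPF gives no verdict
    client = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:     # skip the v=spf1 version tag
        if "=" in term:                 # modifier (redirect=, exp=), not a mechanism
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        try:
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):
                # An IPv4 client never matches an ip6 network, and vice versa.
                matched = client in ipaddress.ip_network(arg, strict=False)
            elif mech == "a":
                matched = client in host_addrs(arg or domain, client.version, dns)
            elif mech == "mx":
                matched = any(client in host_addrs(mx, client.version, dns)
                              for mx in lookup(arg or domain, "MX", dns))
            elif mech == "include":
                inner = check_host(ip, arg, dns, depth + 1)
                if inner in ("none", "permerror"):
                    return "permerror"  # included domain must publish a valid record
                matched = inner == "pass"
            else:
                return "permerror"      # ptr, exists and macros are out of scope here
        except ValueError:
            return "permerror"          # malformed address or network in the record
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    if redirect:
        return check_host(ip, redirect, dns, depth + 1)
    return "neutral"                    # nothing matched and no all term

def relay_through_list(poster_ip, list_ip, envelope_domain, dns=FAKE_DNS):
    """Verdicts (at the list server, at the final recipient) for a list server
    that re-sends a post while keeping the poster's MAIL FROM domain."""
    return (check_host(poster_ip, envelope_domain, dns),
            check_host(list_ip, envelope_domain, dns))   # same MAIL FROM, list's IP
```

Calling `check_host("203.0.113.25", "nospf.test")` returns `none`, which is all a receiver can ever learn about a domain that publishes nothing, while the same client claiming `strict.test` gets `fail`. `relay_through_list("192.0.2.7", "203.0.113.25", "strict.test")` returns `("pass", "fail")`: the poster's own server passes, but the list server re-sending with the poster's envelope sender fails, which is why list software has to rewrite MAIL FROM to its own domain. For production checks use a complete implementation such as pyspf or libspf2, which handle macros, the ten-lookup limit and DNS errors.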


Dave Cardwell said...

I agree with you - that's ridiculous of Yahoo. Adding SPF and Sender ID to a domain that sends out so many e-mails would be ideal and it's a shame that they're letting politics get in the way.

I'd love to see mechanisms like these more widely adopted. I recently wrote a short guide describing how to set up SPF & Sender ID with 123-reg (although the same applies to most domain registrars) - it's so trivial there's really no excuse for getting it implemented on your domains.

HiltonT said...

What frustrates me with Yahoo, aside from their petty "our DomainKeys is better than SPF, so we won't support it" is that they are actively breaking SPF functionality with their Yahoo! Groups servers that resend email I post to a list with me as the sender, instead of changing the sender to the Group and the Reply-To as me.

THIS is frustrating. This is stupid. This is something that Yahoo! needs to be taken to task over.

Patrick Walsh said...
That's nuts! So if you have SPF checks enabled on your mail server then you won't receive some percentage of e-mail sent to Yahoo Groups? And if your domain has SPF then other people won't get your e-mails? That's outrageous.