Who are the Earliest Adopters of SPF? Survey says: Spammers!

The Internet Patrol - Patrolling the Internet for You
Share the knowledge

Note: The Internet Patrol is completely free, and reader-supported. If something that you find here helps you, please consider supporting us. We also earn a small amount from ads and Amazon links:

Click for amount options
Include a message for us!:

A survey of nearly 2million pieces of email by security company CipherTrust revealed some interesting facts:

1. Only 5% of the email came from servers which had enabled either SPF or Sender I.D. authentication.
2. Of the email coming from servers with SPF or Sender I.D. enabled, more than half was spam.

Spammers are early-adopters. Who knew?

Well, only anybody who has ever observed how quickly spammers latch on to any new technology designed to ease delivery of email. It’s no secret.

CipherTrust then went on to say that this demonstrates that sender authentication such as SPF will do nothing to stop spam.

No kidding!

It was never intended to stop spam. Nobody ever said that it would stop spam.

The purpose of SPF and Sender I.D., and Domain Keys, and on and on, is to be able to demonstrate that the domain from which the email is purportedly being sent is not being spoofed. That it’s really who it says it is. SPF et al say nothing about what sort of email it is. Never has, never will.


And, we would suggest that the fact that it’s showing up in spam means, in fact, that it’s working. How handy to be able to track a spam back to its true IP address and domain of origin!

Was this article helpful? If so, please consider supporting us; the Internet Patrol has no paywall and is completely free and reader-supported.
Click for amount options
Include a message for us!:

Share the knowledge

3 thoughts on “Who are the Earliest Adopters of SPF? Survey says: Spammers!

  1. The article neglects to mention another set of early adopters: sites whose domain names have been repeatedly forged in spam.

    I handle the email abuse reports for my employer, and for the past year I’ve gotten several complaints a week. To date, not a single one has been over a message that actually came through our network or from our customers. We put up SPF records last December, but since hardly anyone checks them, it hasn’t stemmed the tide of misdirected complaints.

    Another missing piece of information is the percentage of email that actually *fails* SPF checks. So they found that 3.8% of spam passes and 2.8% of legit mail passes. That’s disheartening, but SPF is pass/fail/neutral, not just pass/fail. What if 10% of spam *fails* and only a tiny amount of legit mail does? If that’s the case, then it’s already proving useful. But without those numbers, there’s no way to tell.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.