An E-Mail Marketer’s Guide to Deliverability, Part 1: SPF

I admit it. Not too long ago, I understood the concept behind SPF (define), Sender ID, and DomainKeys, as well as the importance of them. But the subtleties of each eluded me. That was before Rick Buck, director of e-media and privacy/ISP relations at e-Dialog, was kind enough to translate the tech-speak surrounding these terms into plain English even a marketer could understand.

SPF, Sender ID, and DomainKeys are relatively new technologies on the cutting edge of the fight against spam and false positives. False positives, basically legitimate email messages mistaken for spam, are one of the biggest issues facing email marketers.

Overview

The goal of all these technologies is to verify a message’s sender is who he says he is. Falsifying sender addresses is a common practice among spammers. The logic: if you make it harder for spammers to hide their identities, it’s easier to hold them accountable for the email they send. This may discourage their efforts.

Though these technologies aren’t silver bullets for stopping spam, they should help diminish false positives. They’re the first steps toward a technical solution to spam, combined with reputation, authentication, and accreditation technologies.

The three technologies are somewhat hierarchical. SPF provides the most basic level of authentication. Sender ID takes it a step further, while DomainKeys offers an additional verification level. SPF is already used, most notably by America Online, to filter spam.

SPF

SPF, once known as sender permitted form, works by looking at an incoming message’s sender address and the server sending it. If the server is authorized to send email on behalf of the domain name in the sender address, the message gets through. If not, it’s filtered as spam.

SPF relies on what’s called the “envelope address,” the sender address appearing as the “return-path” in the email header. It only looks at the domain name (the portion of the address after the “@”), not the complete address. SPF doesn’t confirm the message came from a specific user at that domain name, only that it came from that domain name’s server.

To get through SPF filters, senders must publicly identify servers authorized to send email from their domain name in their DNS (define) record. It’s not a time-consuming, difficult, or costly endeavor. If you send email from your own server, your IT folks should be able to handle it. If you use an email service provider (ESP) to send your bulk email, they should handle this for you.

You can also use SPF to decrease the amount of spam you receive. It’s simple for your IT folks to implement this, and there are lots of online resources to help (a few are listed at the end of this column).

If you use SPF, you won’t be alone. All the major ESPs use it, as do most major ISPs. Additionally, hundreds of thousands of organizations that send email have already published SPF records.

There’s an additional benefit to publishing your SPF record. You know all those bounces you receive from spam email that appear to be from your domain but aren’t? An ISP filtering with SPF technology won’t send them to you. It “knows” the message didn’t originate from your server.

By enabling SPF technology on your sent and received email, you’re doing your part to take email back from spammers.

SPF isn’t perfect. Many legitimate email marketers have already published their SPF records. So have many spammers. Those spam messages are authorized via SPF just as legitimate messages are.

There’s some controversy around SPF. As a traveler, I worry about tying my domain name to a single server. I use my own ISP to send mail when I’m home, and I use a patchwork of networks provided by hotels, clients, and my home away from home, Starbucks, to send mail when I travel. There’s no way to submit SPF records for all these locations and servers, especially the ones I haven’t yet visited.

SPF also appears to be incompatible with forwarding email, among other things. Still, I support SPF. I’m confident kinks like these will eventually be worked out.

This is just the tip of the SPF iceberg. If you want to learn more about the benefits, drawbacks, and details on implementing SPF for sends or as a filter, there are many resources. Wikipedia offers a good basic background and more details on the downsides of SPF. AOL does a good job of laying out SPF’s benefits, especially as they pertain to its white list. Pobox.com has more information and a wizard to help you publish your SPF record.

Next: Sender ID, which many view as an improvement on SPF but not yet perfect. Future columns in this series will discuss DomainKeys and some of the other technologies that tie delivery to reputation, authentication, and accreditation.

Want more email marketing information? ClickZ E-Mail Reference is an archive of all our email columns, organized by topic.