A possible issue with SPF

This problem may already have been addressed, and I’ve no doubt that other people have also given it thought – but I’ve not been able to find any information pertaining to it, so if it has the answer hasn’t been widely disseminated. However I think there is an issue with how SPF relates to non-mail servers and non-existent sub-domains. First a bit of background though – the purpose of SPF is to prevent sender address forgery and correctly configured it does achieve this for domains and subdomains both for those you intend to send e-mail from and those you don’t. To prevent abuse of domains, and presumably sub-domains that you don’t send e-mail from the SPF FAQ advises that you: “Publish null SPF records for your domains that don’t send mail” http://www.openspf.org/FAQ/Common_mistakes#all-domains They acknowledge that there is a problem with people spoofing non-email sending domains, however the FAQ doesn’t mention… Continue reading