SPF is good enough. True or False?


The other day I was doing a mini-consult for a marketing sender who uses one of those Marketing Clouds to send their mail, and the client's IT representative challenged my point of view. I had suggested that the client needs to authenticate all mail with both DKIM and SPF. Currently, a large share of their mail was authenticated only with SPF, with no DKIM signature to be found. It's getting delivered fine today, but what about the future? Thus, my recommendation is that all mail sent must authenticate with both DKIM and SPF. I want you to have belt and suspenders, not just the belt, even if your pants aren't falling down today.

The challenge was this: Isn't SPF good enough? The mail is getting delivered. Maybe at some point in two months, six months, two years, whatever, things will change and we need to care then, but do we need to care now?

Let's boil that down to this: SPF is good enough. True or False?

Here's what I know:

  • The mail is getting delivered to Yahoo and Gmail mailboxes today.
  • It is not in compliance with the new bulk sender requirements. Google in particular says DKIM and SPF, not DKIM or SPF. Yahoo says the same -- AND, not OR.
  • One-click unsubscribe adds a new wrinkle to the mix. To be compliant with RFC 8058, your mail must carry a DKIM signature, and that signature must cover the List-Unsubscribe and List-Unsubscribe-Post headers. That means if you have no DKIM, you don't get one-click (List-Unsubscribe-Post) functionality at all, and one-click unsubscribe is itself one of the new requirements. I didn't even catch this one myself, the first time around.

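To make the RFC 8058 dependency on DKIM concrete, here is an added example (my own script, not code from the original post or from any mailbox provider) that inspects a message's headers and reports why it would not qualify for one-click unsubscribe. It checks only what the headers themselves can tell you: that List-Unsubscribe carries an https URL, that List-Unsubscribe-Post is exactly List-Unsubscribe=One-Click, and that some DKIM-Signature's h= tag lists both headers. It does not verify the signature cryptographically, which would need the selector's public key from DNS. The three messages are constructed samples.

```python
import email

ONE_CLICK = "List-Unsubscribe=One-Click"   # the exact body RFC 8058 requires


def parse_dkim_tags(sig_value):
    """Split a DKIM-Signature value into its tag=value pairs.

    Folding whitespace is stripped out of every value, since RFC 6376 lets
    it appear inside tags such as h= and b=.
    """
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = "".join(value.split())
    return tags


def signed_headers(sig_value):
    """Lower-cased set of header names the signature's colon-separated h= tag covers."""
    h = parse_dkim_tags(sig_value).get("h", "")
    return {name.lower() for name in h.split(":") if name}


def one_click_problems(raw_message):
    """Return the reasons (empty list if none) the message cannot satisfy
    RFC 8058 one-click unsubscribe, judged from headers alone; the DKIM
    signature's cryptographic validity is not checked here."""
    msg = email.message_from_string(raw_message)
    problems = []

    lu = msg.get("List-Unsubscribe")
    if lu is None:
        problems.append("no List-Unsubscribe header")
    elif "<https://" not in lu.lower():
        problems.append("List-Unsubscribe has no https URL to POST to")

    lup = msg.get("List-Unsubscribe-Post")
    if lup is None:
        problems.append("no List-Unsubscribe-Post header")
    elif lup.strip() != ONE_CLICK:
        problems.append("List-Unsubscribe-Post must be exactly %r" % ONE_CLICK)

    sigs = msg.get_all("DKIM-Signature") or []
    needed = {"list-unsubscribe", "list-unsubscribe-post"}
    if not sigs:
        problems.append("no DKIM-Signature: SPF-only mail cannot satisfy RFC 8058")
    elif not any(needed <= signed_headers(s) for s in sigs):
        problems.append("no DKIM-Signature covers both List-Unsubscribe headers in h=")
    return problems


# Constructed sample messages (headers only, trivial bodies); not real traffic.
SPF_ONLY = """From: news@example.com
To: someone@example.net
Subject: Weekly offers
List-Unsubscribe: <https://example.com/unsub?t=abc>, <mailto:unsub@example.com>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

(body)
"""

# Signed, but h= leaves the two List-Unsubscribe headers out of the signature.
DKIM_NOT_COVERING = """DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mkt;
 h=from:to:subject:date; bh=Zm9v; b=YmFy
""" + SPF_ONLY

# Signed with h= covering both headers, as RFC 8058 requires.
COMPLIANT = """DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mkt;
 h=from:to:subject:list-unsubscribe:list-unsubscribe-post; bh=Zm9v; b=YmFy
""" + SPF_ONLY


if __name__ == "__main__":
    for label, raw in (("SPF only", SPF_ONLY),
                       ("DKIM not covering", DKIM_NOT_COVERING),
                       ("compliant", COMPLIANT)):
        print(label, "->", one_click_problems(raw) or "OK")
```

Run it against a raw message you pulled from a seed mailbox and you get the same answer a receiver's RFC 8058 check would give before it even looks at the signature: with no DKIM at all, the one-click machinery is simply unavailable, however clean the SPF pass is.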
It's true that Gmail and Yahoo Mail are not rejecting this mail today. They're both likely treading lightly on enforcement: they want to nudge senders in the right direction, give people time to comply, and minimize the chances that senders will yell at them (unfairly or not). The one-click unsubscribe deadline is now June 2024 (as far as Google is concerned), and Google warns that in April 2024 senders are likely to see some percentage of non-compliant mail delayed or rejected.

Could those deadlines slip further? Yes, they could. None of this is set in stone, and the people at both Yahoo and Google are smart; they understand that things could happen (or not happen fast enough) that drive them to reassess and adjust the timelines for delivering that negative feedback on non-compliant mail.

But do you really want to risk it? Let's say you play “wait and see” and then on April 1, or May 1, or June 15th, suddenly 1% or 5% or 50% or 100% of your mail to Gmail subscribers starts bouncing. How much delivery is lost, how much revenue is lost, until you fix it? And how are you going to feel, knowing you could have fully prevented this ahead of time?

There's really no excuse not to get ahead of this.

And we haven't even touched on the other reasons SPF alone may not be good enough. There are security-related reasons that neither SPF nor DKIM on its own is enough to stop bad actors from doing silly stuff with email today. For DKIM, think of DKIM replay attacks, where a legitimately signed message is captured and re-sent in bulk with its valid signature intact. For SPF, think of things like the SubdoMailing attack, which is an exploit that takes advantage of defunct SPF includes (you'll find a good write-up on this from Red Sift). If you think hard about all of this, you might suspect that the evolution of email authentication is going to involve moving from "SPF or DKIM" to "SPF and DKIM," and perhaps on to some future version of DMARC that requires both to pass (or even both to align) every time, for certain types of mail. Requirements are going to get tighter in this regard; they're not going to stagnate and they're not going to loosen up. If you don't keep up with compliance today, you'll just be further out of compliance tomorrow.
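The "or" versus "and" distinction above (and the AND-not-OR wording of the Google and Yahoo requirements earlier in the post) is easy to see by grading one message under each rule. The following is an added example of my own, not code from the original post: it parses an Authentication-Results header the way a receiving MTA writes it and reports whether the message would pass today's DMARC (one aligned pass is enough), the bulk-sender "both must pass" wording, and a hypothetical stricter policy where both must pass and both must align. The alignment check is a deliberate simplification that assumes example.com-style names rather than consulting the public suffix list, the parser covers the common authres shapes rather than the full RFC 8601 grammar, and the "both_aligned" policy is the post's speculation, not an existing DMARC version. The three header values are constructed samples.

```python
import re


def parse_authres(value):
    """Parse an Authentication-Results value (RFC 8601) into
    {method: (result, {property: value})}. The leading authserv-id and any
    parenthesised comments are dropped. Handles the shapes the large mailbox
    providers emit; not a full RFC 8601 grammar."""
    value = re.sub(r"\([^)]*\)", " ", value)
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    results = {}
    for clause in clauses[1:]:                  # clauses[0] is the authserv-id
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                props[key.lower()] = val.strip('"').lower()
        results[method.lower()] = (result.lower(), props)
    return results


def aligned(auth_domain, from_domain):
    """Relaxed DMARC alignment, approximated: the two names are equal or one is
    a subdomain of the other. Assumption: a real check compares organizational
    domains via the public suffix list; this shortcut suffices for the
    example.com-style samples below."""
    a, f = auth_domain.lower(), from_domain.lower()
    return bool(a) and (a == f or a.endswith("." + f) or f.endswith("." + a))


def evaluate(from_domain, authres_value):
    """Grade one message under three progressively stricter policies:
    dmarc_today  - RFC 7489: one aligned pass (SPF or DKIM) is enough
    spf_and_dkim - the Google/Yahoo bulk-sender wording: both must pass
    both_aligned - hypothetical future policy: both pass and both align"""
    ar = parse_authres(authres_value)
    spf_result, spf_props = ar.get("spf", ("none", {}))
    dkim_result, dkim_props = ar.get("dkim", ("none", {}))

    spf_pass = spf_result == "pass"
    dkim_pass = dkim_result == "pass"
    # smtp.mailfrom may be a bare domain or a full address; keep the domain part.
    spf_domain = spf_props.get("smtp.mailfrom", "").rpartition("@")[2]
    dkim_domain = dkim_props.get("header.d", "")

    spf_aligned = spf_pass and aligned(spf_domain, from_domain)
    dkim_aligned = dkim_pass and aligned(dkim_domain, from_domain)
    return {
        "dmarc_today": spf_aligned or dkim_aligned,
        "spf_and_dkim": spf_pass and dkim_pass,
        "both_aligned": spf_aligned and dkim_aligned,
    }


# Constructed Authentication-Results values in the style a receiving MTA writes
# them; not captured from real traffic.
SPF_ONLY = ("mx.example.net; spf=pass (sender permitted) "
            "smtp.mailfrom=bounce@bounce.example.com; dkim=none (message not signed); "
            "dmarc=pass (p=NONE) header.from=example.com")
# Signed by the sending platform's own domain: passes, but does not align.
ESP_SIGNED = ("mx.example.net; spf=pass smtp.mailfrom=bounce@bounce.example.com; "
              "dkim=pass header.d=mail.espvendor.example header.s=s1; "
              "dmarc=pass header.from=example.com")
FULLY_ALIGNED = ("mx.example.net; spf=pass smtp.mailfrom=bounce@bounce.example.com; "
                 "dkim=pass header.d=example.com header.s=mkt; "
                 "dmarc=pass header.from=example.com")


if __name__ == "__main__":
    for label, ar in (("SPF only", SPF_ONLY), ("ESP-signed", ESP_SIGNED),
                      ("fully aligned", FULLY_ALIGNED)):
        print(label, "->", evaluate("example.com", ar))
```

The SPF-only message is the one the client is sending today: it passes DMARC as written in RFC 7489 but fails the moment the rule becomes "and". The ESP-signed case is worth noting too, since a vendor-domain DKIM signature satisfies "both pass" yet still leaves the sender one policy step away from trouble; signing with the client's own domain (the third case) is the configuration that survives every row.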

Verdict: False. SPF is not good enough. It's not a future-proof configuration. It's barely a suitable configuration for today, and relying on SPF alone, when sending any significant volume of mail, means you're likely to see deliverability issues soon, probably before the end of 2024.

I asked the Spam Resource Linkedin Community for their feedback. Do they think SPF is good enough? Come on over to the thread and read their thoughts.
