Sender Policy Framework (SPF) trick of the day

Since SPF records are DNS TXT records, they can only contain up to 255 characters of information. In some situations, you might not be able to fit all your sending networks in a small, 255-character text string.

So, what do you do?

Easy! Just use SPF's "include" functionality to link multiple SPF records together. Click on the string below to see the dnsstuff.com SPF lookup for an example domain:

Processing SPF string: v=spf1 include:spf-dc1.digitalriver.com include:spf-dc2.digitalriver.com include:spf-dc3.digitalriver.com include:spf-dc7.digitalriver.com include:spf-dc5.digitalriver.com include:spf-dc6.digitalriver.com ~all.

Notice where it says "include:xxxx1.domain.com"? That's instructing the SPF resolver to also look up the SPF record for xxxx1.domain.com and include it as part of the results for domain.com.

Not only does this help you when your networks won't fit, but it can also make changes and updates easier.
  • Adding a second domain? The second domain's record would only have to contain an "include" statement that references your primary domain. When the primary domain's SPF record is updated, the one for the new domain is also updated, automatically.
  • Have multiple facilities on different networks? Utilize the "include" functionality to link to additional facility-specific SPF entries. Then when a single facility's network changes, you only have that one SPF record to update.
If you're looking for more information about SPF, Wikipedia is a good place to start.
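To see how a chain of includes resolves, here is an added example (not code from the original post) that walks "include" terms recursively and collects the networks they authorize. The zone data and domain names are constructed stand-ins for DNS, and the check for at most 10 DNS-querying terms per evaluation comes from RFC 7208, which matters once records start chaining includes the way the lookup above does.

```python
# Constructed TXT data for hypothetical domains; a real check would query DNS.
ZONE = {
    "example.com": "v=spf1 include:spf-dc1.example.com include:spf-dc2.example.com ~all",
    "spf-dc1.example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 -all",
    "spf-dc2.example.com": "v=spf1 ip4:203.0.113.0/24 include:spf-dc3.example.com -all",
    "spf-dc3.example.com": "v=spf1 ip6:2001:db8::/32 -all",
    "second.example": "v=spf1 include:example.com ~all",  # second domain, one include
    "loop.example": "v=spf1 include:loop.example ~all",   # misconfiguration: self-include
}

LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")  # each one costs a DNS query
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4

class SPFError(Exception):
    """Raised where a receiver would return a permanent error for the record."""

def expand(domain, zone=ZONE):
    """Return (sorted networks, DNS lookups used) for a domain's SPF record."""
    networks, state = set(), {"lookups": 0}
    _walk(domain, zone, networks, state, chain=())
    return sorted(networks), state["lookups"]

def _walk(domain, zone, networks, state, chain):
    if domain in chain:
        raise SPFError("include loop via " + domain)
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        raise SPFError("no SPF record for " + domain)
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                  # drop the qualifier
        name = term.partition(":")[0].partition("/")[0]
        value = term.partition(":")[2]
        # redirect= also counts toward the limit; this sketch does not follow it
        if name in LOOKUP_MECHS or name.startswith("redirect="):
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                raise SPFError("more than 10 DNS lookups at " + domain)
        if name == "include":
            _walk(value, zone, networks, state, chain + (domain,))
        elif name in ("ip4", "ip6"):
            networks.add(value)
```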

I'm back!

I've finally transitioned spamresource.com from its old home on my DSL connection in Minneapolis. It's now hosted on Blogger, which seems like a quick and easy platform for me to post various articles and links as I run across them.

For most of the time during the long gap between articles, spamresource was an online software store. That was fun, but I now feel that it was more important to focus the site on its original purpose, which is to share information and news on spam-related topics.

It's easy to add this site's content to your RSS reader. Just copy the XML/RSS link from the navigation links on the right, and paste it into your RSS reader wherever you add the XML link for a new feed.

Any questions or feedback? Please contact me using the link on the right.

This is a test post.

When was it actually published? Versus when was it written.

Bill Gates, spamkiller?

"Spam's days are numbered, Gates says," according to the Miami Herald on January 24, 2004. Fellow anti-spam advocate Brian McNett is quick to point out that Gates' ideas won't work, and he's right about that. Read on for details.

CAN-SPAM is here

The new U.S. anti-spam law ("CAN-SPAM") is here to stay. It's a compromise law that really won't make anybody happy on either side of the equation. People who send mail, even non-spammers, will find that it enacts some (fairly mild) restrictions on what they can do. Anti-spam advocates will note it lacks a private right of action, and service providers are the only private entities allowed to sue.

Click here for a copy of the law. Read it through, and make yourself familiar with it.

If you send mail, opt-in or not, especially if you think you send opt-in mail but some places block/filter/reject it, keep this in mind: CAN-SPAM does not give you legal recourse to stop sites from blocking your mail. If you think an ISP has to accept your mail because you comply with CAN-SPAM, then you didn't read section 8:
SEC. 8. EFFECT ON OTHER LAWS.

(c) NO EFFECT ON POLICIES OF PROVIDERS OF INTERNET ACCESS SERVICE-
Nothing in this Act shall be construed to have any effect on the lawfulness or unlawfulness, under any other provision of law, of the adoption, implementation, or enforcement by a provider of Internet access service of a policy of declining to transmit, route, relay, handle, or store certain types of electronic mail messages.


In other words, just because your mail is legal doesn't mean ISPs are forced to accept it. I interpret section 8(c) generally to mean that ISPs are allowed to set policies with regard to what mail they'll accept or transmit. If you're a mailer, that means ISPs can block you if they so desire, based on whatever policy they have in place.

If you're an ISP and are concerned about being able to terminate a spamming client even though their mail complies with CAN-SPAM, this is easy to address. Make sure you have a contract that forbids bulk unsolicited mailings. Don't use the word "spam" or you get stuck in an argument about what spam is or isn't. Make it clear that if you have proof that they're sending mail to recipients without direct, verifiable consent to mail those recipients, you are able to break the contract. This would be your policy of declining to transmit certain types of electronic mail messages from your network.

I'm not a lawyer. If you think the law is going to affect you, go get a lawyer and have them review the law with you. Beware the marketing consultants spreading FUD (Fear, Uncertainty, Doubt) about the new law. A lot of it is questionable advice. Keep in mind that if you're a mailer already doing things right, the impact on you is going to be minimal.

Double Opt-in/Confirmed Opt-in

Different names for the same practice.

Whether you call it closed-loop opt-in, confirmed opt-in, verified opt-in or double opt-in, you're generally referring to an email address verification process used to validate an email address before adding it to an electronic mailing list. Double opt-in is something of a misnomer, because it's not a second opt-in; it's address verification. However, what you call it is less important than whether or not you employ it. (For more about the terminology argument, head on over to Pan Am Internet's excellent page on the issue.)

Why should you do it?

You do it to prevent forgeries. The process nearly eliminates spam complaints, and any you do receive can usually be easily disproved.

It can also ensure better deliverability. If you send email, you know how many spam filters (both good and bad) there are out there. They will filter or block even confirmed opt-in email. Why they do is a whole other issue, but if you can demonstrate that you correctly utilize double opt-in, you can get whitelisted by various spam filtering organizations and companies.

How does it work?

Generally, it starts with a web form. A potential recipient will sign up for emails by entering their email address into your form and clicking the submit button. What happens next is they are sent a confirmation request email. In that email, there is a unique coded URL that the recipient clicks on to verify their identity. If the recipient does NOT click on the URL, nothing happens. They are not added to your list, and you don't email them again.

If you decide to implement this process on your own, make sure you keep records of all the opt-in requests and completions: IP addresses, opt-in codes, etc. Also, make sure your confirmation method can't be spoofed. Any validation URLs should have a coded URL, not a plain URL that contains the person's email address. For an example of how the process works, click here for a demo I've created.
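One way to build the coded URL and the record keeping described above, as an added example that is not the demo linked from this post. The host lists.example, the parameter name c, the one-week expiry and the in-memory stores are assumptions made for illustration; a real list would use a database.

```python
import hashlib
import secrets
import time

PENDING = {}         # sha256(code) -> pending request (stand-in for a database table)
AUDIT = []           # append-only log of requests, completions and rejections
SUBSCRIBERS = set()
TOKEN_TTL = 7 * 24 * 3600  # assumed expiry for unconfirmed requests: one week

def _digest(code):
    # Store only a hash, so a leaked table cannot be used to confirm addresses.
    return hashlib.sha256(code.encode()).hexdigest()

def request_subscription(email, ip, now=None):
    """Log the sign-up and return the coded URL for the confirmation email."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(32)  # 256 random bits; carries no address
    PENDING[_digest(code)] = {"email": email, "ip": ip, "requested": now}
    AUDIT.append(("request", email, ip, now))
    return "https://lists.example/confirm?c=" + code

def confirm(code, ip, now=None):
    """Subscribe the address only if the code matches a live pending request."""
    now = time.time() if now is None else now
    rec = PENDING.pop(_digest(code), None)  # pop makes each code single-use
    if rec is None or now - rec["requested"] > TOKEN_TTL:
        AUDIT.append(("rejected", None, ip, now))
        return False
    SUBSCRIBERS.add(rec["email"])
    AUDIT.append(("confirm", rec["email"], ip, now))
    return True
```

Because the code is random and never derived from the address, someone who types a victim's address into the form cannot construct the confirmation URL without access to the victim's mailbox.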

Links to info and commentary on double opt-in/confirmed opt-in.

From iBizBasics.com - March 6, 2001 by Mark Brownlow. Overall, a good article, though it contains a technical error. Mark claims that double opt-in can't prevent forged subscriptions, which is incorrect. It's only a poor implementation of the process which would have this problem.

From EzineBlast.com's guide to list management and spam issues, here's a quick and simple definition of what double opt-in/closed-loop is and why you should do it.

From Network World - February 19, 2001. Mark Gibbs explains what it is and why you should do it. Why is it important to prevent forgeries? He explains.

Lyris provides software and services to companies who both send and receive email. They point out that double opt-in is the way to go if you don't want to get blocked by the various anti-spam groups.

Marketing consultant Gary North explains that double opt-in is "an internet rule against spamming." I agree; it definitely helps.

Cluelessmailers.org has a very compelling reason why double opt-in/confirmed opt-in is a good practice: It'll keep you out of jail. While phrased whimsically, there's some truth to that. With all the US state anti-spam laws in place, are you sure you're in compliance with all of them? Most require a prior business relationship as a bare minimum to allow you to send someone an advertisement via electronic mail. Is a business relationship established when somebody else forges that recipient's address into your form? That's not clearly defined, and I wouldn't want to bet on it.