The way that Sender ID, SPF, and their ilk work is simple, they add to DNS information about what IPs email from that domain might come from. If you forge your header it does you no good unless you come from the right IP address. Forging your IP address (or the DNS record) is, of course, substantially harder than forging the header on an email.

So their, All the spammer has to do line is trivially wrong.

Now MX Logic really did the study that is referred to. But that study shows something different than the Inquirer's piece of garbage claims that it does. I think that it also shows something different than MX Logic thinks that it does, but that is more debatable.

The study is based on a sample of 400,000 emails that MX Logic's spam filter classified as spam. Of those emails, 16% had published SPF records. Their claim is that "spammers" are adopting SPF in a big way.

Now there are some major methodological problems that they don't clarify. The first one is that I don't know whether or not they were saying that the domain has an SPF record, or whether it passed an SPF check. Consider the problem of forged Yahoo! addresses to see why this would affect numbers in a big way. Furthermore for this to be meaningful, you want to focus on passed SPF in strict mode. A lot of people use SPF right now, but have it in a transitional mode where they say, "Our email should come from these IPs, but please don't throw it away if it doesn't." A month or two after you do this and see that it works, you're supposed to switch to strict mode where people actually drop your email if it doesn't match the SPF record. Passing SPF until you're in strict mode is no biggie.

Given that they have a vested interest against other spam solutions, I'm not going to assume that they actually made either judgement call like I would want. For one thing, it would have made their numbers a lot smaller!

But methodological issues aside, their fundamental point has truth to it. I believe that "spam" probably has good uptake of SPF records. The reason that I put the quotes on is that they are defining spam as, Failed our filter. That pretty much means that something looks like marketing email. Lots of fairly legitimate marketing email is out there, things like confirmation messages from Amazon, catalogs from L.L. Bean and the like. While it makes good publicity for MX Logic to call it spam, it may or may not be. The real test, of course, is whether the recipient would have considered it spam. And this key question is not answered.

These companies have a big problem - they don't think of themselves as spammers but they tend to fail spam filters. They want to get whitelisted. Generally speaking, the ISPs would like to whitelist them as well - recipients generally dislike false positives more than false negatives when it comes to spam filtering. But the problem is that if, for instance, it was known that anything labelled Amazon gets through at Hotmail, then every spammer would spam Hotmail from "Amazon" emails.

SPF solves this problem with whitelisting. (SPF does more, of course.) SPF makes it easier to hold domains accountable for what they send. Which makes it possible to identify people as bad or good. So if you're a company that sends what you think is legitimate marketing email, of course you're going to want to use SPF. And of course MX Logic is going to flag your emails as spam. Hence you're now "evil spammers" for their rhetorical point.

Disclaimer: I work for [link|http://www.rent.com|a company] that is in this position. (Our emails are lists of apartments for people who've signed up to search for apartments.)

Cheers,
Ben