Date: 2007-12-07 22:38:00
spf -all

A recent post by taral piqued my curiosity and made me wonder just how many domains publish "-all" (hardfail) in their SPF records. To that end, I have set up spf-all.com, which aims to count them.

I am currently loading domains into the database. This involves a DNS lookup for each domain name, so it's only going at an average rate of a few per second. I have several million domain names ready to be loaded, so I expect the initial load to take a few weeks. I have grabbed domain names from the following sources so far:

If you can think of any other easily obtainable list of domain names, let me know!

And for what it's worth, the highest-Alexa-ranked domain that publishes SPF -all is ...drumroll... blogger.com.
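
As an added example (not code from the original post or from spf-all.com), this Python snippet classifies a domain by the qualifier on its SPF `all` mechanism, given TXT strings that have already been fetched. The `.example` names, sample records and category labels are constructed for the illustration.

```python
import re
from collections import Counter

# SPF qualifiers (RFC 7208); a mechanism with no prefix defaults to "+".
QUALIFIERS = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}

def classify_all(txt_records):
    """Classify one domain from its TXT strings (multi-string TXT data is
    assumed to be already concatenated). Labels are this example's own."""
    spf = [t for t in txt_records
           if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not spf:
        return "no-spf"
    if len(spf) > 1:
        return "multiple-spf"  # more than one SPF record is a permanent error
    redirect = False
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            # "all" always matches, so later terms and any redirect are moot
            return QUALIFIERS[m.group(1) or "+"]
        if term.lower().startswith("redirect="):
            redirect = True
    return "redirect" if redirect else "no-all"

def tally(domains):
    """Count domains per category; `domains` maps name -> list of TXT strings."""
    return Counter(classify_all(txt) for txt in domains.values())

# Constructed sample data (not real lookups).
SAMPLE = {
    "hardfail.example": ["v=spf1 mx ip4:192.0.2.0/24 -all"],
    "softfail.example": ["site-verification=abc",
                         "v=spf1 include:_spf.example.net ~all"],
    "delegated.example": ["v=spf1 redirect=_spf.example.net"],
    "broken.example": ["v=spf1 -all", "v=spf1 mx ~all"],
    "nospf.example": ["some unrelated text"],
    "open.example": ["v=spf1 a all"],
}

if __name__ == "__main__":
    for category, count in tally(SAMPLE).most_common():
        print(f"{category:13} {count}")
```

A domain in the `redirect` category takes its policy from the target record, so a real count would have to follow the redirect before deciding whether the domain ends in -all.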

mskala
2007-12-07T14:40:14Z
On the front page you say: "Such domains are using SPF the way it is intended, and are safe from email forgery." Do you really want to say that? It seems to me that domains using -all would be safe from email forgery if everybody in the world implemented SPF-based message rejection, and forgers never compromised a server that was listed as "trusted", and never thought of any other way to do forgery... but those seem to me to be pretty big ifs.
ghewgill
2007-12-07T20:11:24Z
Yes, there certainly are conditions. But I intentionally used aggressive wording in the description, in the hopes that more people actually start using -all. It's a small step.
Greg Hewgill <greg@hewgill.com>