Email Forgery Prevention Using SPF

W3C has deployed SPF (Sender Policy Framework) to prevent email forgeries. Our mail hubs reject forged mail according to SPF records published by domain owners, and we have published SPF records indicating which servers are authorized to send email claiming to be from w3.org. See below for more information about how to avoid forgeries from your site and about W3C's own SPF records.

How to Avoid Forgeries from Your Site

If you are concerned about email forged to appear from your site, you can publish an SPF record (or ask your system administrators or ISP to publish one on your behalf) and our email servers will automatically start to reject forgeries that claim to be from your site.

This endorsement is not without some reservations. While Jonathan de Boyne Pollard's essay on problems with SPF overstates the case in some places, the point about squatting on TXT records is a concern we share.

W3C's SPF records

The SPF record for w3.org

provides a list of servers that are authorized to send mail on behalf of w3.org.

This record ends in ~all, which means "softfail". Due to issues with SPF and mail forwarding, we intend to leave our SPF record in this state for the foreseeable future, so our record is useful mainly for whitelisting. (Mail with an 'SPF pass' status from w3.org is most likely legitimate, but other mail can be subject to more scrutiny, e.g. using heuristic-based filters.)

The SPF records for w3c.org and www.org

indicate that those domains are never valid senders of email, so any mail claiming to originate there should be rejected.
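The following is an added example, not code from W3C's mail hubs, showing how a receiver evaluates a sender's IP against records of the two shapes described above: a record that ends in ~all (softfail, useful for whitelisting but not for outright rejection) and a record that is just -all (the domain never sends mail, so any such mail is rejected). It implements the ip4, ip6, include and all mechanisms with the +, -, ~ and ? qualifiers from RFC 7208; it does not implement a, mx, ptr, exists or redirect. The domain names, records and addresses in FAKE_DNS are constructed for the example (RFC 5737/3849 documentation ranges), standing in for real TXT lookups, and are not W3C's records.

```python
import ipaddress

# Constructed in-memory "DNS" table standing in for TXT lookups. These domains,
# records and address ranges are illustrative only, not W3C's real SPF data.
FAKE_DNS = {
    # softfail record: the page's w3.org-style shape (useful mainly for whitelisting)
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhub.example ~all",
    # a mail provider's record pulled in via include:
    "_spf.mailhub.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    # hard-fail record: the page's w3c.org-style shape (domain never sends mail)
    "never-sends.example": "v=spf1 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS):
    """Return the SPF TXT record for a domain, or None if it has none."""
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_host(ip, domain, dns=FAKE_DNS, depth=0):
    """Evaluate sender IP against the domain's SPF record.

    Returns one of pass / fail / softfail / neutral / none / permerror,
    following RFC 7208 semantics for the subset of mechanisms implemented
    (ip4, ip6, include, all). Hypothetical helper, not a full SPF library.
    """
    if depth > 10:
        return "permerror"  # RFC 7208 caps the number of lookup-causing terms
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # mechanisms default to the pass qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32 or /128
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_host(ip, arg, dns, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside the include is simply "no match"
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
    return "neutral"  # record without an "all" term: RFC 7208 default result


def hub_action(result):
    """Receiver policy in the spirit of the page: reject SPF fail, treat pass
    as whitelisted, and hand everything else to heuristic filters."""
    if result == "fail":
        return "reject"
    if result == "pass":
        return "accept"
    return "scrutinize"


if __name__ == "__main__":
    for ip, domain in [("192.0.2.5", "example.org"),
                       ("198.51.100.10", "example.org"),
                       ("2001:db8::1", "example.org"),
                       ("203.0.113.7", "example.org"),
                       ("203.0.113.7", "never-sends.example"),
                       ("203.0.113.7", "no-spf.example")]:
        result = check_host(ip, domain)
        print(f"{ip:>16} claiming {domain:<22} -> {result:<9} -> {hub_action(result)}")
```

Running it shows the distinction the page draws: an address outside the ~all domain's authorized list comes back softfail and is merely scrutinized, whereas any address claiming the -all domain comes back fail and is rejected outright.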