Peter N. M. Hansteen asks the question, "Does Your Email Provider Know What A 'Joejob' Is?" in his blog and provides some data and discussion. He provides anecdotal evidence which seems to indicate that Google and possibly other mail service providers are either quite ignorant of history when it comes to email and spam, or are applying unsavory tactics to capture market dominance.
[Ed Note: I had to look up "joe job" to find out what it is. According to Wikipedia:
A joe job is a spamming technique that sends out unsolicited e-mails using spoofed sender data. Early joe jobs aimed at tarnishing the reputation of the apparent sender or inducing the recipients to take action against them (see also e-mail spoofing), but they are now typically used by commercial spammers to conceal the true origin of their messages.
]
(Score: 3, Interesting) by TheRaven on Monday April 25 2016, @08:37AM
I have set up SPF, DKIM and DMARC records. I think that they make very little difference. For support of this proposition, look at the scores for DKIM in SpamAssassin.
I'm not sure about the more recent things, but someone did a study a few years after SPF was introduced and found that over 90% of domains with valid SPF records were owned by spammers. It's easy to register a new domain and add SPF records.
That's fine, because SPF was never intended to say 'this mail is not spam', it was intended to say 'all emails that come from the wrong server are spam and if messages from this domain are spam then it's safe to bounce them back to this server'. In spite of that, the last time I was on the receiving end of a Joe Job it was from a domain that had SPF records set up correctly and the server responsible for bouncing all of the spam at me was GMail.
sudo mod me up
(Score: 0) by Anonymous Coward on Monday April 25 2016, @11:59AM
> 'this mail is not spam', it was intended to say 'all emails that come from the wrong server are spam and if messages from this domain are spam then it's safe to bounce them back to this server'.
No, that is not what SPF is intended to do. For one thing, who bounces spam? That goes into spam folders or is null routed. All SPF is intended to do is say whether or not the sending host is authorized to deliver the message or not. It's up to the receiving host to decide what to do with that information.
> In spite of that, the last time I was on the receiving end of a Joe Job it was from a domain that had SPF records set up correctly and the server responsible for bouncing all of the spam at me was GMail.
It doesn't matter if the spammer's domain had an SPF record, what matters is if your domain had a restrictive SPF record.
Even then it is possible to set up SPF in such a way as to permit anyone to impersonate your domain. I've seen lots of SPF guides that recommend ~all or even +all at the end of the SPF record.
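
The last comment's point about `~all` and `+all` can be checked offline against the text of a domain's own SPF record. The sketch below is an added example, not part of the thread: the function names `spf_default_result` and `audit` are hypothetical, the sample records are constructed, and it goes slightly beyond the comment by also covering records with no `all` term or with a `redirect=` modifier, following RFC 7208.

```python
# Added example: what does an SPF record tell receivers about hosts it does not list?
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_default_result(record):
    """Return the SPF result for a sender that matches no earlier mechanism."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    redirect = None
    for term in terms[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            redirect = low.split("=", 1)[1]
            continue
        # A mechanism without a qualifier defaults to "+", so bare "all" means "+all".
        qualifier, mech = "+", low
        if low[0] in QUALIFIERS:
            qualifier, mech = low[0], low[1:]
        if mech == "all":
            # "all" always matches; later terms and any redirect are ignored.
            return QUALIFIERS[qualifier]
    if redirect:
        return "redirect:" + redirect  # policy is whatever the target publishes
    return "neutral"  # no "all" and no redirect: the default result is neutral

def audit(record):
    """Label how much the record restricts use of the domain by unlisted hosts."""
    result = spf_default_result(record)
    if result == "fail":
        return "restrictive"
    if result == "pass":
        return "open"  # every host on the Internet is declared authorized
    if result.startswith("redirect:"):
        return "delegated"
    return "weak"  # softfail or neutral: receivers get no firm rejection signal

if __name__ == "__main__":
    # Constructed sample records (example.com and 192.0.2.0/24 are reserved for docs).
    samples = [
        "v=spf1 mx ip4:192.0.2.0/24 -all",
        "v=spf1 include:_spf.example.net ~all",
        "v=spf1 mx +all",
        "v=spf1 ip4:192.0.2.0/24",
        "v=spf1 redirect=_spf.example.com",
    ]
    for rec in samples:
        print(f"{audit(rec):12} {spf_default_result(rec):28} {rec}")
```

Only a record that ends in `-all` is reported as restrictive; whether a receiver actually rejects on that result is still the receiver's decision.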