>> In my opinion, "-all" is good only when it is the *only* entry in the
>> SPF record, i.e. the SPF record indicates that the domain does not send
>> mail *at all*. In all other cases, I think that even if the original SPF
>> record specifies "-all", the receiving server should override this and
>> interpret it as "?all".
>
> I tend to disagree. If you allow every IP to send mail on your behalf,
> then why even bother putting an SPF record? For me, only -all makes
> sense, all others are just as meaningful as having no SPF records at
> all.

What you write would be correct if SPF was the only spam filtering
mechanism. But it is only one of the many spam filtering mechanisms,
along with DKIM, content filtering, IP reputation, etc. Each of these
mechanisms has a positive or negative effect on the final result: mark /
do not mark this email as spam.

For SPF, the "all" keyword is only reached if processing the previous
policy rules did not result in a positive answer, which means "interpret
this as a sign that the email is likely not spam, but use the other
filtering mechanisms before taking a decision" (it's a "+1"). At that point:

"?all" means "do not interpret this as a sign that the email is likely
spam, please use the other filtering mechanisms to take a decision instead"
(it's a "+0"),

"~all" means "interpret this as a sign that the email is likely spam, but
use the other filtering mechanisms before taking a decision" (it's a "-1"),

"-all" means "interpret this as a sign that the email is certainly spam, do
not use any other filtering mechanisms to take a decision" (it's a
"-infinity").

As I and others said, given in particular the case of forwards and mailing
lists, "-all" is seldom a good idea, and certainly not a good idea for a
small personal server.
Gregory
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
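
The following is an added example, not part of the original message or of any mail server's code: a small offline SPF evaluator that applies the weights described above (+1, +0, -1, -infinity) to a direct delivery and to a forwarded one. The function names, the constructed sample addresses (RFC 5737 documentation ranges), the restriction to `ip4:`, `ip6:` and `all` mechanisms, and the zero weight for a missing record are assumptions of this sketch.

```python
import ipaddress

# RFC 7208 qualifier -> SPF result
RESULTS = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}
# Weights as described in the message above: +1, +0, -1, -infinity.
# The 0.0 for "none" (no SPF record) is an assumption of this sketch.
WEIGHTS = {"pass": 1.0, "neutral": 0.0, "softfail": -1.0,
           "fail": float("-inf"), "none": 0.0}


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record limited to ip4:, ip6: and all mechanisms.

    Mechanisms that need DNS lookups (a, mx, include, ...) are out of
    scope for this offline sketch and raise ValueError.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]  # always matches; evaluation ends here
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        else:
            raise ValueError(f"mechanism not handled offline: {name}")
    return "neutral"  # nothing matched and no "all": RFC 7208 default


def spf_weight(record, client_ip):
    """Contribution of the SPF result to an overall spam decision."""
    return WEIGHTS[evaluate_spf(record, client_ip)]


if __name__ == "__main__":
    # Constructed sample data: the domain's own server and a forwarder.
    own_server, forwarder = "192.0.2.25", "198.51.100.7"
    for tail in ("?all", "~all", "-all"):
        record = f"v=spf1 ip4:192.0.2.0/24 {tail}"
        print(f"{record!r}: own={spf_weight(record, own_server)} "
              f"forwarded={spf_weight(record, forwarder)}")
```

The forwarded delivery is the case the thread argues about: the same legitimate message scores 0, -1 or -infinity depending only on the trailing `all` qualifier.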