Michael Scheidell wrote:
> (yes, I know, SPF is broken) and spammers can sign their spam with dkim,
> and spammers can run their own domains and put in valid spf records.

It's not broken, just mislabeled, and thus people try to use it for things it's not designed for. SPF isn't a general-purpose anti-spam tool, despite what the website may claim. It is a domain forgery detection tool, nothing more. However, it does that much fairly well.

Unfortunately, people often think it's a "black and white" tool, where passing SPF is a whitelist. That's a mistake. SPF can't be used for whitelisting unless you also trust the domain operator. Without additional trust of the sending domain, SPF is only useful in detecting fails as spam. (This is exactly how SA implements it; note that SPF_PASS is not worth any significant score.)

Of course, if it's your own domain... well, SPF is really very useful. Publish an SPF record, and use an SPF milter to reject all mail that fails SPF. This will filter your forgeries, as well as forgeries from other domains that use SPF. If you don't trust yourself to make a good SPF record, put it in a DNS view of your domain that only your SA box can see, and don't export that record to the rest of the world.
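The distinction drawn above (SPF fail is a forgery signal worth rejecting on, SPF pass is not a whitelist unless you also trust the domain) can be seen in a toy SPF evaluator. This is an added example and not code from the thread or from SpamAssassin; the DNS records are constructed stand-ins using documentation address ranges, and the evaluator only handles the ip4/ip6/include/all mechanisms, which is enough to show the pass/fail/softfail/none outcomes and how a milter-style policy would act on them.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical zones, not a real resolver).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example.org": None,   # domain that publishes no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Domains whose operators we trust enough to let SPF pass act as a whitelist.
TRUSTED_DOMAINS = {"example.com"}


def check_spf(domain, ip, dns=FAKE_DNS, depth=0):
    """Evaluate the sending IP against the domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented in this toy.
    """
    if depth > 10:                      # guard against include loops
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no policy published: nothing to say
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") or term.startswith("ip6:"):
            # ip_network() returns False for a version mismatch, so mixing is safe
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include: matches only if the referenced domain yields "pass"
            if check_spf(term[len("include:"):], ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"          # mechanism this toy does not understand
    return "neutral"                    # record ended without a matching term


def policy(domain, ip, dns=FAKE_DNS):
    """Milter-style decision mirroring the post: reject on fail, whitelist on
    pass only for trusted domains, otherwise hand the mail to content scoring."""
    result = check_spf(domain, ip, dns)
    if result == "fail":
        return "reject"                 # forgery of a domain that says -all
    if result == "pass" and domain in TRUSTED_DOMAINS:
        return "whitelist"
    return "score"                      # SPF_PASS alone is not worth much


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.5"), ("example.com", "203.0.113.7"),
                    ("mail.example.net", "198.51.100.10"), ("nospf.example.org", "203.0.113.7")]:
        print(dom, ip, check_spf(dom, ip), "->", policy(dom, ip))
```

Note that the `-all` on example.com is what makes rejection possible; mail.example.net's `~all` only ever yields softfail, which the policy treats as a scoring input rather than a hard reject, and a domain with no record gives the filter nothing at all.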