> > SPF works great as a selective whitelist in SpamAssassin. (And I don't
> > mean whitelisting all SPF passes. That would be stupid. I mean
> > whitelisting mail coming from domain X, but only when it passes SPF
> > and demonstrates that yes, it really came from domain X.)
> >
> > I'd say that what you found is *not* that SPF itself is a disaster,
> > but that enforcing SPF by rejecting failures is a disaster.
> > +1
+1. I implement SPF records on all my hosted domains, it's trivial, but to this date I haven't found any real use for filtering on it. I think the only reason that I put it in place to begin with is to be in compliance with Yahoo (or some other provider) some years ago after they bounced some mail. I feel that if it were enforced by several of the larger email companies then it would cause everyone to implement it and then it might have value at limiting zombies, but that's about it. Since they haven't enforced it, there isn't much more that can be done. If we enforce it, it makes us look like idiots when our clients can't get email, and then we look like idiots and they turn to the larger (or should I say more popular) companies.
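The selective-whitelist policy described in the quoted text, as an added example that is not code from this thread: mail is allowlisted only when the envelope domain is on a trusted list and SPF passed, while a bare pass or a fail changes nothing and the message is filtered normally. `TRUSTED_DOMAINS`, the function names and the sample headers are constructed for illustration, and the code assumes the topmost `Received-SPF` header (RFC 7208 section 9.1 format) was added by your own MTA.

```python
import re
from email import message_from_string

# Hypothetical allowlist: domains trusted once SPF proves the mail came from them.
TRUSTED_DOMAINS = {"example.com"}

# RFC 7208 section 9.1: "Received-SPF: <result> (comment) key=value; ..."
_RESULT = re.compile(
    r"^\s*(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.I)
_ENV_FROM = re.compile(r'envelope-from="?<?([^">;\s]+)', re.I)

def spf_verdict(raw_message):
    """Return (result, envelope_domain) from the topmost Received-SPF header."""
    header = message_from_string(raw_message).get("Received-SPF")
    if header is None:
        return ("none", None)
    m = _RESULT.match(header)
    e = _ENV_FROM.search(header)
    result = m.group(1).lower() if m else "none"
    domain = e.group(1).rsplit("@", 1)[-1].lower() if e else None
    return (result, domain)

def classify(raw_message):
    """'allowlist' only for trusted domain AND SPF pass; everything else 'scan'."""
    result, domain = spf_verdict(raw_message)
    if result == "pass" and domain in TRUSTED_DOMAINS:
        return "allowlist"
    # A pass from an unknown domain proves nothing about reputation, and a
    # fail is not rejected here: both simply go through normal filtering.
    return "scan"

def _msg(spf_header):
    head = f"Received-SPF: {spf_header}\n" if spf_header else ""
    return head + "From: alice@example.com\nSubject: test\n\nbody\n"

# Constructed sample messages (documentation IP ranges and domains).
SAMPLES = {
    "trusted_pass": _msg('pass (mx.test: 192.0.2.10 is permitted) '
                         'client-ip=192.0.2.10; envelope-from="alice@example.com";'),
    "forged_fail": _msg('fail (mx.test: 203.0.113.7 is not permitted) '
                        'client-ip=203.0.113.7; envelope-from="alice@example.com";'),
    "stranger_pass": _msg('pass (mx.test: 198.51.100.5 is permitted) '
                          'client-ip=198.51.100.5; envelope-from="bulk@mailer.invalid";'),
    "no_spf": _msg(None),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, spf_verdict(raw), classify(raw))
```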