Marc Perkel wrote:
> I'm not hearing from people in this forum who are saying it works.
> Even those who are SPF evangelists can't point to any significant
> results in either blocking spam or passing ham.

Well, it's no magic bullet, but nothing is. I use SPF to try and make my domain less of a target for spammers to forge. I got hit with a massive backscatter flood last week that killed my service and I changed my SPF records to "hardfail" and had to notify my (few) clients to let them know that they were now required to use my server for outgoing mail (auth on port 587).

Only time will tell if it helps. But I immediately saw the effect in the bounce messages; domains like Gmail were aware of the hardfail on their SPF check.

One of the problems is that in SA, an SPF_FAIL (hard) doesn't score much above an SPF_SOFTFAIL, but in my view it should. If an admin has made the effort to set up a hardfail record, it should be trusted.

SPF_PASS shouldn't be trusted as far as spam processing, as we all know, as spammers can set up valid SPF records. But it does help against spambots, doesn't it? It's hard to set up valid SPF records when you're sending spam from a million infected machines.

-lee