Tony Finch wrote:
> I think the best advice at the moment is to do both of these things. SPF
> is probably a reasonable SpamAssassin test, but it isn't accurate enough
> to be the sole reason for rejecting a message.
I do publish -all, because the damage that is done by fake messages
pretending to come from our domain is much larger than the potential
danger of being rejected because of forwarding. I therefore expect other
domains to reject based on that policy. To quote Scott Kitterman:
(3) Originating domains MUST publish -all policies only after they understand
the potential consequences and believe that the risk of some messages is
worth the benefits associated with the policy (that would be me by the way).
SPF verifiers SHOULD reject messages that fail a -all test
As we expect others to reject on -all, the same is performed at our mail
boundary. The largest problems we see nowadays are not unforeseen
rejections, but plain IP blocks (verizon.net for example).
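To make the forwarding trade-off in the post concrete, here is an added example
(not code from the thread or from any SPF implementation) of a minimal SPF check
that understands only the ip4, include and all mechanisms, with DNS replaced by a
constructed table. The domains (example.com, _spf.mailhost.example,
softfail.example) and addresses are hypothetical documentation ranges. It shows
why a message legitimately relayed by a forwarder fails a -all record, because the
forwarder's address is not in the sender domain's record, while the same message
only softfails against ~all, and what a "reject on -all" boundary does with each.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains and addresses).
# A real verifier queries the TXT record of each domain instead.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns=FAKE_DNS, depth=0):
    """Minimal SPF evaluator: ip4, include and all mechanisms only.

    Returns one of pass, fail, softfail, neutral, none, permerror.
    a, mx, ptr, exists, redirect and macros are deliberately unsupported;
    any of them yields permerror rather than a guessed result.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "ip4":
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == 4 and addr in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(ip, arg, dns, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside an include only means "no match here"
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"          # unsupported mechanism in this toy
    return "neutral"                    # ran off the end of the record


def boundary_decision(result):
    """The post's policy: reject hard fails; softfail is only a scoring input."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-score"
    return "accept"


def forwarding_scenario():
    """Same message, three delivery paths (constructed addresses).

    203.0.113.7 plays a forwarder that re-sends example.com mail from its own
    address; it is in nobody's SPF record, so -all fails and ~all softfails.
    """
    return {
        "direct": check_spf("192.0.2.25", "example.com"),
        "via_included_host": check_spf("198.51.100.11", "example.com"),
        "forwarded": check_spf("203.0.113.7", "example.com"),
        "forwarded_softfail_domain": check_spf("203.0.113.7", "softfail.example"),
    }


if __name__ == "__main__":
    for path, result in forwarding_scenario().items():
        print(f"{path:26s} {result:9s} -> {boundary_decision(result)}")
```

The "forwarded" row is exactly the case the post accepts losing: the forwarder's
address is not listed, so a receiver that rejects on -all bounces the relayed
message. The fix on the forwarder's side is SRS or re-signing, not a weaker
record; the check itself is doing what the publishing domain asked for.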