I applaud your daring. Please keep us posted on the success
of your experiment.
So far it's working like a dream! I've been enjoying the view
of spammers getting bounced by SPF in my 'sendmail' log window
for two days now. I'm just about ready to stop monitoring the
log. Having no problems with my normal correspondents getting
through. The [+~?]all --> -all idea came from the three spams I
got from spammers spoofing domains that publish ?all at the end
of their SPF record, like Earthlink, AOL and (can you believe
it?) "seznam.cz". It then occurred to me that I don't want
e-mail from domains that publish a record like "v=spf1 +all".
"v=spf1 -all" is much more like it!
It should be noted that I am something of a special case. I run
my own MTA for one user (did this originally to avoid an
aggravating total-false-positive problem I had when my web-host
provider got themselves BLs by SpamCop). Most of my
correspondents are at large corporations that run MTAs which
easily fit the default rule. I sell a small number of things
for larger sums, rather than lots of things for tiny sums, so I
don't have to have wide-open e-mail permissibility. I only have
about 20 correspondents with accounts at Earthlink and the like,
and actually most of them fit the default rule. I've run
a modified 'spfquery' that has all my changes against the headers
from past e-mails to confirm this. Have about five full-address
whitelist exceptions in my 'access.db'.
Also, as I've said more than a few times here:
IT IS ONLY E-MAIL!
Who cares if someone gets bounced once in a while? They get a
nice message and a link to the explanation page. They can
*call* me on the *telephone*.
The problem has been that it's much too easy for people you don't
know to send e-mail to you. E-mail is extremely valuable for
communication with people one knows. SPF raises the bar
somewhat for people one doesn't know--but not much really.
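The [+~?]all --> -all rewrite described in the post, as an added example that is not part of the thread or of the poster's modified spfquery. It rewrites the qualifier on a record's `all` term and shows what result an unlisted sending host gets before and after; the domain names and records are constructed samples.

```python
import re

# Constructed sample SPF records (not taken from the original post).
SAMPLE_RECORDS = {
    "permissive.example": "v=spf1 +all",
    "neutral.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ?all",
    "softfail.example": "v=spf1 mx a ~all",
    "strict.example": "v=spf1 ip4:198.51.100.7 -all",
    "noall.example": "v=spf1 ip4:203.0.113.9",
}

# An 'all' mechanism with an optional qualifier; no qualifier means '+'.
ALL_MECH = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def harden_all_qualifier(record: str) -> str:
    """Local policy: treat every published 'all' term as '-all', so that
    '+all', '~all' and '?all' are evaluated as hard fail. All other
    mechanisms and modifiers pass through unchanged, and a record that
    has no 'all' term at all is left as published."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    return " ".join("-all" if ALL_MECH.match(t) else t for t in terms)


def result_for_unlisted_sender(record: str) -> str:
    """Result SPF yields for a sending host that matches none of the
    listed mechanisms: decided by the qualifier on 'all', or 'neutral'
    when the record has no 'all' term (redirect= is not followed here)."""
    for term in record.split()[1:]:
        m = ALL_MECH.match(term)
        if m:
            return QUALIFIER_RESULT[m.group(1) or "+"]
    return "neutral"


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        hardened = harden_all_qualifier(record)
        print(f"{domain}: {result_for_unlisted_sender(record)} -> "
              f"{result_for_unlisted_sender(hardened)}  [{hardened}]")
```

A spoofed message from a domain publishing "?all" is neutral under the published record and fails under the hardened one, which is the behaviour the post describes.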