On Mon, 2 May 2005, Andrew Gutkowski wrote:
I work for a college. To our institution, a legitimate email is one
that was requested by the user.
I'm sure your user did not ask for mail to be sent to them from a faked
email address.
You may choose not to use SPF because it blocks "user-consented forgeries"
that your users wish to receive. But it's clearly not the long-term
solution to the problem of forgery that we continue to allow any system to
send mail as anyone just because "it's never been prevented before."