spf-discuss

Re: Time to start rejecting on neutral?

2005-05-17 10:29:39
Interesting thread. Enough so that it has drawn me back out of lurking
mode. It's all fine and well to stomp your foot and say that people
should boldly publish -all. The problem is that there are some pretty
interesting "checker" implementations (I was going to say screwy) that
a lot of (larger) mailers are still trying to sort through.

One example I've seen is a domain that rejects mail if the Mail From
(RFC2821) and the From (RFC2822) don't match. Granted that is a fringe
case that goes beyond SPF, but from an operational standpoint
recipient (MTA) implementations do show a wide variety of
outcomes... well beyond what reasonable people might expect from a
standard. This is especially true when one throws in applying PRA to
SPF1 records.

As others have pointed out, relaying is still an issue. Do you break
your business (or personal) communications today (using -all) in the
hopes that relayers get their act together or do you go with ~all in
the hopes that the pain of people treating that negatively is less
than the pain of broken relays?

One trend that bothers me is that I am seeing more ISPs utilizing rate
limiting without really thinking through the consequences of their
decisions. In fact, I was dealing with one large ISP that implemented
rate filters (by IP) and don't even log the connections (events) they
are rejecting! So it took a little digging to help them figure out why
they didn't see any connections in their logs.

In closing, SPF is a tool. I'm kind of amazed at some of the comments
on this list. Would you get upset at a screwdriver because you need
other tools to build a house? SPF is an imperfect tool in an
imperfect world. Bad people with bad intent will find other ways of
abusing the system even if SPF itself worked perfectly. I'd rather get
a tool that solves (even if for only a while) 80% of the problem than
to see endless efforts to create the perfect tool.

As usual, just my 2 cents.

Mike