Daniel.Blaser@lkw.li wrote:
I'm just trying to get a general feeling again about what the community thinks about SPF.
Here's my view:
Use DomainKeys instead of SPF. DomainKeys serves the same purpose, but doesn't share the fundamental brokenness of SPF.
SPF should be avoided because it's fundamentally broken: If you publish an SPF record with a "-all" directive (if you don't have that, SPF doesn't allow forgeries to be rejected, which makes SPF pretty pointless IMO) and you send mail to an email account on my mailserver via a forwarder (RFC1123 requires internet hosts to support mail forwarding, and it's a relatively widely used feature), your mail will bounce if my mailserver checks SPF, unless I whitelist every host which forwards mail for one of my users. But that isn't feasible because I can't expect my users to understand the brokenness of SPF and tell me about each forwarder someone is using.
Greetings, Norbert.
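
The forwarding case described in the message above, as an added example that is not part of the original post: a reduced SPF evaluator (only `ip4`, `ip6` and `all`, with no DNS lookups) run against a direct delivery and a forwarded one. The domain, the addresses (documentation ranges) and the function names are constructed for illustration, and the forwarder is assumed to keep the original envelope sender.

```python
import ipaddress

# Constructed sample data: example domain and documentation address ranges.
SPF_RECORDS = {"sender.example": "v=spf1 ip4:192.0.2.0/24 -all"}
SENDER_MTA = "192.0.2.10"        # host authorised by sender.example
FORWARDER_MTA = "198.51.100.25"  # forwarder relaying for a local user

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from_domain, records=SPF_RECORDS):
    """Evaluate a reduced SPF subset (ip4, ip6, all) for the connecting IP."""
    terms = records.get(mail_from_domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # the default qualifier when none is written
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
    return "neutral"  # no mechanism matched


def receive(client_ip, mail_from_domain, trusted_forwarders=()):
    """Receiver policy: reject on SPF fail unless the relay is whitelisted."""
    if client_ip in trusted_forwarders:
        return "accept (forwarder whitelisted, SPF skipped)"
    result = check_spf(client_ip, mail_from_domain)
    return "reject" if result == "fail" else f"accept ({result})"


if __name__ == "__main__":
    # The same message and envelope sender; only the connecting host differs.
    print("direct:     ", receive(SENDER_MTA, "sender.example"))
    print("forwarded:  ", receive(FORWARDER_MTA, "sender.example"))
    print("whitelisted:", receive(FORWARDER_MTA, "sender.example",
                                  trusted_forwarders={FORWARDER_MTA}))
```

The receiver only ever sees the address of the last hop, so the forwarded copy is judged against the forwarder's IP, which the sender's record does not list.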