I have SPF verification enabled on my mail server. While SPF is no panacea for the problem of spam, it is quite effective at ensuring spammers do not forge the sending address to impersonate someone else, and cause some poor innocent soul to receive in a boomerang effect the torrent of complaints hurled at them.
Unfortunately, far too many lame organizations (cough, Google) qualify their SPF record using a too-permissive ?all or ~all clause, which means they have servers other than those listed, and thus their SPF record is useless for filtering purposes.
In the last month, I noticed the opposite problem: I did not receive emails from Eurostar and BookMooch because their SPF records did not list the mail servers they actually use. If they are not clueful enough to manage a simple list of IP addresses, or have basic change management discipline, they should do us all a favor and ditch the SPF record they clearly are incapable of maintaining.
That happened to me once with a colocation facility, the type of organization that should know better. What happened to them is becoming quite common. Someone on the business side of the fence decides to start using SalesForce to send out important pricing notifications, and fails to ask anyone on the technical side if there is anything that needs to be done. Next thing you know, the company is sending email using their own reply/from addresses, but from salesforce.com servers, not listed in their SPF record.
Maybe SalesForce should automatically test the SPF record before sending mail for a client…
– Frank
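The pre-send test suggested in the comment above, together with the effect of the ?all and ~all qualifiers described in the post, as an added example (not code from the post or its commenter). It evaluates only the ip4/ip6/all terms of a record against a sending IP; the function name check_spf is hypothetical, and the records, domains and addresses are constructed from documentation ranges.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208). No prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEEDS_DNS = {"include", "a", "mx", "exists", "ptr"}

def check_spf(record, sender_ip):
    """Evaluate the ip4/ip6/all terms of one SPF record for sender_ip.

    Returns (result, notes). Terms that need DNS lookups are not resolved;
    they are listed in notes because they could change the real result.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", ["not an SPF record"]
    ip = ipaddress.ip_address(sender_ip)
    notes = []
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = mech.partition(":")
        name = name.partition("/")[0].lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier], notes
        elif name == "all":
            if qualifier in ("~", "?"):
                notes.append("permissive all: unlisted senders are not rejected")
            return QUALIFIERS[qualifier], notes
        elif name in NEEDS_DNS or "=" in mech:
            notes.append("not resolved: " + term)
    return "neutral", notes  # RFC 7208 default when nothing matches

# Constructed records and addresses (documentation ranges), not real senders.
SAMPLES = [
    ("v=spf1 ip4:192.0.2.0/24 -all", "192.0.2.25"),    # listed server
    ("v=spf1 ip4:192.0.2.0/24 -all", "203.0.113.7"),   # new sender, stale record
    ("v=spf1 ip4:192.0.2.0/24 ~all", "203.0.113.7"),   # same sender, softfail only
    ("v=spf1 include:_spf.example.net ?all", "203.0.113.7"),
]

if __name__ == "__main__":
    for record, ip in SAMPLES:
        print(ip, record, "->", check_spf(record, ip))
```

A "fail" for the address a new service will send from is the signal to update the record before the first message goes out; any "not resolved" note means the answer still depends on a DNS lookup this sketch does not perform.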