>  From the explanations there, and articles in other places, I quickly 
 > decided it's inherently broken.

One has to be aware of its strengths and weaknesses before implementing it,
but the fact is that important and influential domains such as hotmail
and google are adopting it. I had to start publishing SPF records on our
DNS server when most (legitimate) mail from our domain was being flagged
as spam by hotmail, because much of the spam received by them seemed to
be coming from our domain, and hotmail had classified our domain as a
spam mailer.  Publishing SPF records, together with disabling forwarding
(as I explain below) was a better and more realistic alternative than
asking our users to stop communicating with hotmail addresses.

This brings one of the main criticisms against SPF, that it breaks
forwarding.  That's Ok, I already stopped forwarding on our system, most
users were forwarding spam anyway, and as consequence our domain was being
flagged as a spam mailer. Users that really need to forward email can use
the remailing mechanism instead, making sure that all mail is filtered for
spam _before_ being remailed.

That alleviates the problem of our domain getting a bad reputation for
forwarding spam, but does not solve the fact that our anti-spam filters
are at the verge of a DoS because of the amount of spam we are receiving.
Just filtering spam is not enough, spam needs to be stopped if possible
at the beginning of the SMTP session. That is why we need to implement 
SPF checking to. Of course SPF is not the final solution, but it may help
to alleviate the problem.


Miguel A. Lerma