SPF_Fail score too low?

[Matt Kettler]

Kevin Miller wrote:
> Matt Kettler wrote:
>  
>> I myself would recomend using hardfail, but I'd test things out
>> starting at neutral and work your way up after you've proven out that
>> it really works. 
> 
> You and res both bring up some interesting points.  I hardfail, but my
> system is pretty humble - I an count on one hand every machine that
> should be allowed to send mail from my domain. 

I'm a small shop too. However, my HR department uses several resume services
that forge our address as the return path when sending them resumees. While less
important, they also use a e-card service to send birthday cards to employees
that does the same thing. All of these are "major name" companies you've
probably seen at least 50 TV ads for, not small-shop services.

And of course the cards we could do without, but the resume services are
essentially ones my business unit would fold without, and at that point I'd not
have a job anymore.

It's gotchas like that which make me suggest starting off at neutral. Even
though you can reliably know what machines SHOULD be allowed to send mail from
your domain, you might have servers that DO send mail from your domain even
though they should not that provide critical business services.