SPF - should I implement?

Solution 1:

Yes. I wouldn't call this subjective because there's a clear consensus; use SPF.

Implementation is very easy and it's a good thing for the internet as a whole.

Solution 2:

You are likely seeing dated references. Based on the percentage of valid email my server receives from servers using SPF, the consensus is to use SPF.

I heartily recommend setting up SPF. Set up records for your MX allowing it to send email, as well as for the domain you use in e-mail addresses. For domains that don't send e-mail, set up SPF to indicate that.

I find SPF records for the e-mail server more helpful and reliable in blocking Spam than those for the sender's e-mail address.

If your server supports SPF records, configure them in addition to TXT records. If you change your configuration, there may be a little overhead in keeping the records in sync, but many systems can configure their SPF so it automatically adjusts to MX and address changes.

You may want to review my post on Securing your Email Reputation with SPF. My first implementation of SPF was to block a spammer who was forging a domain I provide email services for. Despite relatively low SPF penetration, it was very effective in shutting them down. However, we still get spam to the forged address they created. (It's a great way to verify spammers as only spammers would use that address.)

I believe penetration of SPF on the receiving side is likely greater than on the publishing side.

EDIT: If you do use SPF records, make sure that people delivering automated mailings are aware of the requirement to get their servers added. (The server should be fully vetted as automated systems are often poorly configured and may have a profile similar to a spambot. It isn't that difficult to set the server up correctly.)

Solution 3:

Definitely set up SPF - there should be no downside (as long as it is set up properly and tested), but it will prevent other sites from masquerading as you and sending spam in your name. The reason it is good is that you are explicitly whitelisting certain servers/IPs that can send email for your domain.

I think the best proof that it is a good thing is looking at a few major email services. Just look for the 'Received-SPF' headers in the original email to see if SPF is checked. For example:

Yahoo Mail:

Received-SPF: pass (domain of example.com designates xxx.xxx.xxx.xxx as permitted sender)

Gmail:

Received-SPF: pass (google.com: domain of [email protected] designates xxx.xx.xx.xx as permitted sender) client-ip=xxx.xx.xx.xx;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates xxx.xx.xx.xx as permitted sender) [email protected]

Hotmail also checks SPF (although, I believe they call it Sender-ID). Overall, it is an easy addition that can do a lot of good - both for your domain and the internet as a whole.
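
Added example (not part of any of the answers above): a minimal receiver-side SPF evaluation over the three kinds of record Solution 2 recommends (mail domain, MX host name, non-sending domain), producing the result that ends up in a `Received-SPF` header like those in Solution 3. The domains, IPs and TXT records are constructed, and only the `ip4`, `ip6` and `all` mechanisms are handled; a production receiver should use a full RFC 7208 implementation.

```python
import ipaddress

# Constructed TXT records (example domains, documentation-range IPs).
TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",  # mail domain
    "mx1.example.com": "v=spf1 ip4:192.0.2.25 -all",  # MX host (HELO name)
    "parked.example": "v=spf1 -all",                  # domain that sends no mail
    "soft.example": "v=spf1 ip4:198.51.100.7 ~all",   # softfail for everyone else
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, txt=TXT):
    """Return the SPF result for client_ip sending as domain."""
    record = txt.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # no SPF policy published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":  # matches every sender; terminates evaluation
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise NotImplementedError(f"mechanism not handled here: {name}")
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"  # malformed record
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]  # first match wins
    return "neutral"  # nothing matched and no "all" term


def received_spf(domain, client_ip):
    """Format the result in the style of a Received-SPF header."""
    result = check_spf(domain, client_ip)
    return f"Received-SPF: {result} (domain of {domain}) client-ip={client_ip};"


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.10"), ("example.com", "203.0.113.9"),
                    ("mx1.example.com", "192.0.2.25"), ("parked.example", "192.0.2.10")]:
        print(received_spf(dom, ip))
```
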