The wizard doesn’t quite figure things out right for us (guesses that the inbound MXs are the same as the outgoing mail servers, tries to add an include for dreamhost.com even though we don’t currently publish SPF records), and doesn’t account for stuff like:
- Announcement lists (though generally, the envelope-sender is an address within dreamhost.com, not your domain, so this wouldn’t likely cause many problems)
- Discussion lists
- Mail sent from the user machines with an envelope-sender of your domain (mail sent from Pine / mutt, mail sent from properly configured scripts on your site, etc.)
- Mail sent through your ISP’s mail server (if applicable).
- Mail sent from any of your users (if any) through outside SMTP servers.
- Configuration changes on our end.
I’m sure there are cases I’m forgetting. As I said before, the safest option (though one which would let other DH customers more easily spoof your domain if they wanted to) would be to use the simple record:
"v=spf1 ptr:dreamhost.com -all" (adding entries as necessary for any outside servers you or your users might be sending mail “from”).
There are also possible issues if you’re doing any email forwarding.
See http://spf.pobox.com/faq.html for information on that.
I haven’t messed with it much yet, so I’d also have to do some tests to make sure our DNS generation stuff doesn’t mess up the TXT records, and to make sure that BIND accepts the records properly.
Well, just the possibility that problems will come up in the future when you (or we) make a configuration change that changes things around without updating the SPF records.
Because many of our customers have setups that would cause some or all of the problems mentioned above. SPF is good because it gives users and providers the flexibility to configure things in a number of different ways.
If / when SPF becomes more popular, we are very likely to provide a mechanism for customers to publish SPF records, and we’re likely to encourage them to do so - however it’s not something that we could or should set up by default. I think it’s still a little early for us to start spending a lot of effort supporting it, either for inbound mail or for outbound mail.
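
An added example, not part of the original post: how a receiver would evaluate the simple record quoted above against different sending hosts. The DNS tables, host names and addresses are constructed for illustration (documentation ranges), and only the all, ip4 and ptr mechanisms are handled.

```python
import ipaddress

# Constructed DNS data (documentation address ranges, hypothetical host names).
PTR = {
    "192.0.2.10": ["mail1.dreamhost.com"],    # provider's outbound relay
    "192.0.2.77": ["shared7.dreamhost.com"],  # shared host used by another customer
    "198.51.100.5": ["smtp.isp.example"],     # a user's ISP mail server
    "203.0.113.9": ["mail1.dreamhost.com"],   # claimed PTR with no matching A record
}
A = {
    "mail1.dreamhost.com": ["192.0.2.10"],
    "shared7.dreamhost.com": ["192.0.2.77"],
    "smtp.isp.example": ["198.51.100.5"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
RECORD = "v=spf1 ptr:dreamhost.com -all"

def ptr_matches(ip, target):
    """ptr:<domain>: a PTR name counts only if it resolves back to the
    connecting IP and is the target domain or a subdomain of it."""
    for name in PTR.get(ip, []):
        if ip in A.get(name, []):
            if name == target or name.endswith("." + target):
                return True
    return False

def check_spf(record, ip):
    """Evaluate terms left to right; the first matching mechanism decides."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            matched = ipaddress.ip_address(ip) in net
        elif name == "ptr":
            matched = ptr_matches(ip, arg)
        else:
            raise ValueError("mechanism not covered by this example: " + term)
        if matched:
            return RESULTS[qualifier]
    return "neutral"
```

Any host with a validated name under dreamhost.com passes, including another customer's shared host, while mail relayed through the ISP server fails until an entry for it is added to the record.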