> However do please be cautious about denying messages that only softfail.
I disagree with this. So many organizations have had softfail for
several tens of years for no apparent reason. Gmail is no exception.
-----
C:\Users\Sebastian Nielsen>nslookup -type=TXT gmail.com
Server: fw.sebbe.eu
Address: 192.168.4.1
Non-authoritative answer:
gmail.com text =
"globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8="
gmail.com text =
"v=spf1 redirect=_spf.google.com"
C:\Users\Sebastian Nielsen>nslookup -type=TXT _spf.google.com
Server: fw.sebbe.eu
Address: 192.168.4.1
Non-authoritative answer:
_spf.google.com text =
"v=spf1 include:_netblocks.google.com
include:_netblocks2.google.com include:_netblocks3.google.com ~all"
C:\Users\Sebastian Nielsen>
-----
If you don't mind expending some disk storage, create a custom
application that will, upon seeing a softfail for a domain, append the
domain to a disk file along with the year+month of the first seen softfail,
IF the domain is NOT already in the file (and treat as softfail). IF the
domain is already in the file, IF the year+month is 2 months away or more,
treat as hardfail. Else treat as softfail.
Then every organization that touches your mailserver will get anywhere
from 1-2 months to ensure any mailserver they use is added to their
SPF; after that, you will forcefully hardfail their "softfail".
I personally treat softfail as hardfail on my mailserver sebbe.eu. It
works very well and I haven't seen a "false positive" yet where an
email that is not obviously spoofed had been rejected.
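The first-seen tracking scheme described above, as an added example that is not part of the original post: the state-file format (one "domain YYYY-MM" per line), the function names and the calendar-month arithmetic are my assumptions.

```python
import os
from datetime import date

# Assumed file format (not from the post): one "<domain> <YYYY-MM>" per line.
STATE_FILE = "softfail_first_seen.txt"
GRACE_MONTHS = 2  # the post's "2 months away or more"


def load_state(path):
    """Read the domain -> (year, month) map; a missing file is an empty map."""
    state = {}
    if not os.path.exists(path):
        return state
    with open(path, encoding="ascii") as fh:
        for line in fh:
            parts = line.split()
            if len(parts) != 2 or "-" not in parts[1]:
                continue  # skip malformed lines instead of failing mail delivery
            year, month = parts[1].split("-", 1)
            state[parts[0].lower()] = (int(year), int(month))
    return state


def save_state(path, state):
    """Write the map back atomically so a crash cannot leave a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="ascii") as fh:
        for domain, (year, month) in sorted(state.items()):
            fh.write(f"{domain} {year:04d}-{month:02d}\n")
    os.replace(tmp, path)


def months_between(first, now):
    """Whole calendar months from first=(year, month) to now=(year, month)."""
    return (now[0] - first[0]) * 12 + (now[1] - first[1])


def classify_softfail(domain, state, today=None):
    """Map an SPF '~all' result for `domain` to 'softfail' or 'hardfail'.

    Unknown domain: record this year+month, return 'softfail'.
    Known domain: 'hardfail' once GRACE_MONTHS or more calendar months have
    passed since it was first seen, else 'softfail'.  `state` is mutated.
    """
    today = today or date.today()
    now = (today.year, today.month)
    first = state.setdefault(domain.lower(), now)
    if months_between(first, now) >= GRACE_MONTHS:
        return "hardfail"
    return "softfail"
```

A policy daemon or milter would call `load_state`, then `classify_softfail` for each sender domain whose SPF check returned softfail, and `save_state` afterwards; the month comparison ignores the day, so a domain first seen on 31 January becomes a hardfail on 1 March.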