<snip>Justin Mason wrote:
According to the SPF people, we shouldn't be using -all on a domain that may possible emit mail. So I changed the record...
If you can list all sending domains, sending ip addresses, and ISP mail servers that are allowed to send mail from a spamassassin.org address, then you can use ~all and we can use from spamassassin.org in the SPF test for a failed HELO. If you can't list all of them in the record, we are forced to use ?all and we need a different domain to use for the test.
It's more like:
?all if you don't think you've listed all the hosts that may send mail
~all if you *think* you've listed all the hosts that may send mail
-all if you *know* you've listed all the hosts that may send mail
The wizard doesn't give you the option -all since they don't want to 'wizardize' you having your mail rejected. If you don't list all your hosts and the record contains ~all, it'll generate a soft fail... which means the receiving server should still accept the mail.
If you forget to list all your hosts and your record contains -all, it generates a hard fail... which means the receiving server should feel free to reject, or drop the message.
I've got many domains using -all (with all of their sending hosts listed) and have had no problems.
Daryl