SPF is designed for authentication, not spam filtering. Using a crowbar as a hammer. We apply a small score mainly so we see the elements reported.
If the "majors" are using it in their hygiene stack, for evaluation like you are, I haven't seen much evidence of that. Of course it's hard to test, since we don't have log access or often intelligible header diagnostics. But from years of blackbox practical experience working cases:

Cust: My Spam...err bulkmail is going to Junk, can you hook me up w/ SPF!
Tech: OK we hooked you up.
Cust: My Spam....err bulkmail is still going to Junk
Tech: OK now diagnosed your ACTUAL problem (URL, PTR, spammy content, etc). We need to do X, Y, and Z.
Cust: Great that fixed it!

I can't recall a case in the last 5 years where SPF, or DKIM for that matter, tipped anyone from Junk to not.

I apply an increased score for RDNS_NONE. Because I think it's an ABOMINATION that so many operations think it OK to skip DNS plumbing. But I do recognize it seems a hopeless battle, trying to clean up the internet. YMMV.

________________________________
From: Rupert Gallagher <r...@protonmail.com>
Sent: Wednesday, January 24, 2018 3:00:37 PM
To: David Jones; 'users@spamassassin.apache.org'
Subject: Re: Penalty for no/bad SPF

If all those smarties who speak against spf would simply shut up and implement it correctly, with dkim and dmarc, and read the dmarc reports, then they would know how valuable it is.

On raising the score: done, long ago, happy with the outcome, and strongly recommend it.