by reidrac
4125 days ago
SOFTFAIL is only contributing to the anti-spam score (in theory) as it is supposed to allow the mail to pass, but the host is still unauthorized [1]. Using "~all" means that you can only tell which hosts are definitely allowed to send mail for the domain, and you're unsure of anything else. IMHO that reduces the effectiveness of SPF. SOFTFAIL is useful as a debug method when you're testing rules and you don't want mail to be rejected by mistake; but I think it should be transitory and finally replaced by FAIL ("-all"). If you configure SPF to allow mail to be delivered by Google's SMTP servers for that domain, you're again reducing its effectiveness (Google's SMTP servers are used to send spam); but still better than a "SOFTFAIL all" I think :)

[1] http://www.openspf.org/RFC_4408#op-result-softfail

SpamAssassin's rationale was that many of the tutorials online never explained the difference, so the majority of mailservers were just using SOFTFAIL everywhere. More paradoxically, messages that had a hard FAIL result were statistically more likely to be due to a misconfiguration, based on an empirical analysis.
Like I said though, it's been quite a while since I've had to deal with this. I'm not sure if it's still true or not.
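
The distinction this thread draws between "~all" and "-all", as an added Python example that is not part of either comment: it reads an SPF record and reports the result assigned to hosts that no earlier term matched. The function name and the sample records (using the placeholder domain example.net) are assumptions made for illustration.

```python
# Added example: what an SPF record says about hosts it does not list.
# All records in SAMPLES are constructed; example.net is a placeholder domain.

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def default_policy(record):
    """Classify the "all" term of an SPF version 1 record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")

    result, redirect, ignored = None, None, []
    for term in terms[1:]:
        low = term.lower()
        if result is not None:
            ignored.append(term)          # terms after "all" are never evaluated
        elif low.startswith("redirect="):
            redirect = term.split("=", 1)[1]
        else:
            if low[0] in QUALIFIERS:
                qualifier, name = low[0], low[1:]
            else:
                qualifier, name = "+", low    # a missing qualifier means "+"
            if name == "all":
                result = QUALIFIERS[qualifier]

    if result is not None:
        redirect = None                   # "redirect" is ignored when "all" is present
    elif redirect is None:
        result = "neutral"                # no "all", no redirect: default result
    return {"result": result, "redirect": redirect, "ignored": ignored,
            "hard_fail": result == "fail"}


SAMPLES = [
    "v=spf1 mx ~all",                         # softfail: unlisted hosts only flagged
    "v=spf1 include:_spf.example.net -all",   # fail: unlisted hosts unauthorized
    "v=spf1 a all",                           # bare "all" authorizes every host
    "v=spf1 -all mx",                         # "mx" placed after "all" is dead
    "v=spf1 redirect=_spf.example.net",       # policy lives in another record
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(f"{rec!r:45} -> {default_policy(rec)}")
```

A `result` of `None` with a `redirect` value means the default policy has to be read from the redirect target's record.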