Continuing the "Ideas for Habra" series. As a reminder, I administer this site at the low level (servers, OS daemons and how they all interact), and I am very interested in the opinions of colleagues who have practical experience with what is mentioned in the post. So far this has all been rather sluggish, but I have learned some useful information.
This time the question concerns the mail subsystem. Virtually all of our mail MX records point to gmail.com. That is quite convenient and suits almost everyone, unless, of course, you think about the "big brother" questions. But there are also the servers that run our sites, many of which send notifications to users. Recently, all mail from some of our servers has been going to users not directly but through a relay, a "smarthost" in admin terms: this is convenient, since there is no need to fine-tune the stock sendmail, you just insert one line and that is all. Only the relay has to be configured properly.
So what do we have in the end? All legitimate mail from the habrahabr.ru domain reaches our users only from Google or from our relay. That is, there is a good opportunity to publish an SPF record in the zone with the corresponding data and with the "-all" option. This technology has plenty of advantages and a few drawbacks: one of the drawbacks is possible problems when emails are forwarded. Of course, a correct MTA should change the headers and so on when forwarding, but not everyone has everything set up as it should be.
In connection with the above, do you think it is worth setting the strict "-all", or should we limit ourselves to the uncertain "~all"?

P.S. By the way, DKIM is already running, and the relay successfully signs outgoing mail. If your mail clients report an invalid signature, let me know.
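
The trade-off in the question above, as an added example (not the author's code or the site's real configuration): a minimal SPF evaluator covering only the `ip4`, `include` and `all` mechanisms, run against a "-all" record and a "~all" record. The relay address, the sender addresses and the contents of the Google include are constructed placeholders.

```python
import ipaddress

# Constructed sample data: documentation-range addresses, not the site's real hosts.
RELAY_IP = "192.0.2.25"       # assumed address of the smarthost relay
INCLUDES = {                  # stands in for the DNS TXT lookup of include: targets
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
}
STRICT = f"v=spf1 include:_spf.google.com ip4:{RELAY_IP} -all"
SOFT = f"v=spf1 include:_spf.google.com ip4:{RELAY_IP} ~all"
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, sender_ip, includes=INCLUDES):
    """Evaluate an SPF record (ip4, include and all only) for a connecting IP."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include" and arg in includes:
            # An include matches only when the nested record evaluates to pass.
            matched = check_spf(includes[arg], sender_ip, includes) == "pass"
        else:
            return "permerror"               # outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # no mechanism matched


def compare(sender_ip):
    """Return the (strict, soft) results for one sending address."""
    return check_spf(STRICT, sender_ip), check_spf(SOFT, sender_ip)


if __name__ == "__main__":
    senders = {"Google": "198.51.100.7", "relay": RELAY_IP,
               "third-party forwarder": "203.0.113.9"}
    for label, ip in senders.items():
        print(f"{label:22} -all: {compare(ip)[0]:9} ~all: {compare(ip)[1]}")
```

The forwarder row is the case the post worries about: mail re-sent from an address outside the record gets `fail` under "-all" and only `softfail` under "~all".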