Date: 2007-12-07 22:38:00
spf -all

A recent post by taral piqued my curiosity and made me wonder just how many domains publish "-all" (hardfail) in their SPF records. To that end, I have set up which aims to count them.

I am currently loading domains into the database. This involves a DNS lookup for each domain name, so it's only going at an average rate of a few per second. I have several million domain names ready to be loaded, so I expect the initial load to take a few weeks. I have grabbed domain names from the following sources so far:

If you can think of any other easily obtainable list of domain names, let me know!
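An added example, not code from the original post or from the counting site: one way to classify a domain's already-fetched TXT records by the qualifier on the SPF `all` mechanism, which is the check such a count depends on. It goes slightly beyond the post by also separating softfail, redirect-only and multiple-record cases; the function names and the sample records are constructed for illustration, and the DNS lookup itself is assumed to have happened elsewhere.

```python
from collections import Counter

# Qualifier characters defined for SPF mechanisms (RFC 7208); "+" is the default.
QUALIFIERS = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}

def classify_spf(txt_records):
    """Classify one domain from its TXT strings (each already joined into one string).
    Returns hardfail, softfail, neutral, pass, redirect, no-all, no-spf or permerror."""
    spf = [r.strip() for r in txt_records
           if r.strip().lower().split(" ", 1)[0] == "v=spf1"]
    if not spf:
        return "no-spf"
    if len(spf) > 1:
        return "permerror"            # more than one SPF record is an error
    redirect = False
    for term in spf[0].split()[1:]:   # skip the version term
        t = term.lower()              # mechanism names are case-insensitive
        if t.startswith("redirect="):
            redirect = True           # only consulted when no "all" is present
            continue
        qualifier = "+"
        if t[0] in QUALIFIERS:
            qualifier, t = t[0], t[1:]
        if t == "all":
            return QUALIFIERS[qualifier]   # terms after "all" are never evaluated
    return "redirect" if redirect else "no-all"

def count_policies(domains):
    """Tally classifications over a {domain: [txt, ...]} mapping."""
    return Counter(classify_spf(txt) for txt in domains.values())

# Constructed sample data; none of these are real lookups.
SAMPLE = {
    "a.example": ["v=spf1 mx -all"],
    "b.example": ["v=spf1 include:_spf.b.example ~all"],
    "c.example": ["site-verification=abc", "V=SPF1 ip4:192.0.2.0/24 -ALL"],
    "d.example": ["v=spf1 redirect=_spf.d.example"],
    "e.example": ["v=spf1 a mx"],
    "f.example": ["v=spf1 -all", "v=spf1 ~all"],
    "g.example": ["unrelated text record"],
    "h.example": ["v=spf1 all"],
}

if __name__ == "__main__":
    for policy, n in count_policies(SAMPLE).most_common():
        print(f"{policy:10} {n}")
```

A redirect-only domain may still end in `-all` at its target, so a full count would need a second lookup for those.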

And for what it's worth, the highest-alexa-ranked domain that publishes SPF -all is ...drumroll...

On the front page you say: "Such domains are using SPF the way it is intended, and are safe from email forgery." Do you really want to say that? It seems to me that domains using -all would be safe from email forgery if everybody in the world implemented SPF-based message rejection, and forgers never compromised a server that was listed as "trusted", and never thought of any other way to do forgery... but those seem to me to be pretty big ifs.
Yes, there certainly are conditions. But I intentionally used aggressive wording in the description, in the hopes that more people actually start using -all. It's a small step.
Greg Hewgill