Yes, I was debating between ? and ~ and went with ? as it seemed the least likely to cause problems, but in fact UCSD's SPF record that I set many years ago uses ~ and there have been no complaints, so I may well change to it. We'll see as the bounce/reject messages come back in from daily traffic.
The elephant in the room is Google - gmail's spam filtering is a secret and nobody who knows will talk about it, so we have to guess and see what works and what gets rejected by simple trial and error.
But the immediate problem is going to be solved; we have a new mailman machine on the horizon and it will have its own unique IP address so much of the current issue will be solved, and I can give it an SPF record that will work.
We'll still have problems with mail originating from DMARC sites like yahoo, but the Mailman program has a workaround for that - if it sees that the posting is coming from a domain with a DKIM record, it rewrites the From: address to the list, which will allow posters from that site to participate. People can still reply to them individually since their original address is in the courtesy-copy (Cc:) header line.
Thanks for your advice; we'll watch the bounces and see what to do. - Brian
On Sat, Sep 23, 2017 at 10:49:24AM -0400, Jacob Slater wrote:
While I have had issues with ?all in the past (neutral), I'd avoid -all (hard fail) if you can. Hard fail can mess up mail forwarders if subscribers use them on their end. Instead, I'd suggest using ~all (softfail), which most mail providers seem to be OK with.
Jacob Slater KM6LDX
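As an added illustration (not part of this thread, and not Mailman's or UCSD's code) of the point both messages are making, the following Python evaluates a bare-bones SPF record against a sending IP and shows how the three qualifiers on "all" change the outcome for forwarded mail, where the forwarder's IP is not in the record. It also shows the From:-to-list rewrite with the original author kept in Cc: that Brian describes. The evaluator handles only ip4/ip6/all (no DNS, no include/a/mx), the IP addresses are constructed from the RFC 5737 documentation ranges, and the function names are my own.

```python
import ipaddress
from email.message import EmailMessage

# SPF qualifier prefix -> check_host() result (RFC 7208 section 4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Minimal SPF evaluator: only ip4:, ip6: and all are supported.

    This is a teaching subset, not an RFC 7208 implementation; there is
    no DNS resolution and no include/a/mx/redirect handling.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            # A bare address is treated as a /32 or /128 network.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
            continue
        return "permerror"  # mechanism this toy evaluator does not know
    # No mechanism matched and there is no "all": RFC 7208 says neutral.
    return "neutral"


def compare_qualifiers(list_server_ip, forwarder_ip):
    """For -all, ~all and ?all, report the SPF result when mail arrives
    directly from the list server versus via an unlisted forwarder."""
    results = {}
    for qualifier in "-~?":
        record = f"v=spf1 ip4:{list_server_ip} {qualifier}all"
        results[qualifier + "all"] = {
            "direct": evaluate_spf(record, list_server_ip),
            "forwarded": evaluate_spf(record, forwarder_ip),
        }
    return results


def rewrite_from_for_list(msg, list_address):
    """Hypothetical sketch of the rewrite described in the thread: the
    From: header becomes the list address and the original author's
    address is preserved in Cc: so subscribers can still reply to them."""
    original_from = msg["From"]
    existing_cc = msg["Cc"]
    del msg["From"]
    del msg["Cc"]
    msg["From"] = list_address
    msg["Cc"] = ", ".join(a for a in (existing_cc, original_from) if a)
    return msg


if __name__ == "__main__":
    # Constructed addresses: list server 192.0.2.10, forwarder 203.0.113.5.
    for suffix, outcome in compare_qualifiers("192.0.2.10", "203.0.113.5").items():
        print(f"{suffix}: direct={outcome['direct']} forwarded={outcome['forwarded']}")

    post = EmailMessage()
    post["From"] = "Alice <alice@example.com>"
    post["To"] = "list@example.org"
    post.set_content("constructed sample posting")
    rewritten = rewrite_from_for_list(post, "list@example.org")
    print("From:", rewritten["From"], "| Cc:", rewritten["Cc"])
```

Running it prints pass for direct delivery under every qualifier, while the forwarded copy comes out as fail, softfail or neutral depending on whether the record ends in -all, ~all or ?all; that difference is exactly why a hard fail can break subscribers who forward their list mail.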