Gnome.org has no SPF record.

["A. James Lewis" <james fsck co uk>]

On Fri, 2010-12-31 at 10:02 +0100, Olav Vitters wrote:
> On Thu, Dec 30, 2010 at 04:42:05PM +0000, A. James Lewis wrote:
> > Not strictly a gaping security hole... but certainly an omission,
> > perhaps it would be possible for such a major organization to support
> > this mechanism for reducing SPAM by having an SPF record in your DNS?
> > 
> > It certainly reduces the chances of someone impersonating your users in
> > email.
> 
> I'm fully aware of SPF. However, practically (at least at the moment)
> not possible to implement that. We hand out @gnome.org aliases to GNOME
> foundation members. We do not want to be a webmail provider or anything.
> So the way foundation members use these aliases is to change the From
> setting in their email client or in some webmail services (e.g. gmail
> supports this).
> 
> It would be nice at one point to allow people to use our SMTP server.
> But that would still not be of any help for gmail users (unless gmail
> separates From: and the SMTP from). Plus people might have very strange
> configuration settings where this is not possible.
> 
> So in short: Aware of SPF, but at the moment not possible to implement.
> 
> If you want to discuss this or anything else suggest to subscribe to the
> gnome-infrastructure list on http://mail.gnome.org/.
> 

It seems that SPF has at least a contingency to allow this kind of thing
to happen.  If you were to define the "official" gnome.org SMTP servers
in an SPF record, but specify ?all as a catch all (instead of -all),
then mails sent by gnome itself, from mailing lists etc, would be marked
as "Pass", and mails from other sites such as 3rd party webmail accounts
etc, as you described... would still be undefined.  This would surely be
a significantly better situation because the bulk of mail sent by
gnome.org would be validated.  You might even use the include directive
to include popular webmail services such as gmail or hotmail.

James