I've been running a product called QURB (under Outlook Express) for 2-3 years
and am reasonably comfortable with its effectiveness at identifying spam
email messages. At some point QURB added support for something called SPF,
"Sender Policy Framework". SPF seemed pretty impressive at the time, but
I've begun to wonder whether it truly does that much good.

I've done a limited amount of research on SPF. My understanding is that SPF
depends upon the sender domain subscribing/registering with a list that
identifies certain attributes of the domain (beyond just the "name", but I'm
not sure exactly what information) that will enable an SPF implementation to
verify the claimed domain identity of the FROM email address.

The QURB implementation displays its SPF results for a given message as one
of three states: can't say for sure whether its the claimed domain; it
definitely IS from the claimed domain; it definitely IS NOT from the claimed
domain. I hardly ever get any messages that QURB reports as "definitely
IS..." or "definitely IS NOT".

Is there someone here who can shed light on the effectiveness of SPF in
general? Are there any of the "biggies" that use SPF -- paypal, ebay,
microsoft, the larger banking institutions?

TIA,

Phil