Sender Policy Framework
SPF is a framework for validating outgoing mail, which gives the receiving side useful information for spam filtering. The main goal is to cause spoofed @wikimedia.org mail to be correctly identified as such. It should also improve our odds of getting fundraiser mailings into inboxes rather than spam folders.
The October 8 change will be simply a matter of adding a TXT record to the wikimedia.org DNS zone:
wikimedia.org IN TXT "v=spf1 ip4:188.8.131.52/24 ip4:184.108.40.206/22 ip6:2620:0:860::/46 include:_spf.google.com ip4:220.127.116.11 ?all"
The record is a list of subnets that we identify as senders (all WMF subnets, Google Apps, and the fundraiser mailhouse). The "?all" is a "neutral" policy: it makes no statement either way about how mail should be handled.
Eventually we'll probably bump "?all" to a stricter "~all" aka SoftFail, which tells the receiving side that only mail coming from the listed subnets is valid. Most ISPs will route 'other' mail to a spam folder based on SoftFail.
I was under the impression that ~all softfail is not an assertion that something is not authorized and the only way to actually assert that is with -all hardfail.
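The qualifiers discussed above, as an added example (not part of the original page or Wikimedia's code): a minimal evaluator for the ip4, ip6, include and all terms of the record shown here, run with ?all, ~all and -all to show the result a receiver computes for listed and unlisted senders. The include: lookup is answered from a constructed table instead of DNS, and the function names are hypothetical.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The record from the page (addresses exactly as printed there).
PAGE_RECORD = ("v=spf1 ip4:188.8.131.52/24 ip4:184.108.40.206/22 "
               "ip6:2620:0:860::/46 include:_spf.google.com "
               "ip4:220.127.116.11 ?all")

# Constructed stand-in for DNS so the example runs offline. This is NOT
# Google's real record, only a documentation range (RFC 5737).
SAMPLE_DNS = {"_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ~all"}

def check_spf(record, client_ip, dns=SAMPLE_DNS, depth=0):
    """Evaluate terms left to right; the first matching term decides."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    # depth guard is a simplification of the RFC 7208 lookup limit
    if not terms or terms[0].lower() != "v=spf1" or depth > 10:
        return "permerror"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            if arg not in dns:
                return "permerror"  # included domain has no record
            # include matches only when the included record yields pass
            matched = check_spf(dns[arg], client_ip, dns, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this example's scope
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched: the default result

def compare_policies(client_ip):
    """Result for one sender under ?all and the two stricter variants."""
    base = PAGE_RECORD.rsplit(" ", 1)[0]  # drop the trailing ?all
    return {q + "all": check_spf(f"{base} {q}all", client_ip) for q in "?~-"}

if __name__ == "__main__":
    for sender in ("188.8.131.7", "198.51.100.9"):  # listed, unlisted
        print(sender, compare_policies(sender))
```
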