I use -all on some domains, but not on all. The problem is that you don't always know which server will send legitimate emails with your email address as source address.

A number of online systems like forums, webshops, mailinglists etc send notification emails where the address you used to sign up is used as the From: address. Those emails may get lost if you use the -all setting because they are sent from servers whose IP address is not in your SPF record. If you are never using a domain to sign up to sites which send messages on your behalf, it is safe to use -all in the SPF record of that domain.

Thanks for the reply lammert - it sounds as if using

-all

will be safe in my situation, as apart from the automated emails, the domain's email addresses are mostly used for receiving and not sending.

I have a supplementary question specifically relating to Hotmail delivery - what's the current situation with Sender ID? Would it be a good idea to create a dedicated TXT record in the Sender ID format for Hotmail, or should the SPF record suffice?

There has been no harm in doing both IMHO. My testing (RedHat Linux w cPanel) has shown it helps delivery to AOL where the client IP (mail client) is in a portable (aka dial-up) range.

Add the true IP of that the email server is bound to as cPanel grabs the IP4 A record of the webserver. Listed as 'Additional Ip blocks for your domains (IP4)'.

The best of the online SPF record checkers is [kitterman.com ] There are others but they give confusing results (IMHO) and/or false errors. openspf.org has lots of backing docs if you are curious.

In above #4172607 both = SenderID/Domain Keys and SPF.