I started checking SPF records on my mail server. All spam that makes it through the other checks also has correct SPF records. Presumably if spammers control DNS for a bunch of crappy domains they can dynamically add the zombie machines to the SPF records on the fly and just get on with their day. Very disheartening.

SPF isn't really an anti-spam tool, it's just a way to verify that the sender domain isn't being spoofed. For instance, it stops spammers from sending mail with a paypal.com email address.

Exactly. Spammers can use any email address they'd like and Verizon simply passes it on to the recipient. A spammer used one of my domains (with valid SPF records added years ago) and texted thousands of Verizon customers. I intercepted all replies to the texts with a catch-all email and found hundreds of complaints including several death threats and a father who told me his young daughter received a porn text from my domain. After 3-4 days, their spam filter finally kicked in. My domain was blacklisted and I basically had no control over it.

>No SPF/DKIM checks

Wow. The 90s called, they want their SMTP gateways back.

We've found that DKIM keys are often if not always ignored by major mail carriers.

Interesting. I found that my custom-domain Fastmail address went from spam to the inbox in GMail the moment both SPF and DKIM were set up correctly.

I think the presence makes a difference, and SPF is often at least partially respected. But I think DKIM is so often incorrectly configured that most major mail carriers just decide they have to let it through anyway.

Yup, I've watched mail that I send be delivered directly to Gmail inboxes even if I spoof the From address to be from a Gmail account. (Admittedly, the rest of the headers show it correctly coming from the uwaterloo.ca mailservers, which are perhaps whitelisted, and the content of the email is never obviously spammy.)

Do you still have the privilege of paying for those?