Just last week I was dealing with a vendor who was responding to complaints from people in my org about the vendor’s emails always ending up in spam.

I told the vendor the problem was on their end (SPF failure) and sent the headers showing exactly what server their email was leaving and a copy of the DNS results showing how that server was not part of their SPF record. They said they found no such issue when they investigated and asked us to “whitelist” their domain in our email system.

Nope. Nope. Nope.

SPF, DKIM, and DMARC exist for a number of very valid reasons. Fix your shitty email; we will not be disabling security because you’re too incompetent or lazy to setup your system correctly. “Whitelisting” your domain because your SPF is not setup correctly would allow anyone to spoof emails from your domain and open us up to a number of attacks.