Regarding SPF, there is STILL a major flaw with Settings > Security > Whitelist > SMTP Auth Bypass.
For example when we onboarded a Google G-Suite client which needed two users to remain on G-Suite and everyone else on SmarterMail, authentication must be bypassed via those G-Suite users, otherwise it completely fails.
Split delivery is setup via Domain > Configuration > Email > Inbound Message Delivery > External (use MX record) or External (use host record))
The problem is that once the SMTP Auth Bypass enables all G-Suite IP addresses, all of a sudden everyone who sends spam from Google to a local user (sent to all domains on SmarterMail) is completelyTrusted and no spam filtering happens at all. I've been complaining about this for months, and this has been a problem for years.
I've asked for SPF and DKIM filtering to combat this problem, and after weeks of trying to get a technician to simply understand the underlying problem, finally I've been promised a solution.
However, my response: We do not have a time frame for this yet.
What is the problem with this simple solution and this avoidance? Can something not be promised to be solved in some sort of rough timeframe?