You are better off using snail mail than using -all in Sender Policy Framework (SPF) records. Put another way: avoid -all in SPF records, unless, of course, you enjoy never-ending wars with your receivers’ spam folders. This is sage advice that was given to me, and I now pass it on to you.

I’ve made the mistake of using -all myself before, and it is often recommended to use ~all or ?all instead of -all in SPF records to indicate a softer fail, allowing mail to be delivered even if SPF checks fail. Sure, using ~all or ?all can land your emails in spam folders, but a spam folder is better than emails that are never delivered at all.

When “-all” is specified in an SPF record, receiving mail servers are instructed to reject any email (that means every email) that does not pass the SPF check. This can lead to legitimate emails being undelivered if there is any issue with the SPF configuration.

Also, if you rely on forwarding services or use third-party email providers to send email on your behalf, specifying -all can cause delivery issues. These services are not always included in the SPF record, so valid emails fail the SPF check and end up marked as spam.

Where Should Strict Security Live?

Essentially, ~all lets you defer enforcement to the DMARC policy, and DMARC is a much better controller for security. If you use -all, the receiver enforces the SPF rule before the DMARC policy is even evaluated. In that case, a DKIM signature that would fully pass never gets the chance to be checked.
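To make the forwarding scenario and the SPF-before-DMARC ordering concrete, here is an added example (not code from the original post) that simulates a receiver: a minimal SPF evaluator that understands ip4: mechanisms and the trailing all qualifier, followed by a DMARC step that passes when either SPF or DKIM is aligned with the From: domain. The domain example.com, the SPF records, the forwarder IP 198.51.100.7, and the receiver behaviour of rejecting immediately on an SPF hard fail are all constructed assumptions; real receivers differ in how they treat an SPF fail.

```python
"""
Simulated SPF + DMARC evaluation (added example, not from the original post).

Assumptions (all constructed for illustration):
  - example.com publishes one of the three SPF records below.
  - The modeled receiver rejects on an SPF hard fail before DMARC runs,
    which is the behaviour the post warns about.
  - DNS is replaced by in-memory strings; only ip4: mechanisms and the
    trailing "all" mechanism are handled.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed SPF records for example.com, one per "all" qualifier.
SPF_RECORDS = {
    "hard": "v=spf1 ip4:203.0.113.0/24 -all",
    "soft": "v=spf1 ip4:203.0.113.0/24 ~all",
    "neutral": "v=spf1 ip4:203.0.113.0/24 ?all",
}

# SPF qualifier prefix -> result name.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, sender_ip: str) -> str:
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'permerror' for sender_ip.

    Walks mechanisms left to right: 'ip4:' CIDR terms match the connecting IP,
    'all' matches everything. The qualifier in front of the first matching
    mechanism decides the result.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIER_RESULT[qualifier]
        if term.lower().startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no "all" term present


@dataclass
class Message:
    sender_ip: str                   # connecting SMTP client (e.g. a forwarder)
    mail_from_domain: str            # envelope sender domain that SPF checks
    from_header_domain: str          # From: header domain that DMARC aligns against
    dkim_pass_domain: Optional[str]  # d= of a valid DKIM signature, or None


def deliver(message: Message, spf_record: str) -> str:
    """Simulate the receiver: SPF first, then DMARC.

    Returns 'rejected-at-spf', 'dmarc-pass' or 'dmarc-fail'. An SPF 'fail'
    is rejected immediately (assumed receiver behaviour), so DKIM is never
    looked at; softfail/neutral continue on to DMARC.
    """
    spf_result = spf_check(spf_record, message.sender_ip)
    if spf_result == "fail":
        return "rejected-at-spf"
    # DMARC passes if SPF or DKIM passes AND that identifier aligns with From:.
    spf_aligned = spf_result == "pass" and message.mail_from_domain == message.from_header_domain
    dkim_aligned = message.dkim_pass_domain == message.from_header_domain
    return "dmarc-pass" if (spf_aligned or dkim_aligned) else "dmarc-fail"


def forwarded_message() -> Message:
    """Constructed scenario: mail from example.com relayed by a forwarder at
    198.51.100.7, an IP absent from example.com's SPF record. The original
    DKIM signature (d=example.com) survives forwarding intact."""
    return Message(sender_ip="198.51.100.7", mail_from_domain="example.com",
                   from_header_domain="example.com", dkim_pass_domain="example.com")


def compare_qualifiers() -> Dict[str, str]:
    """Outcome of the forwarded message under each 'all' qualifier."""
    msg = forwarded_message()
    return {name: deliver(msg, rec) for name, rec in SPF_RECORDS.items()}


if __name__ == "__main__":
    for name, outcome in compare_qualifiers().items():
        print(f"{name:8s} {SPF_RECORDS[name]:36s} -> {outcome}")
```

Running it shows the forwarded message rejected at the SPF stage under -all, while under ~all and ?all it reaches DMARC and passes on the aligned DKIM signature. The same deliver() function also shows the other side of the trade-off: a message from that forwarder IP with no valid DKIM signature gets dmarc-fail under ~all, so the softer qualifier does not switch enforcement off, it moves it to DMARC.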

If you are unsure what DMARC and DKIM are or what their implications are, please learn more about them, especially since you are already invested in knowing the difference between -all and ~all.

Cites

brightball.com — Information on DMARC and SPF is based on a Slack conversation, repurposed in this post to document the knowledge. The cite link is to an article with more information.

