You are better off using snail mail than using -all in Sender Policy Framework (SPF) records. Put plainly: avoid -all in SPF records, unless, of course, you enjoy never-ending wars with your receivers' spam folders. This is sage advice that was given to me, and I now pass it on to you.

I've made the mistake of using -all myself. It is generally recommended to use ~all or ?all instead of -all in SPF records to indicate a soft fail, so that mail is still delivered even if the SPF check fails. Sure, using ~all or ?all can land your emails in spam folders, but a spam folder beats undelivered email altogether.

When -all is specified in an SPF record, receiving mail servers are instructed to reject every email that does not pass the SPF check. This can leave legitimate emails undelivered whenever anything is wrong with your SPF configuration.

Also, if you rely on forwarding services or third-party email providers to send emails on your behalf, specifying -all can cause delivery issues. These services are not always included in the SPF record, so valid emails end up marked as spam.

Where Should Strict Security Live?

Essentially, ~all lets you defer enforcement to the DMARC policy, and DMARC is a much better controller for security. If you use -all, the receiver enforces the SPF rule before the DMARC policy is even evaluated, so a DKIM signature that would fully pass never gets the chance.

If you are unsure what DMARC and DKIM are or what their implications are, please learn more about them, especially since you are already invested in knowing the difference between -all and ~all.

Cites

brightball.com: the information on DMARC and SPF here is based on a Slack conversation, repurposed in this post to document the knowledge. The cite link is to an article with more information.

Side Notes

If you are instituting DMARC, do not require SPF to pass. SPF is prone to fail; for example, Google Calendar email invites can fail SPF because they are not sent from Gmail. You should be good to go if SPF fails and your DKIM passes. A DKIM failure should be your major red flag, not an SPF failure.
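To make the two points above concrete (the effect of the trailing `all` qualifier, and why a DKIM pass rescues a forwarded message under DMARC), here is a small added example that is not part of the original post. The record strings and domain names are constructed; no DNS lookups are performed, and the DMARC verdict is the simplified "either SPF or DKIM passes and aligns" rule, not a full implementation.

```python
"""Added example (not from the original post): inspect an SPF record's
final 'all' qualifier and show how DMARC judges a message whose SPF
check fails but whose DKIM signature passes. Record strings and domain
names below are constructed for illustration; nothing is looked up."""
import re

# Meaning of the qualifier on the trailing 'all' mechanism (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail (hard)", "~": "softfail", "?": "neutral"}


def spf_all_qualifier(record: str) -> str:
    """Return the qualifier ('+', '-', '~', '?') on the 'all' mechanism.

    An 'all' without an explicit qualifier defaults to '+'. A record that
    has no 'all' at all returns '' (no default rule for unlisted senders).
    """
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return ""


def spf_hard_fails(record: str) -> bool:
    """True when the record asks receivers to reject unlisted senders."""
    return spf_all_qualifier(record) == "-"


def dmarc_result(spf_result: str, spf_aligned: bool,
                 dkim_result: str, dkim_aligned: bool) -> str:
    """Simplified DMARC verdict (RFC 7489): pass if EITHER SPF or DKIM
    passes AND that identifier aligns with the From: header domain."""
    spf_ok = spf_result == "pass" and spf_aligned
    dkim_ok = dkim_result == "pass" and dkim_aligned
    return "pass" if spf_ok or dkim_ok else "fail"


if __name__ == "__main__":
    # Constructed records for a hypothetical domain.
    strict = "v=spf1 include:_spf.example-provider.test -all"
    soft = "v=spf1 include:_spf.example-provider.test ~all"
    print(strict, "->", QUALIFIERS[spf_all_qualifier(strict)])
    print(soft, "->", QUALIFIERS[spf_all_qualifier(soft)])
    # A forwarded message: SPF fails, but the DKIM signature survives.
    print("forwarded mail DMARC:", dmarc_result("fail", False, "pass", True))
```

With the strict record a receiver that honours -all may reject the forwarded message outright; with the soft record the same message reaches DMARC, where the aligned DKIM pass gives a "pass" verdict.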

