You are better off using snail mail than using -all for Sender Policy Framework (SPF) records. Also, avoid using -all for SPF records. Unless, of course, you enjoy never-ending wars with your receivers’ spam folder. This is sage advice that was given to me, and I now pass it on to you.
I’ve made the mistake myself of using -all before. It is often recommended to use ~all or ?all instead of -all in SPF records to indicate a softer fail, allowing mail to be delivered even if SPF checks fail. Sure, using ~all or ?all can land your emails in spam folders, but spam folders are better than undelivered emails altogether.
When “-all” is specified in an SPF record, receiving mail servers are instructed to reject emails (that means all emails) that do not pass SPF checks. This can lead to legitimate emails being undelivered if there are any issues with SPF configuration.
Also, if you rely on forwarding services or use third-party email providers to send email on your behalf, specifying -all can cause delivery issues. These services may not always be included in the SPF record, resulting in valid emails being marked as spam.
Where Should Strict Security Live?
Essentially, ~all lets you defer the enforcement of security to the DMARC policy — DMARC is a much better controller for security. If you use -all, it will enforce the SPF rule before the DMARC policy is even attempted. In that case, the DKIM signature that may fully pass doesn’t even get the chance.
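To make the difference between -all, ~all and ?all concrete, here is a small Python model I am adding to this post (it is not code from the original article or from brightball.com). It does two things: it evaluates a minimal SPF record (only ip4/ip6 mechanisms and the trailing all term; include:, a, mx and redirect= are deliberately left out) to get an SPF result, and then it models a receiver that enforces an SPF hard fail before DMARC is consulted, so you can see why a DKIM signature that would pass never gets the chance under -all. The sender IPs, SPF records and the receiver's behaviour are constructed assumptions for illustration; real receivers vary, and the model assumes the SPF domain is already aligned with the From: domain for DMARC purposes. This same example also covers the side note below about DKIM rescuing mail when SPF fails.

```python
"""Added example: SPF 'all' qualifiers and the SPF-before-DMARC ordering.

Assumptions (not from the original post): only ip4:/ip6: mechanisms are
evaluated, SPF is treated as DMARC-aligned, and the modelled receiver
rejects on an SPF hard fail before it ever looks at DKIM or DMARC.
"""
import ipaddress

# Qualifier prefix on an SPF mechanism -> SPF result when it matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none')
    for sender_ip against a minimal SPF record.

    Only ip4:/ip6: mechanisms and the 'all' terminator are understood; other
    mechanisms (include:, a, mx, ...) are skipped. That is enough to show what
    the trailing -all / ~all / ?all does to an unlisted sender.
    """
    if not record.startswith("v=spf1"):
        return "none"  # no usable SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unprefixed mechanism is implicitly '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            # The terminator matches every sender that reached it.
            return QUALIFIER_RESULT[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if ip in network:  # version mismatch simply does not match
                return QUALIFIER_RESULT[qualifier]
    return "neutral"  # record with no 'all' term: default result is neutral


def receiver_decision(spf_result: str, dkim_aligned_pass: bool,
                      dmarc_policy: str, reject_on_spf_hardfail: bool = True) -> str:
    """Model one receiver's handling of a message.

    With reject_on_spf_hardfail=True the receiver acts on SPF 'fail' during
    the SMTP transaction, before DMARC (and therefore DKIM) is considered.
    Otherwise it falls through to a DMARC check: pass if aligned SPF passes
    OR aligned DKIM passes, else apply the published DMARC policy.
    """
    if spf_result == "fail" and reject_on_spf_hardfail:
        return "rejected at SPF (DKIM never consulted)"
    if spf_result == "pass" or dkim_aligned_pass:
        return "delivered"
    return {
        "none": "delivered (DMARC monitor only)",
        "quarantine": "spam folder",
        "reject": "rejected by DMARC",
    }[dmarc_policy]


def compare_qualifiers(sender_ip: str = "203.0.113.10",
                       dkim_aligned_pass: bool = True,
                       dmarc_policy: str = "quarantine") -> dict:
    """For a sender NOT listed in the record (e.g. a forwarder or a third-party
    service you forgot to include), show the outcome under each 'all' qualifier.
    Returns {qualifier: (spf_result, receiver_decision)}."""
    outcomes = {}
    for qualifier in ("-", "~", "?"):
        # Constructed record: 192.0.2.0/24 is the only authorised range.
        record = f"v=spf1 ip4:192.0.2.0/24 {qualifier}all"
        spf_result = evaluate_spf(record, sender_ip)
        outcomes[qualifier] = (
            spf_result,
            receiver_decision(spf_result, dkim_aligned_pass, dmarc_policy),
        )
    return outcomes


if __name__ == "__main__":
    print("Listed sender, -all:",
          evaluate_spf("v=spf1 ip4:192.0.2.0/24 -all", "192.0.2.7"))
    print("Unlisted sender, DKIM passes:")
    for q, (spf, decision) in compare_qualifiers().items():
        print(f"  {q}all -> SPF {spf:<8} -> {decision}")
    print("Unlisted sender, DKIM fails, DMARC p=quarantine:")
    for q, (spf, decision) in compare_qualifiers(dkim_aligned_pass=False).items():
        print(f"  {q}all -> SPF {spf:<8} -> {decision}")
```

Running it shows the post's point directly: for the unlisted sender, -all yields an SPF fail that the modelled receiver acts on before DKIM is looked at, while ~all and ?all produce softfail/neutral and let a passing aligned DKIM signature carry the message through DMARC. With DKIM failing as well, ~all lands the message in the spam folder under p=quarantine, which is the author's preferred failure mode over outright rejection. The `reject_on_spf_hardfail` flag is there because receivers differ in whether they enforce SPF at SMTP time; flip it to see the behaviour of a receiver that always defers to DMARC.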
If you are unsure what DMARC and DKIM are or what their implications are, please learn more about them, especially since you are already invested in knowing the difference between -all and ~all.
Cites
brightball.com — Information on DMARC and SPF is based on a Slack conversation. Repurposed in the post to document knowledge. Cite link is to an article with more information.
Side Notes
If you are instituting DMARC, do not require SPF to pass. SPF is prone to fail, and services like Google Calendar email invites might cause SPF to fail (they are not sent from Gmail). You should be good to go if SPF fails and your DKIM passes. DKIM failure should be your major red flag, not SPF failures.