SPF Still Matters in 2016

SPF (Sender Policy Framework) still matters in 2016. Lots of folks might be authenticating with DKIM now, but SPF is a useful fallback mechanism and in my oh-so-humble opinion, everybody sending email with their own domain name should publish an SPF record.

An SPF record is primarily used to publish a list of IP addresses or network ranges. You're telling the world that those IP addresses are allowed to send mail using that domain in the from address.

The $64,000 question: Dash all or Tilde all?
  • Ending the SPF record with "-all" tells the world "I'm confident that any other mail using my domain, coming from other IP addresses, must be forged; treat it harshly."
  • Ending the SPF record with "~all" tells the world "I'm mostly but not entirely confident that any other mail using my domain, coming from other IP addresses, is probably forged; examine it more closely."
Which is better? Using "-all" used to seem to improve deliverability a bit more than using "~all." Though I haven't personally tested that in a long time, I'd lean toward using "-all," unless you have concerns that you might have missed some of your sending IP addresses.

"But SPF is worthless," occasionally a spam fighter will cry. Not true! SPF is very useful in a whole other way: whitelisting! Run an ISP or a blacklist, and you want to make sure you don't block legitimate mail from Yahoo or Gmail outbound IP addresses? Use their SPF record as a whitelisting guide to make sure you don't reject mail from those IP addresses. SPF works very well for that.

Want to tell the world that your domain doesn't send any mail and that it's safe to assume any mail sent using this domain is forged? Publish a "v=spf1 -all" SPF record; that's exactly what it will tell anyone who checks and respects SPF records. Lots of domains publish this type of SPF record; I've found it useful as part of a domain validity check process, based on the assumption that if the domain doesn't send mail, it probably doesn't accept mail. It has served me well so far.

Useful Tools: You can use XNND Wombatmail to lookup an SPF record. The Authentication section on Wise Tools will help you break down that SPF record in more detail. Here's a very useful suite of SPF-related tools, published by Scott Kitterman.

(What about Sender ID? Does that still matter? No. Microsoft Hotmail / Outlook.com was the only one who cared about Sender ID, and no longer check for it.)

Edited to Add: You'll want to read Mickey Chandler's followup post, Drafted for the wrong fight.
Post a Comment