XNND DNS Tools

Ask Al: SPF -all or ~all?

[spf image]


Hey, Al! I was wondering if you could provide some guidance about SPF record format. Is it better to list the exact IP(s) in the SPF record? How about using the SPF dash (-all), or tilde (~all)? Which way is more common and better for deliverability?

SPF aka Sender Policy Framework is a form of email authentication. It's basically just a DNS record that you configure for your domain, and that DNS record usually just contains a list of the IP addresses of your mail servers (or somebody else's mail servers that are allowed to send mail on behalf of your domain). Wikipedia's the place to start if you want to dive into what SPF is in great detail. If you're reading on past this point, I'm going to assume that you know what an SPF record looks like.

When you create an SPF record, the last bit of it ends in the "all" mechanism, with one of three "modifiers:" ~all, -all or ?all. Here's what each one does.

  • Using ?all means "neutral/no" policy defined. This is sort of useless. You might see an ISP do this to say, "I'm not sure what all of my IP addresses are, but here, at least you have these ones, you can perhaps choose to whitelist my mail based on these." Cranky nerd jerks who want to fight about whether or not SPF should even exist will sometimes use this, as well. (If you find a "+all" mechanism, then you've definitely found one of those.)
  • Using ~all means you're setting a "soft fail" policy. You see this most often. The sender is saying "I am pretty sure I've listed all of my IPs in my SPF record, but I'm hedging my bets slightly."
  • Using -all means you're setting a "hard fail" policy. The sender is saying "I've for sure gotten my SPF record right, this is all of my IPs." It implies that ISPs should treat mail harshly if it references that domain but fails SPF.

For most senders, I recommend -all. Some folks recommend ~all, and that's okay, too, but historically there was an implied modest deliverability boost for using -all, so that's why I initially went that route, and why I still recommend it. For a lot of ESP send platforms, their use of a domain or subdomain is often pretty regimented and templated and the chances of sending mail through some other "weird way" that you didn't initially contemplate is very low. Meaning -all is generally going to be safe to use in that scenario.

This can also go hand-in-hand with DMARC. DMARC (and a DMARC reporting tool) can help you monitor for mail that fails SPF, helping you to catch when you might have accidentally gotten your SPF record wrong (perhaps not including all IP addresses).

For another point of view, EasyDMARC covers this on their site here. They recommend ~all instead of -all, but sometimes smart people can come up with different guidance, and I think that's okay.

1/1/2022 Edit: In comments, Jakub Olexa left some fantastic insightful feedback explaining that if you us -all (dash all), and you use DMARC, SPF is evaluated before DMARC, and thus you will, in some cases, have an ISP reject messages due to SPF failure without those messages being counted or logged as DMARC failures. The negative impact would be that these failures wouldn't show up in your DMARC reporting. Not every ISP works this way, but some do, and it's something to consider. Meaning that IF you use DMARC and you already use a strong (p=quarantine or p=reject) policy, ~all (tilde all) is probably the better way to go, ensuring you maximize your chances of these SPF failures showing up in your DMARC failure reporting.

Thanks, Jakub! This is something I hadn't considered and I appreciate the chance to learn something new!

4 Comments

Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.

  1. Hi Al, the problem with -all is that SPF is usually evaluated before DMARC and as such souces rejected at this stage will not be part of DMARC reports. While originally -all was the best practice with DMARC it's no longer true.

    ReplyDelete
  2. Jakub, thanks! It's true, some ISPs do seem to block aggressively based on SPF failure, preventing mail even getting far enough into the stream for the ISP to see that it might have passed DMARC based on the DKIM signature. But my guess is that in the case of an SPF failure or a forwarding scenario that breaks SPF, ~all might not be much of a savior in that scenario.

    ReplyDelete
    Replies
    1. It sure is as in case of softfail the messages do pass onto the next stages and ultimately get delivered. I'm not aware of an MBP that would use softfail for filtering.

      Delete
  3. Hi Al!

    There is also a matching failure when you have includes that use a different (?/~/-)all statement from the one used in your own spf record.
    Which means, if creating includes for clients (if an esp), leave out the ALL flag so the client's record doesn't conflict.
    Here is an example of google's:
    `v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all`
    If someone is using google email as well as other sources you're going to get a mismatch error if you use ~all in your own SPF.
    Example: "v=spf1 a mx include:_spf.google.com ~all"
    I am pretty sure this mismatch error doesn't affect anything deliverability-wise but it will stick out like a sore thumb in the headers.

    ReplyDelete
Previous Post Next Post