Ask Al: SPF -all or ~all? (Updated for 2024)


Here’s an update to something I last answered a couple of years ago: Hey, Al! I was wondering if you could provide some guidance about SPF record format. Is it better to list the exact IP(s) in the SPF record? How about using the SPF dash (-all), or tilde (~all)? Which way is more common and better for deliverability?

I’m going to start from the assumption that everyone reading knows what SPF is and that you’ve seen an SPF record before. (Whether or not you've ever read RFC 7208.) But if not, know that SPF essentially provides a whitelist or allowlist of IPs that are authorized to send mail on behalf of your domain. SPF goes hand in hand with DKIM and DMARC (and indeed, thinking of how it interacts with DMARC is what is driving me to make this update) to help protect domain owners from bad actors trying to spoof their domain, and to protect email users from receiving spoofing or phishing emails. Together, these are the core of email authentication.

When you create an SPF record, the last bit of it ends in the "all" mechanism, with one of three "modifiers:" ~all, -all or ?all. Here's what each one does (with the caveat that I'm oversimplifying things a bit, and basing some of this on what companies/scenarios I see implementing certain settings -- the RFC goes into way more detail about these are intended to be used):
  • Using ?all means "neutral/no" policy defined. The legitimate use case for this is rare. You might see an ISP do this to say, "I'm not sure what all of my IP addresses are, but here, at least you have these ones, you can perhaps choose to whitelist/allowlist some of my mail from this list." Once upon a time, occasionally angry jerks who wanted to fight about whether or not SPF should even exist would use this, as well. (If you find a "+all" mechanism, then you've definitely found one of those people.)
  • Using ~all means you're setting a "soft fail" policy. You see this most often. The sender is saying "I am pretty sure I've listed all of my IPs in my SPF record, but I'm hedging my bets slightly."
  • Using -all means you're setting a "hard fail" policy. The sender is saying "I've for sure gotten my SPF record right, this is all of my IPs." It implies that ISPs should treat mail harshly (i.e. reject it) if it references that domain but fails SPF.
Based on just that information, I’d probably tell you to choose “-all” (dash all), but I’d be wrong. Instead, the answer is more nuanced. Instead, consider:
  • Use "-all" only if you send no mail at all from this domain (I call this spf lockdown -- M3AAWG calls it a "naked -all"). “Dash all” gives you a sort of “proto DMARC” ability to announce “here’s how I want you to handle unauthenticated mail” and some internet service providers (ISPs) and mailbox providers (MBPs) will, as a result, reject mail that fails SPF checks. (But in a way that can negatively impact legitimate mail -- see the note below about "-all" being harmful below.)
  • Use "~all" if you’re aiming for best practices. If you use SPF, DKIM and DMARC together to fight phishing and spoofing, “tilde all” is the way to go. The reason for this is that if you publish your SPF record with “-all,” some number of mailbox providers, in both the B2C and B2B space, will reject the mail during the initial SMTP transaction – before that SMTP transaction gets far enough to find and check a DKIM signature.
In other words, some messages that might have passed DKIM might not get delivered, if you use “dash all.” Will it happen a lot? Is it a huge concern? It’s hard to say; I don’t anticipate it affecting millions of messages. But sometimes things go wrong or somebody sets up a new server and forgets to update an SPF record to add new IP addresses. If that mail would still pass DKIM, why not configure things so that it has a chance to get successfully delivered?

And if you implement “~all,” utilize DMARC (with a policy of reject), failed SPF + failed DKIM (or no DKIM) will still result in rejection of that unauthenticated mail.

You’ll see a zillion SPF records out there, templated things across hundreds of domains for various email marketing automation platforms, with “-all” in place, and not “~all.” Why? Well, partly because DMARC wasn’t a thing when SPF was first utilized. Before DMARC, “-all” was the best you could do as far as asking receiving mailbox providers to block forged mail. Sometimes templates get created once and then rarely updated. 

And with a big email marketing automation platform sending a zillion messages for a brand, the goal is to deliver as many messages as possible, as quickly as possible. They might not always see the nuance of making sure that every legitimate email message gets its best chance to be delivered. But if I were to be in the position of providing guidance to any platform like that today, my guidance would be that they should be using “~all.”

Ultimately, "-all" is harmful and problematic. Various government mailboxes, certain versions of legacy hosted Microsoft Exchange, and a number of international mailbox providers have all implemented inbound SPF checks in a way where they'll block mail for failing SPF without ever considering DKIM or DMARC. The risk of rejecting valid mail is greatly increased, with little upside -- even without using "-all," bad mail will still get rejected, when DMARC is implemented properly.

(Thanks to Jakub Olexa for being the first person, but not the last, to correct my prior comments on this topic.)
Post a Comment

Comments