Authenticating with SPF: -all or ~all

What is SPF?

Sender policy framework (SPF, RFC 7208) is an authentication process that ties the 5321.from (also known as the mail from, envelope from or return path) to authorized sending IP addresses. This authorization is published in a TXT record in DNS. Receivers can check SPF at the beginning of a SMTP transaction, compare the 5321.from domain to the connecting IP address and determine if that IP is authorized to transmit mail.

What does a SPF record look like?

At its simplest, the SPF TXT record contains a version indicator, allowed IPs and an authorization type.
In the example "v=spf1 ip4:198.51.100.26 -all":

  • v=spf1 is the version indicator
  • 198.51.100.26 is the allowed sending IP
  • -all means only this IP is authorized to send mail for the domain.

Of course, there are other ways to define authorized IP addresses. Using "v=spf1 mx -all" authorizes any IP that is also a MX for the sending domain. Other SPF records can be included using the include: command; for instance include:_spf.google.com includes Google’s SPF record. IPs can be in either IPv4 space or IPv6 space  by using either the ip4 or ip6 qualifiers: "v=spf1 ip4:198.51.100.26 ip6:2001:db8:8:4::2 -all". SPF records can also contain IP ranges in the form "v=spf1 ip4:198.51.100.128/25 -all".
Domain owners are also allowed to publish different types of authorization.
[table] Statement,Result,Meaning
+all,pass,Allow all mail
-all,fail,”Only allow mail that matches one of the parameters (IPv4, MX, etc) in the record”
~all,softfail,Allow mail whether or not it matches the parameters in the record
?all,neutral,No policy statement
[/table]

What’s the difference between ~all and -all

Given many receivers are not actively bouncing mail based on SPF pass/fail, there isn’t a strong argument for either -all or ~all in SPF records. For a while, Hotmail was advising that senders who published a -all record would have better delivery. This led to -all became a de-facto standard for a lot of ESPs and bulk senders. More recently, there does not seem to be any benefit to publishing -all even at Hotmail (Outlook.com, live.com, etc).

What should I publish?

I generally recommend publishing ~all records for my clients. There’s not a huge benefit to publishing -all and sometimes mail gets forwarded around. The one time I recommend a -all record is when a domain is getting forged into spam. Domain forgery can cause a lot of bounces. The amount of bounces can be bad enough to take down a mail server, particularly those with a small userbase. Many ISPs will check SPF before sending back a bounce and so a -all record can decrease the amount of blowback the domain owner has to deal with.

Do I have to publish SPF records?

No, there is no requirement for publishing SPF in order to send mail. You don’t even need to publish SPF to get inbox delivery. Gmail will even do a “best guess SPF” for domains not publishing SPF and authenticate off that. However, large volume senders should be publishing SPF records on principle.

Want to check your SPF record?

We provide a SPF checker on our Tools page.

Related Posts

Too much email on the brain

Last night I was cruising through our local news website. I see the headline New SPF guidelines coming our way.
My first thought was, “Wow, SPF made the paper?” Now, I live in the SF Bay area so there are a lot of technology related stories that hit our paper which might not see the light of day in other areas. But, still: new SPF guidelines hit the local paper before I’ve heard about it? That seems a little strange.
Then I notice that it’s in the “Living” section. That’s even stranger.
Oh, well, if there’s new SPF stuff, I’d better click and see what is going on with SPF. The internal headline is Beauty Tuesday: New SPF guidelines accompanied by a picture of sunscreen. It was only then I realized it wasn’t about sender policy framework but was about sun protection.
A bit of a picard-facepalm2 moment for me.
Happy Friday, everyone.

Read More

Gmail and the via

I was hoping to have a detailed post up today about the conditions where gmail presents the user with a “via” but time seems to have gotten away from me. But I can give you the conclusions.

Read More

CNN warns about Target copy-cat phishes

Target did indeed do a blast to customers to offer one year of free credit monitoring. The problem is scammers are also on the prowl and are sending out similar emails.
Target even says it has identified and stopped at least 12 scams preying on consumers via email, Facebook and other outlets.CNN: Did you get an email from Target?

Read More