Authenticating with SPF: -all or ~all

What is SPF?

Sender policy framework (SPF, RFC 7208) is an authentication process that ties the 5321.from (also known as the mail from,envelope from or return path) to authorized sending IP addresses. This authorization is published in a TXT record in DNS. Receivers can check SPF at the beginning of a SMTP transaction, compare the 5321.from domain to the connecting IP address and determine if that IP is authorized to transmit mail.

What does a SPF record look like?

At its simplest, the SPF TXT record contains a version indicator, allowed IPs and an authorization type.

In the example "v=spf1 ip4:198.51.100.26 -all":

  • v=spf1 is the version indicator
  • 198.51.100.26 is the allowed sending IP
  • -all means only this IP is authorized to send mail for the domain.

Of course, there are other ways to define authorized IP addresses. Using "v=spf1 mx -all" authorizes any IP that is also a MX for the sending domain. Other SPF records can be included using the include: command; for instance include:_spf.google.comincludes Google’s SPF record. IPs can be in either IPv4 space or IPv6 space  by using either the ip4 or ip6 qualifiers: "v=spf1 ip4:198.51.100.26 ip6:2001:db8:8:4::2 -all". SPF records can also contain IP ranges in the form "v=spf1 ip4:198.51.100.128/25 -all".

Domain owners are also allowed to publish different types of authorization.

Statement Result Meaning
+all pass Allow all mail
-all fail Only allow mail that matches one of the parameters (IPv4, MX, etc) in the record
~all softfail Allow mail whether or not it matches the parameters in the record
?all neutral No policy statement

What’s the difference between ~all and -all

Given many receivers are not actively bouncing mail based on SPF pass/fail, there isn’t a strong argument for either -all or ~all in SPF records. For a while, Hotmail was advising that senders who published a -all record would have better delivery. This led to -all became a de-facto standard for a lot of ESPs and bulk senders. More recently, there does not seem to be any benefit to publishing -all even at Hotmail (Outlook.com, live.com, etc).

What should I publish?

I generally recommend publishing ~all records for my clients. There’s not a huge benefit to publishing -all and sometimes mail gets forwarded around. The one time I recommend a -all record is when a domain is getting forged into spam. Domain forgery can cause a lot of bounces. The amount of bounces can be bad enough to take down a mail server, particularly those with a small userbase. Many ISPs will check SPF before sending back a bounce and so a -all record can decrease the amount of blowback the domain owner has to deal with.

Do I have to publish SPF records?

No, there is no requirement for publishing SPF in order to send mail. You don’t even need to publish SPF to get inbox delivery. Gmail will even do a “best guess SPF” for domains not publishing SPF and authenticate off that. However, large volume senders should be publishing SPF records on principle.

Want to check your SPF record?

We provide a SPF checker on our Tools page.

 

source