Ask Al: SPF -all or ~all?
pubsub.slavino.sk / spam_resource · Wednesday, 22 December, 2021 - 13:00 · 2 minutes
SPF, aka Sender Policy Framework, is a form of email authentication. It's basically just a DNS TXT record that you configure for your domain, and that record usually just contains a list of the IP addresses of your mail servers (or somebody else's mail servers that are allowed to send mail on behalf of your domain). Wikipedia's the place to start if you want to dive into what SPF is in great detail. If you're reading on past this point, I'm going to assume that you know what an SPF record looks like.
When you create an SPF record, the last term of it is the "all" mechanism, prefixed with one of four qualifiers (the spec's term; they're often loosely called modifiers): ~all, -all, ?all or, rarely, +all. The qualifier decides what result a receiver gets when none of the earlier mechanisms matched the sending IP. Here's what each one does.
- Using ?all means "neutral": no policy is being asserted for unlisted IPs. This is sort of useless. You might see an ISP do this to say, "I'm not sure what all of my IP addresses are, but here, at least you have these ones, you can perhaps choose to whitelist my mail based on these." Cranky nerd jerks who want to fight about whether or not SPF should even exist will sometimes use this, as well. (If you find a "+all" mechanism, which returns "pass" for every IP on the internet and so authorizes anyone to send as the domain, then you've definitely found one of those.)
- Using ~all means you're setting a "softfail" policy. You see this most often. The sender is saying "I am pretty sure I've listed all of my IPs in my SPF record, but I'm hedging my bets slightly." Receivers generally accept the mail but may mark or score it.
- Using -all means you're setting a "fail" (often called hard fail) policy. The sender is saying "I've for sure gotten my SPF record right, this is all of my IPs." It tells receivers that mail which references that domain but fails SPF can be treated harshly, up to and including rejection.
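To make the four qualifiers concrete, here is a small SPF evaluator written for this page (added example, not code from the original post or from any SPF library). It handles only the ip4, ip6, include and all mechanisms, resolves include targets from a constructed in-memory dictionary instead of real DNS, and returns the result names a receiver would produce. Every record and IP address in it is constructed documentation-range data.

```python
import ipaddress
import re

# Qualifier -> result name. "+" is the default when no qualifier is written,
# so "ip4:192.0.2.0/24" and "+ip4:192.0.2.0/24" mean the same thing.
QUALIFIER_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS: include targets map to their TXT records.
CONSTRUCTED_DNS = {
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/24 -all",
}


def parse_spf(record: str):
    """Split a TXT record into (qualifier, mechanism, argument) tuples.

    Only v=spf1 records are accepted; the version tag itself is dropped.
    Mechanism names are lower-cased; a missing qualifier becomes "+".
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)([a-z0-9]+)(?:[:=](.*))?", term, re.IGNORECASE)
        if not m:
            raise ValueError(f"unparseable term: {term}")
        qual, mech, arg = m.groups()
        parsed.append((qual or "+", mech.lower(), arg))
    return parsed


def evaluate(record: str, sender_ip: str, resolver=None) -> str:
    """Return the SPF result for sender_ip checked against record.

    Mechanisms are tested left to right; the first match wins and its
    qualifier becomes the result. Supported subset: ip4, ip6, include, all.
    Anything else yields "permerror" in this illustration.
    """
    ip = ipaddress.ip_address(sender_ip)
    resolver = resolver if resolver is not None else CONSTRUCTED_DNS
    for qual, mech, arg in parse_spf(record):
        matched = False
        if mech in ("ip4", "ip6") and arg:
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            # An ip4 mechanism never matches an IPv6 sender and vice versa.
            matched = ip.version == net.version and ip in net
        elif mech == "include" and arg:
            sub = resolver.get(arg.lower())
            if sub is None:
                return "permerror"
            # include only matches when the included record evaluates to pass;
            # a fail/softfail/neutral inside it just means "no match here".
            matched = evaluate(sub, sender_ip, resolver) == "pass"
        elif mech == "all":
            matched = True
        else:
            return "permerror"  # a, mx, ptr, exists, redirect= are not implemented here
        if matched:
            return QUALIFIER_RESULTS[qual]
    # No mechanism matched and there was no "all" term at all.
    return "neutral"


if __name__ == "__main__":
    hard = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
    soft = "v=spf1 ip4:192.0.2.0/24 ~all"
    for rec in (hard, soft):
        for ip in ("192.0.2.7", "198.51.100.9", "203.0.113.5"):
            print(f"{ip:>14}  {rec!r:60} -> {evaluate(rec, ip)}")
```

Running it shows the practical difference the trailing qualifier makes: the unlisted address 203.0.113.5 comes back as "fail" under the -all record and "softfail" under the ~all record, while the listed addresses pass either way. That "fail" for a legitimate server you forgot to list is exactly the case the DMARC reports discussed below help you catch.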
For most senders, I recommend -all. Some folks recommend ~all, and that's okay, too, but historically there was an implied modest deliverability boost for using -all, so that's why I initially went that route, and why I still recommend it. For a lot of ESP (email service provider) send platforms, their use of a domain or subdomain is pretty regimented and templated, and the chances of sending mail through some other "weird way" that you didn't initially contemplate is very low. Meaning -all is generally going to be safe to use in that scenario. The risk to weigh is the opposite case: if you do have an unlisted legitimate source, -all asks receivers to reject that mail outright, where ~all would usually let it through with a mark against it.
This can also go hand-in-hand with DMARC. DMARC (and a DMARC reporting tool that digests the aggregate reports receivers send back) can help you monitor for mail that fails SPF, helping you to catch when you might have accidentally gotten your SPF record wrong (perhaps not including all IP addresses) before tightening to -all or before it costs you much mail.
For another point of view, EasyDMARC covers this on their site here. They recommend ~all instead of -all, but sometimes smart people can come up with different guidance, and I think that's okay.