Confused about SPF Records

spam spf mx-record dmarc

I thought that ?all in SPF should not be used.

Then I examinated SPF records of some local email provider companies and I found this:

v=spf1 mx ip4:77.75.78.0/23 ip4:77.75.76.0/23 ip6:2a02:598::/32 ?all`

Isn't this basically saying to mark failed SPF as Neutral, therefore letting basically everyone to send emails on behalf of that domain ?

Their DMARC is set like this:

v=DMARC1; p=none; rua=mailto:[email protected]

Again, isn't this saying to do nothing when DMARC fails ?

Then there is the company I'm working in. Their's SPF record is like this:

v=spf1 mx a:xxx.xxx.xxx a:xxx2.xxx.xxx include:protection.outlook.com include:spf.xxx.xxx ?all

Do the include's overwrite the final ?all ? Again, doesn't this say to mark everything as Neutral ?

What's the actual use case of ?all in SPF records ?


In principle you are right, a SPF softfail was intended to be a temporary setting for just testing of the setup. After testing it was recommented to be changed into the hard fail mode, where record is set to end with -all.

But it seems everybody is frigthened to lose some spam or simply are not self confident. Many people chose to leave it in the softfail setting.

The same seems to be with DMARC. The policy none does nothing. If you want your DMARC to be really effective, use reject or quarantine policy. Then compliant servers will refuse to accept and deliver a mail which claims to be from your domain but in reality it is not yours.

To some extent this is alleviated with the fact there are sophisticated spam filters, which still consider SPF and DMARC results and pessimize the score of mail which failed the tests. SPF softfail and others are considered together with body statistical analysis, blacklist quieries and so on, and together they tend to lower the score of spam so severely so it nevertheless is getting into a spam, or, conversely, correct SPF and/or DKIM depessimizes innocent mails, making them to look less spammy. So even DMARC p=none and SPF ~all or ?all still are doing some good, by increasing the "innocence" of good mail instead of pessimizing "bad" ones.

Related

Use "Unassigned" or IP address for IIS?
Forward DNS local to Jira URL
LDAP Client Authentication using SSSD: Groups issue
Best way to redirect root domain ("apex domain") to another location
Can't get hibernate to work Ubuntu 21.10
"Invalid package information" error when upgrading to Ubuntu 20.04
DHCP address keeps getting generated with netplan and bonded interface
How can I generate a number start with 1 and only has 10 digit bash script
Can't resize my exFAT partition
How to extend partition with free space that is before it using gparted?
Share a local folder over the internet
SSD NVME M.2 not detected on Ubuntu 21.10 during installation