Is using SOFTFAIL over FAIL in the SPF record considered best practice?
Or put another way, is using v=spf1 a mx ~all recommended over using v=spf1 a mx -all? The RFC does not appear to make any recommendations. My preference has always been to use FAIL, which causes problems to become apparent immediately. I find that with SOFTFAIL, incorrectly configured SPF records are allowed to persist indefinitely, since no one notices.
All of the examples I have seen online, however, seem to use SOFTFAIL. What made me question my choice was when I saw the Google Apps instructions for configuring SPF:
Create a TXT record containing this text: v=spf1 include:_spf.google.com ~all
Publishing an SPF record that uses -all instead of ~all may result in delivery problems. See Google IP address ranges for details about the addresses for the Google Apps mail servers.
Are the examples being overly cautious by pushing the use of SOFTFAIL? Are there good reasons that make the use of SOFTFAIL a best practice?
Well, it was certainly not the intent of the specification for it to be used instead - softfail is intended as a transition mechanism, where you can have the messages marked without rejecting them outright.
As you've found, failing messages outright tends to cause problems; some legitimate services, for example, will spoof your domain's addresses in order to send mail on behalf of your users.
Because of this, the less draconian softfail is recommended in a lot of cases as a less-painful way to still get a lot of the help that SPF offers, without some of the headaches; recipients' spam filters can still take the softfail as a strong hint that a message may be spam (which many do).
If you're confident that no message should ever come from a node other than what you've specified, then by all means, use fail as the SPF standard intended... but as you've observed, softfail has definitely grown beyond its intended use.
In my understanding, Google relies not only on SPF, but also on DKIM and ultimately DMARC to evaluate e-mails. DMARC takes into account both SPF and DKIM-signing. If either is valid, Gmail will accept the e-mail but if both fail (or softfail), this will be a clear indication that the e-mail may be fraudulent.
This is from Google's DMARC pages:
A message must fail both SPF and DKIM checks to also fail DMARC. A single check failure using either technology allows the message to pass DMARC.
I therefore think it would be recommended to use SPF in softfail-mode in order to allow it to enter into the greater algorithm of mail analysis.
-all should always be used NO EXCEPTION. To not use it is opening yourself up to someone spoofing your domain name. Gmail for instance has a ~all. Spammers spoof gmail.com addresses all the time. The standard says we must accept emails from them because of ~all. I personally don't follow the standard on this, because I've realized most of you have set up your SPF records incorrectly. I enforce ~all, ?all, just as I would -all. SPF Syntax SPF mistakes
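To make the difference discussed in this thread concrete, the following added example (not code from the question or from any answer) reads the qualifier on the `all` mechanism of the records quoted above and reports what an unauthorised sender gets from an SPF-only receiver versus from a DMARC evaluation. The function names and the `SPF_ONLY_HANDLING` wording are assumptions made for illustration; domain alignment is assumed to hold so that only the SPF and DKIM results vary.

```python
# Added example (not from the thread). Records are the ones quoted above.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# What RFC 7208 section 8 suggests to a receiver that looks at SPF alone.
SPF_ONLY_HANDLING = {
    "pass": "accept",
    "fail": "may reject",
    "softfail": "accept, but scrutinise or flag",
    "neutral": "treat as if no SPF record existed",
}

def all_result(record):
    """SPF result for a sender that matches no mechanism before 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    redirect = False
    for term in terms[1:]:
        qualifier, mech = ("+", term)          # '+' is the default qualifier
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech.lower() == "all":
            return QUALIFIERS[qualifier]       # 'all' always matches; later terms are ignored
        redirect = redirect or mech.lower().startswith("redirect=")
    # No 'all': the result comes from the redirect target, else defaults to neutral.
    return "redirect" if redirect else "neutral"

def dmarc_passes(spf, spf_aligned, dkim, dkim_aligned):
    """DMARC passes if SPF or DKIM passes for a domain aligned with From:."""
    return bool((spf == "pass" and spf_aligned) or (dkim == "pass" and dkim_aligned))

def spoofed_mail_outcome(record, dkim="none"):
    """Outcome for mail from a host the record does not authorise."""
    spf = all_result(record)
    return {
        "spf": spf,
        "spf_only_receiver": SPF_ONLY_HANDLING.get(spf, "evaluate redirect target"),
        "dmarc_pass": dmarc_passes(spf, True, dkim, True),
    }

if __name__ == "__main__":
    for rec in ("v=spf1 a mx ~all", "v=spf1 a mx -all",
                "v=spf1 include:_spf.google.com ~all"):
        print(rec, "->", spoofed_mail_outcome(rec))
```

For an unsigned message from an unlisted host, `~all` and `-all` both leave DMARC failing; the two records differ only in what a receiver that checks SPF alone is told to do.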