Wildcard configured emails allow spammers to deliver mail? (SPF: "softfail")

When you use the SoftFail qualifier (the ~) in an SPF mechanism, you indicate that a matching sender should be treated with suspicion, but not outright rejected.

The Fail qualifier (the -), on the other hand, encourages receiving MTAs to reject the SMTP transfer immediately with a 5.1.7 DSN.

So when you are using ~all at the end of your record, you are only partially preventing spammers from abusing your domain and your reputation.

Read more about how check_host() results should be treated according to the RFC Specification here: IETF RFC 4408 §2.5 "Interpreting the results"


In addition to what Mathias said (which is good), note the key word "encourages" in his second sentence: "The Fail qualifier... encourages receiving MTAs to reject the email".

I would also recommend looking into DMARC. Once you have SPF and DKIM records in place, which it sounds like you do, DMARC is a way for you to tell receiving mail servers what to do with email that fails both the SPF and DKIM test.

When an email fails those tests, AND a receiving MTA honors DMARC records, then you can control what they do with that email: reject it outright, mark it as spam, or deliver it.
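
To audit a domain for the settings both answers discuss, the following added example (not part of either answer) reads the qualifier on the SPF `all` mechanism and the DMARC `p=` tag from TXT record strings and reports what a receiver is being asked to do. The records for `example.com` are constructed, the function names are hypothetical, and `"Redirect"` is this script's own marker rather than an SPF result name.

```python
# Added example: all sample records are constructed for example.com.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}
DMARC_ACTIONS = {"none": "deliver", "quarantine": "mark as spam", "reject": "reject"}


def spf_all_result(record):
    """Return the SPF result name produced by the record's `all` mechanism.

    Returns None if the TXT string is not an SPF record. A record with no
    `all` term falls through to Neutral (the RFC 4408 default), unless a
    redirect= modifier hands evaluation to another domain ("Redirect").
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    redirect = False
    for term in terms[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            redirect = True
            continue
        # A mechanism without an explicit qualifier defaults to "+".
        qualifier, mech = (low[0], low[1:]) if low[0] in QUALIFIERS else ("+", low)
        if mech == "all":
            return QUALIFIERS[qualifier]  # terms after `all` are never reached
    return "Redirect" if redirect else "Neutral"


def dmarc_policy(record):
    """Return the p= tag of a DMARC record, or None if absent or invalid."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return None
    policy = tags.get("p")
    return policy if policy in DMARC_ACTIONS else None


def posture(spf_record, dmarc_record):
    """Summarise what a receiver that honors both records is asked to do."""
    spf = spf_all_result(spf_record)
    policy = dmarc_policy(dmarc_record) if dmarc_record else None
    action = DMARC_ACTIONS.get(policy, "receiver decides (no DMARC policy)")
    return f"SPF all -> {spf}; DMARC on failure -> {action}"
```
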