How should I end my SPF record? ~all? -all? +all?

March 10, 2015

As a follow-up to our previous post about common SPF issues, we are drilling into the mechanism at the end of the record that seems to confuse many: all, and the qualifier in front of it.

tl;dr Use ~all at the end of your SPF record. Unless you’re really sure you know what you’re doing…then you can use -all.

What does the standard say?

SPF records let the world know who is authorized to send email on your behalf. Specifically, it is a technical method to prevent forgery of the envelope sender (the MAIL FROM address checked during the SMTP transaction; the visible From header is only covered once DMARC ties the two together). It allows the owner of a domain to specify the mail servers they use to send mail. Get this record right, and you’re in good shape with the ISPs. Mess it up, and you’ll likely end up in the spam folder.

The all mechanism tells mail servers what to do with everything that isn’t sent from a mail server matched by one of the mechanisms listed earlier in your SPF record. The character in front of it is the qualifier, and it decides the SPF result for that remaining mail.

The options and their interpretations are:

  • -all Fail: All mail servers not listed in the SPF record are explicitly not authorized to send mail using the sender’s domain.
  • ~all Soft Fail: All mail servers not listed in the SPF record are not authorized to send mail using the sender’s domain, but the owner of the domain is unwilling to make a strong assertion to that effect.
  • ?all Neutral: The domain owner cannot or does not want to assert whether or not mail servers not listed in the SPF record are authorized to send mail using the sender’s domain.
  • +all Pass: All mail servers are authorized to send mail on behalf of the sender’s domain.

For example, v=spf1 include:sendgrid.net -all means that email from SendGrid will pass SPF validation, but all other email servers are explicitly not authorized.

Any mechanism that appears after all is never evaluated, because all matches everything (a redirect= modifier is ignored once all has matched). If the record has no all mechanism, mail from an unlisted server gets the result Neutral, the same as if you had written ?all.

What do people actually do?

We looked at the SPF records for the top 500,000 sites, as rated by Alexa. Of those, 205,043 had the phrase v=spf1 in their TXT or SPF Type 99 records, meaning they had an SPF record (though many were not valid). 97% of the SPF records ended with some variation of all. Here is a breakdown of the results:

[Figure SPF_all: breakdown of how the 205,043 records end; the table itself is not reproduced on this page]

Only the first five are valid (all maps to +all, according to the standard).

In fact, probably only the first three should be considered valid SPF records, as +all means that anyone is authorized to send email from your domain. This is much worse than having no SPF record at all: a receiver that gets no record can still fall back to its own reputation checks, whereas +all tells it the forgery is authorized. The folks who wrote the standard (RFC 4408, now RFC 7208) have this to say about using +all: “The domain owner thinks that SPF is useless and/or doesn’t care.”

What is the worst mistake I can make?

If you just use all with no qualifier, then +all is assumed, because + is the default qualifier for every mechanism. That means everybody is authorized to send email from your domain!

We saw hundreds of domains that had ~ all rather than ~all. Those show as all in the table. That accidental space between the tilde and the all splits one term into two. A strict checker that follows the standard treats the bare ~ as a syntax error and returns PermError for the whole record; a lenient checker that skips the bad token sees a bare all and treats it as +all. Either way the intended “soft fail all email from domains or IPs not listed in the SPF record” is gone, and in the lenient case it has become “pass all email”. Oops.
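The following checker is an added example written for this post, not code from SendGrid’s SPF tool. It implements the rules described above (the four qualifiers, + as the default, mechanisms after all being ignored, Neutral when all is missing) and flags the two mistakes from this section: a bare all and the “~ all” typo. The records it is run against are constructed for illustration; the term grammar follows the ABNF in RFC 7208 section 12.

```python
"""Classify what an SPF record does with mail from an unlisted host.

Added example for this post; the sample records below are constructed.
"""
import re

# Result that each qualifier assigns to senders the record does not match.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# directive = [qualifier] mechanism [":" or "/" argument]   (RFC 7208 s.12)
DIRECTIVE_RE = re.compile(
    r"^(?P<qual>[+\-~?])?(?P<mech>all|include|a|mx|ptr|ip4|ip6|exists)"
    r"(?P<arg>[:/].*)?$",
    re.IGNORECASE,
)
# modifier = name "=" value, e.g. redirect=_spf.example.com or exp=...
MODIFIER_RE = re.compile(r"^[a-z][a-z0-9_.-]*=", re.IGNORECASE)


def check_spf(record: str) -> dict:
    """Return the result for an unlisted sender, the qualifier found on
    'all' (None if absent), and a list of warnings about the record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"result": "none", "qualifier": None,
                "warnings": ["not an SPF record (must start with v=spf1)"]}

    warnings = []
    redirect = None
    for i, term in enumerate(terms[1:], start=1):
        if MODIFIER_RE.match(term):
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue  # other modifiers do not affect the default result

        m = DIRECTIVE_RE.match(term)
        if not m:
            # A bare qualifier such as the "~" left behind by "~ all" is not
            # a valid term: a conforming checker returns permerror. Show what
            # a lenient checker that silently dropped the token would decide.
            lenient = check_spf(" ".join(t for j, t in enumerate(terms) if j != i))
            return {"result": "permerror", "qualifier": None,
                    "warnings": [f"unparseable term {term!r}; a checker that "
                                 f"skipped it would return {lenient['result']}"]}

        if m["mech"].lower() == "all":
            qual = m["qual"] or "+"  # no qualifier means "+" (pass)
            if qual == "+":
                warnings.append("+all authorizes every host on the Internet; "
                                "worse than having no SPF record")
            trailing = [t for t in terms[i + 1:] if DIRECTIVE_RE.match(t)]
            if trailing:
                warnings.append(f"{len(trailing)} mechanism(s) after all are "
                                "never evaluated")
            return {"result": QUALIFIER_RESULT[qual], "qualifier": qual,
                    "warnings": warnings}

    # No 'all' mechanism: only redirect= changes the default of neutral.
    if redirect:
        return {"result": f"redirect:{redirect}", "qualifier": None,
                "warnings": warnings}
    warnings.append("no all mechanism; unlisted senders get neutral (as ?all)")
    return {"result": "neutral", "qualifier": None, "warnings": warnings}


# Constructed sample records covering the cases discussed in the post.
SAMPLES = {
    "recommended": "v=spf1 include:sendgrid.net ~all",
    "strict":      "v=spf1 include:sendgrid.net -all",
    "bare all":    "v=spf1 include:sendgrid.net all",
    "tilde space": "v=spf1 include:sendgrid.net ~ all",
    "missing all": "v=spf1 include:sendgrid.net",
    "after all":   "v=spf1 -all include:sendgrid.net",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        info = check_spf(rec)
        print(f"{label:12} {rec:40} -> {info['result']:10} {info['warnings']}")
```

To check a live domain, paste the output of dig +short TXT yourdomain.com (quotes removed) into check_spf; anything other than softfail or fail for unlisted senders deserves a second look.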

How can I check my record?

Fill out the automated SPF record check form, and we will make sure your SPF record is correct and that the email you sent passes the validation check.
