The Mechanism Of SPF ‘~All’ And How It Is Different From ‘-All’
The SPF syntax incorporates specific mechanisms, such as ‘all,’ ‘ip4,’ ‘ip6,’ ‘a,’ ‘mx,’ ‘ptr,’ ‘exists,’ and ‘include.’ Each mechanism can be prefixed with a qualifier: + (Pass), - (Fail), ~ (SoftFail) or ? (Neutral). In a typical SPF record, such as the example below, the ‘~all’ mechanism that appears at the end is the crucial part.
v=spf1 ip4:123.45.67.128 ip6:ab4d:2c4e:b35a:da21:5a3d:04ae:e13a:ca43 include:_spf.google.com ~all
The SPF record specifies which mail servers are authorized to deliver email on behalf of the domain. The ‘all’ mechanism is prefixed with the qualifier ‘~’ (tilde) or ‘-’ (hyphen), either of which declares that ‘emails from servers that are not listed aren’t authorized.’ However, there is a difference between the two qualifiers.
SPF ~All
Prefixing the ‘all’ tag using the ‘~’ (tilde) qualifier, in the form ‘~all,’ allows the incoming mail server to treat the email as suspicious, which results in a ‘SoftFail,’ indicating that the host server was not authorized to send the email. The email, in this instance, will be delivered but marked.
SPF -All
Using ‘-all’ means that any email originating from a server other than those listed in the SPF record should not be delivered to the recipient’s inbox. The action performed by the incoming server is to reject it; depending on its configuration, the mail server may either discard the email or send a bounce message to the sender.
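To make the evaluation concrete, here is an added example (not code from the original article) that checks a sender IP against the record above and against a ‘-all’ variant, so the SoftFail/Fail difference is visible. It assumes a constructed in-memory DNS table instead of live lookups; the ‘_spf.google.com’ entry is a fictitious stand-in, not Google’s real record.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The _spf.google.com entry is fictitious, not Google's actual record.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:123.45.67.128 "
                   "ip6:ab4d:2c4e:b35a:da21:5a3d:04ae:e13a:ca43 "
                   "include:_spf.google.com ~all",
    "strict.example.com": "v=spf1 ip4:123.45.67.128 -all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate ip4/ip6/include/all terms for sender_ip; return the SPF result."""
    if depth > 10:                     # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term    # no prefix means '+' (Pass)
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare address -> /32 or /128
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # 'include' matches only if the referenced record yields "pass"
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True             # 'all' always matches; its qualifier decides
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                   # nothing matched and no 'all' term present


if __name__ == "__main__":
    for dom in ("example.com", "strict.example.com"):
        print(dom, "203.0.113.5 ->", check_spf(dom, "203.0.113.5"))
```

The unlisted sender 203.0.113.5 yields "softfail" under ‘~all’ but "fail" under ‘-all’, which is exactly the delivered-but-marked versus rejected distinction described above.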
Should An SPF Record Incorporate ‘-All’ Or ‘~All’?
A user may need to consider various scenarios to decide which ‘all’ tag to use in their SPF record.
- While using DMARC, it is safer to use ‘~all’ as the user is protected against fraudsters that make unauthorized use of a domain using the “From” address.
- If in doubt, it is recommended to use ‘~all,’ ensuring all mail servers listed in the SPF record can send an email, and the ones not listed can still be delivered but will be marked.
- If the SPF record is set up correctly, the use of the ‘-all’ tag is acceptable. Any fraudulent email that does not pass SPF will be rejected.
Using the mechanism of SPF ~all will ensure the clients receive important business emails from an organization while also protecting them from email spoofing and spam. SPF ~all is the best option when combined with techniques like DMARC and DKIM to manage unauthorized emails.
Improperly configured SPF records also lead to emails being dropped. Therefore, it is advisable to use SPF validators to check for an ‘all’ tag, evaluate the whole SPF record, and highlight errors, if any. If there is no SPF record yet, one may consider using an SPF generator to create one for the domain.