What is SPF Softfail?

Preface

SPF softfail is the result an email receives when its sender’s IP address is probably not on the list published in the domain’s DNS. It means the domain administrator has not published a clear and definitive restriction on who can send emails using the domain. DMARC can treat it as a pass or a fail, depending on the DMARC policy you set.

What is SPF and How Does it Work?

Before jumping onto learning what SPF softfail is, let’s quickly recall what SPF is.

SPF is short for Sender Policy Framework, an email authentication protocol that allows only explicitly mentioned IP addresses or servers to send emails using a specific domain. This exercise effectively prevents phishing and spoofing attacks attempted in your company’s name. 

SPF works using an SPF TXT record that lists all the IP addresses and servers you identify as legitimate senders for your domain name. The recipient’s mail server then performs a DNS lookup to determine whether the sender’s IP address is on that list. If it is, the authentication check passes; if not, it fails, and the email either doesn’t reach the inbox or is marked as spam.

What Does SPF Failure Mean?

As defined above, an email fails SPF when its sender’s IP address isn’t on the list published in DNS. Such senders are treated as potential spammers or phishers. An SPF failure is either a softfail or a hardfail.

What is SPF Softfail?

An SPF softfail means the sender’s IP address is probably not authorized. If your SPF record ends with the ~all mechanism, every email that fails the verification check receives a softfail status.

SPF Soft Fail Example

v=spf1 include:spf.example.outlook.com ~all

In this example, the tilde (~) before ‘all’ marks a softfail for IP addresses not listed in the TXT record. It instructs receiving mail servers to accept such emails but tag them as spam or suspicious.

What is SPF Hardfail?

SPF hardfail is formally termed fail in RFC 7208. If an email receives a hardfail, its sending IP address is explicitly not permitted to send emails using the domain, and recipients’ servers are instructed to reject such emails outright.

Add the -all mechanism to your SPF record to ensure only emails sent by authorized entities land in recipients’ inboxes. Any fraudulent server then triggers an SPF fail, and its messages can be discarded altogether.

SPF Hardfail Example

v=spf1 ip4:196.178.0.2 -all

In this example, the minus sign (-) before ‘all’ represents a hardfail, meaning emails from senders outside the list should be rejected. Here, only the IP address 196.178.0.2 is authorized to send emails.
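To make the difference between ~all and -all concrete, here is an added example (not code from the original article or from any SPF library) of a minimal SPF evaluator. It supports only the mechanisms used on this page (ip4, ip6, include and all) and replaces real DNS with a constructed in-memory table, so the domains and records in FAKE_DNS_TXT are assumptions for illustration. Running the same unlisted IP against a ~all record and a -all record yields "softfail" and "fail" respectively.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (example records, not real domains).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:196.178.0.2 include:spf.example.outlook.com ~all",
    "spf.example.outlook.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "strict.example": "v=spf1 ip4:196.178.0.2 -all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIER_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's SPF record, or None if it has no v=spf1 TXT record."""
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_host(client_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate a connecting IP against a domain's SPF record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Mechanisms are tried left to right; the first match decides the result.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms to 10 per check
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # an unqualified mechanism means "+" (pass)
        if term[0] in QUALIFIER_RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # Mismatched address families never match; bad CIDR is a permerror.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include: recurse into the other domain; only its "pass" counts as a match.
            inner = check_host(client_ip, arg, dns, depth + 1)
            if inner in ("permerror", "none"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism outside this simplified evaluator
        if matched:
            return QUALIFIER_RESULTS[qualifier]
    return "neutral"  # nothing matched and no "all" mechanism was present


if __name__ == "__main__":
    for ip, domain in [("196.178.0.2", "example.com"),
                       ("203.0.113.7", "example.com"),
                       ("198.51.100.9", "example.com"),
                       ("198.51.100.9", "strict.example")]:
        print(f"{ip:>14} vs {domain:<25} -> {check_host(ip, domain)}")
```

The third and fourth calls use the same unlisted IP: example.com ends in ~all and returns softfail, whereas strict.example ends in -all and returns fail, which is exactly the distinction the two records above encode.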

SPF Softfail Or Hardfail?

To decide which one is better, you need to understand a few concepts first.

What is SPF Relaying?

Relaying is an SMTP service that forwards all incoming emails to a different domain belonging to the same company. For example, emails from company-2022.com may automatically be relayed to company-2023.com.

This may seem harmless at first, but it creates a problem for SPF deployment: once an email is relayed, it arrives from the relay’s IP address, which will likely not match the SPF policy. If you have set your SPF to hardfail, genuine emails therefore fail SPF as well.

Moreover, relaying happens at the receiver’s end, so there is no way for you to handle it.

Why is SPF Hardfail an Issue?

SPF hardfail occurs at the SMTP level; if an email bounces there because of a hardfail, the receiver’s server performs no further checks, so DKIM and DMARC verification never run.

So, with SPF hardfail, a genuine, DKIM-signed email can get rejected if it was relayed. That’s why SPF hardfail should be used cautiously.

Does Softfail Keep Your Domain Less Protected?

Whether you choose SPF softfail or hardfail, SPF alone cannot fully protect you against phishing, spamming, and other email-based attacks. You must combine it with DKIM and DMARC for enhanced cybersecurity.

But this does not mean you should overlook SPF; it’s flawed but not deprecated. Your domain also requires it for legacy or otherwise poorly configured email systems that do not support DKIM and/or DMARC.

How to Switch From Softfail to Hardfail?

Now that you know what SPF softfail is, let’s see how you can switch to its harder version.

Start by collating a complete list of the IP addresses authorized to send emails using your domain. Then add the updated list to your DNS record and append the hardfail mechanism, -all, after them.

It’s also recommended to publish a defensive SPF record for parked domains, to prevent SPF failure for genuine emails and to block phishing attacks. Follow this by setting a DMARC policy that best meets your email authentication expectations.
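The switch described above (collect the authorized senders, publish them with -all, and give parked domains a record of their own) can be scripted so the resulting record is checked before it is pasted into DNS. The following is an added example, not code from the original article: build_spf_record and lint_spf_record are hypothetical helpers, and the IP addresses and include domain passed to them are constructed sample values. The lint checks encode two RFC 7208 constraints beyond what the article states: a record may trigger at most 10 DNS-querying mechanisms, and a single TXT string is limited to 255 characters.

```python
import ipaddress

# Mechanisms/modifiers that cost a DNS lookup under RFC 7208's limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def build_spf_record(ip_list, includes=(), parked=False):
    """Build a hardfail SPF record from the collated list of authorized senders.

    ip_list  : IPv4/IPv6 addresses or CIDR ranges (duplicates are dropped)
    includes : third-party sender domains to reference via include:
    parked   : True emits "v=spf1 -all", the defensive record for a domain
               that should never send mail
    """
    if parked:
        return "v=spf1 -all"
    terms, seen = [], set()
    for entry in ip_list:
        net = ipaddress.ip_network(entry, strict=False)  # raises ValueError on junk
        if net in seen:
            continue
        seen.add(net)
        prefix = "ip4" if net.version == 4 else "ip6"
        if net.prefixlen == net.max_prefixlen:
            terms.append(f"{prefix}:{net.network_address}")  # single host
        else:
            terms.append(f"{prefix}:{net.with_prefixlen}")   # CIDR range
    terms.extend(f"include:{domain}" for domain in includes)
    return " ".join(["v=spf1", *terms, "-all"])


def lint_spf_record(record):
    """Return a list of problems with a candidate record (empty list = looks good)."""
    problems = []
    if not record.startswith("v=spf1 "):
        problems.append("record must start with the v=spf1 version tag")
    terms = record.split()
    # Strip the qualifier and any argument to get the bare mechanism name.
    names = [t.lstrip("+-~?").partition(":")[0].partition("=")[0].lower() for t in terms[1:]]
    if terms[-1] != "-all":
        problems.append("record does not end with -all (hardfail)")
    if names.count("all") > 1:
        problems.append("more than one 'all' mechanism")
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        problems.append(f"{lookups} DNS-querying mechanisms; RFC 7208 allows at most 10")
    if len(record) > 255:
        problems.append("longer than 255 characters; must be split into multiple TXT strings")
    return problems


if __name__ == "__main__":
    # Constructed sample inventory: one host, one range, one third-party sender.
    record = build_spf_record(["196.178.0.2", "196.178.0.2", "203.0.113.0/24"],
                              includes=["spf.example.outlook.com"])
    print(record, lint_spf_record(record) or "OK")
    print(build_spf_record([], parked=True))
    print(lint_spf_record("v=spf1 ip4:196.178.0.2 ~all"))
```

Running the linter on the old ~all record reports that it does not end with -all, which is the one thing this migration is meant to change; running it on the generated record returns an empty list.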

It’s a Wrap

An SPF failure occurs when the sender’s IP address is not in the TXT record published in DNS. SPF failure is of two types: SPF softfail (~all) and SPF hardfail (-all).

SPF softfail instructs receiving mail servers to accept unauthorized emails but tag them as spam or suspicious. SPF hardfail, on the other hand, tells them to reject such emails outright. However, with the TXT record set to hardfail, genuine emails can sometimes be rejected too because of SMTP relaying, which can be problematic.

Therefore, you must weigh both mechanisms’ pros and cons before deciding which one to go for.
