So I've already disabled error checking for SPF records after my initial question here: Does error checking for SPF Records make sense?

Unfortunately I still have about 2-10 companies daily who can't send us emails because their SPF record has missing IP addresses, missing includes, etc.

I'm really getting fed up with looking through our logs, searching for all the addresses we're receiving mail from so I can tell those companies what a proper SPF record would look like for them. I mean, they mostly don't even freakin know where their mail comes from...

So all in all, does it even make sense to check for SPF records if most of your customers have SPF records but they don't abide by them?

architekt

1 Answer

> So all in all, does it even make sense to check for SPF records if most of your customers have SPF records but they don't abide by them?

If you work in an environment where most SPF records are broken, then of course it makes no sense to care about SPF. This is not specific to SPF: if you know that most of the information you get is wrong, you cannot rely on this information in the first place.

But this kind of broken setup seems to be specific to your environment. At least in the environments I've encountered, SPF works mostly fine. It might break, though, if mail gets redistributed, for example by mailing lists. It might thus be better to rely not only on SPF but additionally on DKIM, which is not affected by the redistribution problem (but by others). This is also what DMARC does, i.e. it needs only either SPF or DKIM to succeed.

> ... who can't send us emails because their SPF record has missing IP addresses, missing includes, etc.

SPF is usually not used to deny all mail with an SPF Fail. Instead, SPF information is commonly used as one of several parts in spam detection. And the mail will usually not be rejected but at most marked as potential spam. Explicit rejection is usually only done when there is a DMARC record on the sender's domain with an explicit reject policy.

Steffen Ullrich
  • I'm quite "shocked", to say the least, that there are so many problems with this. For example, I had 4 (!) companies yesterday that outsourced their mail to Google and simply did not change their SPF record. I'm getting massive heat from management because customers can't send us emails, and I can't get through to them that this is not my fault but rather the total incompetence of others... I highly doubt that those people made correct DMARC/DKIM settings if they can't even do basic stuff like knowing where their mail gets routed – architekt Aug 22 '18 at 07:09
  • So in short, the solution is just to flag it as SPAM but not reject it? – architekt Aug 22 '18 at 07:26
  • @MartinFischer: yes, this is what most do. – Steffen Ullrich Aug 22 '18 at 08:14
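
The failure described in the question (a domain that moved its mail to a hosted provider without adding the provider's include) and the receiver-side handling recommended in the answer, as an added example that is not part of the original question, answer or comments. The domains, addresses, TXT records and the `disposition` policy are constructed for illustration, only the ip4/ip6/include/all subset of SPF is evaluated, and DMARC identifier alignment is assumed to hold.

```python
import ipaddress

# Constructed TXT data using documentation ranges; stands in for DNS lookups.
TXT = {
    "customer.example": "v=spf1 ip4:192.0.2.0/24 -all",  # old on-prem range only
    "fixed.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.provider.example -all",
    "_spf.provider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Evaluate the ip4/ip6/include/all subset of SPF (RFC 7208) against TXT."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # Simplified: only a "pass" from the included record is a match.
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def disposition(spf, dkim_pass, dmarc_policy=None):
    """Hypothetical receiver policy: reject only on DMARC p=reject, else flag."""
    if spf == "pass" or dkim_pass:  # assumes identifier alignment holds
        return "accept"
    if dmarc_policy == "reject":
        return "reject"
    return "mark-as-spam" if spf in ("fail", "softfail") else "accept"


if __name__ == "__main__":
    sender_ip = "198.51.100.25"  # constructed: the provider's outbound host
    for domain in ("customer.example", "fixed.example"):
        result = check_spf(sender_ip, domain)
        print(domain, result, disposition(result, dkim_pass=False))
```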