I have a ProtonMail premium plan with one custom domain and a single email address. My domain DNS is protected with DNSSEC.
What caught my eye were two things they recommended in the domain setup:
Soft-fail SPF (Sender Policy Framework) (~all):
Recommendation:
v=spf1 include:_spf.protonmail.ch mx ~all
My setting (Hard-fail):
v=spf1 include:_spf.protonmail.ch mx -all
Monitor DMARC (Domain-based Message Authentication, Reporting and Conformance) (p=none):
Recommendation:
v=DMARC1; p=none; rua=mailto:address@yourdomain.com
My setting (Reject + Strict):
v=DMARC1; p=reject; adkim=s; aspf=s
Is there even a point in setting a Soft-fail SPF instead of Hard-fail? Why would anyone recommend this, and is there a situation where Hard-fail is counterproductive? I have the very same question for Monitor DMARC instead of Reject + Strict.
Note for completeness:
I have DKIM (DomainKeys Identified Mail) also.
Result of https://www.mail-tester.com