
I have a ProtonMail premium plan with one custom domain and a single email address. My domain DNS is protected with DNSSEC.

What caught my eye were two things they recommended in the domain setup:


  1. Soft-fail SPF (Sender Policy Framework - wiki) (~all):

    • Recommendation:

      v=spf1 include:_spf.protonmail.ch mx ~all

    • My setting (Hard-fail):

      v=spf1 include:_spf.protonmail.ch mx -all

  2. Monitor DMARC (Domain-based Message Authentication, Reporting and Conformance - wiki) (p=none)

    • Recommendation:

      v=DMARC1; p=none; rua=mailto:address@yourdomain.com

    • My setting (Reject + Strict):

      v=DMARC1; p=reject; adkim=s; aspf=s


Is there even a point of setting a Soft-fail SPF instead of Hard-fail; why would anyone recommend this, and is there a situation where Hard-fail is counterproductive? The very same question I have for Monitor DMARC instead of Reject + Strict.


Note for completeness:

I have DKIM (DomainKeys Identified Mail - wiki) also.


[Image: result of https://www.mail-tester.com]

LinuxSecurityFreak

1 Answer


... is there a situation where Hard-fail is counterproductive

Some mail servers actually reject mails on SPF Fail. Given that SPF has known trouble with mail forwarding services and some mailing lists, this might lead to loss of mails.

For use with DMARC it actually does not matter if SPF is Fail or Soft-Fail. All that matters is whether SPF is Pass, and this result is the same for both kinds of policies.

The very same question I have for Monitor DMARC instead of Reject + Strict.

DMARC depends on SPF and/or DKIM, i.e. at least one of these must be fine and must have the domain aligned with the From field of the mail header. If you don't have a DKIM policy, it thus all hangs on SPF, which, as I said, has its inherent problems. While DKIM is more robust in this regard, it can fail too, for example if the mail gets transformed during transport from 8bit to some ASCII encoding (base64, quoted-printable) due to missing support for 8BITMIME in one of the MTAs on the way.

Therefore, the recommended setting is to actually start with none, monitor for a while whether problems occur, and if no problems occur, move to reject or quarantine.

Steffen Ullrich
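The following is an added example, not code from the question, the answer or ProtonMail: it parses the four records quoted in the question and evaluates the DMARC disposition for a few constructed message scenarios (the domains example.com / mail.example.com and the forwarding scenario are assumptions made for illustration). It shows the two points of the answer in running code: the SPF "all" qualifier only changes the SPF result label (softfail versus fail) while DMARC treats both the same, and the adkim/aspf strictness decides whether a signature or SPF pass from a subdomain still counts as aligned.

```python
"""Evaluate DMARC dispositions for the SPF/DMARC records from the question.

Added example; the organisational-domain logic is deliberately simplified
(last two labels) instead of consulting the public suffix list.
"""

# Records quoted in the question
SPF_SOFT = "v=spf1 include:_spf.protonmail.ch mx ~all"
SPF_HARD = "v=spf1 include:_spf.protonmail.ch mx -all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:address@yourdomain.com"
DMARC_REJECT_STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"

# Result an SPF check yields when no mechanism matched and "all" decides
SPF_ALL_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return (mechanisms, all_qualifier) for a v=spf1 record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_qualifier


def spf_result_when_unlisted(record):
    """SPF result for a sender (e.g. a forwarder) not covered by any mechanism."""
    _, all_qualifier = parse_spf(record)
    return SPF_ALL_RESULT.get(all_qualifier, "neutral")


def parse_dmarc(record):
    """Return the tag=value pairs of a v=DMARC1 record; adkim/aspf default to relaxed."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    # Simplified: last two labels. Real implementations use the public suffix list.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(dmarc_record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return 'pass' or the policy disposition ('none', 'quarantine', 'reject').

    Only an aligned SPF *pass* or an aligned DKIM *pass* satisfies DMARC;
    SPF fail and softfail are treated identically (both simply do not pass).
    """
    dmarc = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, dmarc["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, dmarc["adkim"]))
    return "pass" if (spf_ok or dkim_ok) else dmarc["p"]


def forwarded_mail_outcome(spf_record, dmarc_record):
    """Constructed scenario: mail forwarded by a host not in SPF, DKIM broken in transit."""
    spf_result = spf_result_when_unlisted(spf_record)
    return dmarc_disposition(dmarc_record, "example.com", spf_result,
                             "example.com", "fail", None)


if __name__ == "__main__":
    for spf in (SPF_SOFT, SPF_HARD):
        for dmarc in (DMARC_MONITOR, DMARC_REJECT_STRICT):
            print(f"SPF {spf_result_when_unlisted(spf):8s} + {dmarc!r:45s} "
                  f"-> {forwarded_mail_outcome(spf, dmarc)}")
```

Running it shows that a forwarded message ends with the same disposition under ~all and -all (the only thing that changes is the SPF label), and that under p=none it is merely reported while under p=reject it is rejected; a DKIM signature with d=mail.example.com on mail From example.com passes with the default relaxed alignment but not with adkim=s.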