
I thought that ?all in SPF should not be used.

Then I examined SPF records of some local email provider companies and I found this:

v=spf1 mx ip4:77.75.78.0/23 ip4:77.75.76.0/23 ip6:2a02:598::/32 ?all

Isn't this basically saying to mark failed SPF as Neutral, therefore letting basically everyone send emails on behalf of that domain?

Their DMARC is set like this:

v=DMARC1; p=none; rua=mailto:abuse@seznam.cz

Again, isn't this saying to do nothing when DMARC fails?

Then there is the company I'm working in. Their SPF record is like this:

v=spf1 mx a:xxx.xxx.xxx a:xxx2.xxx.xxx include:protection.outlook.com include:spf.xxx.xxx ?all

Do the includes overwrite the final ?all? Again, doesn't this say to mark everything as Neutral?

What's the actual use case of ?all in SPF records?

  • Does this answer your question? [SPF fail vs. soft-fail pros and cons](https://serverfault.com/questions/933705/spf-fail-vs-soft-fail-pros-and-cons) – sebix Oct 29 '21 at 17:39

1 Answer

In principle you are right, an SPF softfail was intended to be a temporary setting just for testing the setup. After testing it was recommended to be changed into the hard fail mode, where the record is set to end with -all.

But it seems everybody is frightened to lose some spam or simply is not self-confident. Many people chose to leave it in the softfail setting.

The same seems to be with DMARC. The policy none does nothing. If you want your DMARC to be really effective, use reject or quarantine policy. Then compliant servers will refuse to accept and deliver a mail which claims to be from your domain but in reality it is not yours.

To some extent this is alleviated by the fact that there are sophisticated spam filters, which still consider SPF and DMARC results and pessimize the score of mail which failed the tests. SPF softfail and others are considered together with body statistical analysis, blacklist queries and so on, and together they tend to lower the score of spam so severely that it nevertheless gets into spam, or, conversely, correct SPF and/or DKIM depessimizes innocent mails, making them look less spammy. So even DMARC p=none and SPF ~all or ?all still are doing some good, by increasing the "innocence" of good mail instead of pessimizing "bad" ones.

Nikita Kipriyanov
  • And what about ?all instead of ~all? The settings in the mail provider and my company contain ?all, not ~all – Bear Black Oct 29 '21 at 14:35
  • The exact receiving system behaviour depends on its setting. I know my systems add zero score in this case, i.e. they register it as "we checked". Others may configure theirs another way. Read my last paragraph, it explains how it could help innocent mail even with this setting. – Nikita Kipriyanov Oct 29 '21 at 14:38
  • Yes, I understand. In my company, I can spoof an email of every employee without getting flagged as spam. So that is bad behaviour of the spam filter system? – Bear Black Oct 29 '21 at 14:49
  • In general, I'd consider this as a mail system deficiency. But which component to blame is not very clear. Maybe not a spam filter, but rather a submission service (the one which receives mail from mail clients, checks usernames and passwords). – Nikita Kipriyanov Oct 29 '21 at 18:47