Sender Policy Framework, or SPF, is the oldest of the common email authentication protocols, a group that also includes DKIM and DMARC. A domain’s SPF record as published in the DNS lists the servers and networks authorized to send mail messages using that domain as the Return-Path, or “bounce” domain. However, SPF is not a binary decision where every message generates either a pass or fail verdict; there are nuances to the failure mode in SPF, and how a domain constructs its SPF record can have quite an impact on how failures are handled.
The “all” Mechanism
Every SPF record includes the “all” mechanism, which serves as a default match for anything not listed in the SPF record. The “all” mechanism is expressed with one of the following qualifiers, each of which causes the evaluation result shown:
"+" pass
"-" fail
"~" softfail
"?" neutral
For example, a domain that includes “+all” in its SPF record will always receive an SPF result of pass for every message, regardless of whether or not it was actually sent by or on behalf of the domain.
The Difference Between “fail” and “softfail”
According to RFC 7208, the SPF specification, a “fail” result (often called a “hard fail”) means that the domain is explicitly saying that the host is not authorized to send mail using this domain, while a “softfail” is a weaker statement saying only that the host is probably not authorized. The two can be treated differently by receiving domains, especially older mail systems; a “hardfail” result sometimes means immediate rejection of the message, while a “softfail” rarely causes a bounce by itself (although it can contribute to a decision to deliver the message to a spam folder or reject it outright).
SPF and DMARC
DMARC is an authentication technology that relies on both SPF and DKIM, requiring only that one of the two evaluations generate a passing result (along with domain alignment) in order for the DMARC validation check to pass. DMARC makes no distinction between an SPF softfail and an SPF hardfail; both are SPF failures when used in a DMARC evaluation. However, in order for DMARC to be properly evaluated, both SPF and DKIM must be checked for the message at hand, something that is impossible to do if the message is rejected by the receiver due to an SPF hardfail.
M3AAWG, an email anti-abuse organization of which Valimail is a proud member, recommends in its Email Authentication Best Practices document that when a receiving domain is doing DMARC validation, a DMARC pass should override any SPF “fail” except in the specific case where a domain’s SPF record indicates that it sends no mail (“v=spf1 -all”). The recommendation means that no message should be rejected due solely to SPF hardfail, but unfortunately, not all domains follow this best practice. This means that use of the “-all” mechanism puts a domain’s legitimate mail at higher risk of rejection than does “~all”, and so Valimail recommends that all of its customers use “~all” in their SPF records in order to ensure that each valid message is given the full opportunity to receive a DMARC pass verdict.