?all, -all and ~all in DNS (SPF) configuration


I tried to configure/authenticate my domain DNS with email marketing services. To authenticate SPF I need to add some code.

I want to use various services, and in the TXT record instructions they provide, some end with -all, others with ~all, and some with ?all.

For example:

v=spf1 include:spf.mailjet.com include:spf.sendinblue.com mx ~all

I wonder whether two such records are mutually exclusive, and what the differences between ?all, -all and ~all are.


Best answer (score 2):

The all mechanism is the last one listed in an SPF record and tells a checker what to do if no other mechanism has matched the incoming IP. -all means the default result is a hard fail; ~all means "softfail", which conveys that it's not a pass, but not a hard rejection either (perhaps an indication that you should put it in a spam folder, though that should be DMARC's decision). ?all means "neutral", which is the same as not having anything at all.

When a service like that recommends ?all, they are being super-conservative and don't want to add any kind of risk: it's a "fail safe" option, providing minimum disruption but also no protection. I'd say this is counterproductive and simply ends up letting forgeries happen, defeating the whole point of using SPF at all. See my own service's recommendations.

"The right way" is to use a ~all default and to configure your DMARC record to require both DKIM and SPF "pass" results. There is a historical reason for this: early SPF filter implementations would stop email processing altogether if they encountered a -all, and DMARC processing would not get a chance to do its thing, so it is safer to give a softfail and then have DMARC consider that a failure.

In short: if you're not using DMARC, aim for -all; if you are, use ~all.
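To make the two points above concrete (how the final `all` qualifier decides the result when nothing else matched, and why two provider snippets cannot simply be published side by side), here is a small SPF evaluator. It is an added example, not code from the original question or answer and not any provider's tooling. It is a deliberately reduced RFC 7208 checker (no macros, no ptr/exists, no DNS lookup limit) that resolves names against a constructed in-memory zone so it runs offline; the TXT/MX/A data below, including what is attributed to the spf.mailjet.com and spf.sendinblue.com names taken from the question, is made up for illustration. The `merge_spf` helper shows how several providers' snippets, each ending in a different `all`, are folded into the single record a domain is allowed to publish.

```python
"""Toy SPF evaluator: illustrates -all / ~all / ?all and the one-record rule.
Constructed zone data; not a complete RFC 7208 implementation."""
import ipaddress

# Constructed DNS zone (hypothetical records, not real lookups).
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 include:spf.mailjet.com include:spf.sendinblue.com mx ~all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["203.0.113.25"]},
    # The included records' own 'all' terms never decide the outer result:
    # an include only "matches" when the included check returns pass.
    "spf.mailjet.com": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "spf.sendinblue.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ?all"]},
    "hardfail.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},
    "neutral.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ?all"]},
    # Two SPF records on one name: RFC 7208 section 4.5 says this is a permerror.
    "two-records.example": {"TXT": ["v=spf1 ip4:198.51.100.1 -all", "v=spf1 mx ~all"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dns(name, rtype):
    return ZONE.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Return the single SPF record for a domain, None if absent, or raise on duplicates."""
    recs = [r for r in dns(domain, "TXT") if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not recs:
        return None
    if len(recs) > 1:
        raise ValueError("permerror: multiple SPF records")
    return recs[0]


def ip_in(ip, cidr):
    # A bare address ("ip4:198.51.100.1") is a /32 (or /128) network.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_host(ip, domain):
    """Evaluate mechanisms left to right; the first match's qualifier is the result."""
    try:
        record = spf_record(domain)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"
    for term in record.split()[1:]:
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are ignored in this toy
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True  # the catch-all: its qualifier is the default result
        elif name in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif name == "a":
            matched = any(ip_in(ip, a) for a in dns(arg or domain, "A"))
        elif name == "mx":
            matched = any(ip_in(ip, a) for mx in dns(arg or domain, "MX") for a in dns(mx, "A"))
        elif name == "include":
            sub = check_host(ip, arg)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"  # fail/softfail/neutral inside the include: keep going
        else:
            return "permerror"  # mechanism not supported by this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ran out without an 'all' term: default is neutral


def merge_spf(snippets, default="~all"):
    """Fold several providers' 'v=spf1 ... all' snippets into ONE record.
    Each snippet's own all-term is dropped and replaced by the chosen default."""
    terms = []
    for snippet in snippets:
        for term in snippet.split()[1:]:
            if term.lstrip("+-~?").lower() == "all" or term in terms:
                continue
            terms.append(term)
    return "v=spf1 " + " ".join(terms + [default])


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.9", "203.0.113.25", "203.0.113.99"):
        print(ip, "->", check_host(ip, "example.com"))
    print(merge_spf(["v=spf1 include:spf.mailjet.com ?all",
                     "v=spf1 include:spf.sendinblue.com mx -all"]))
```

Running it shows the three qualifiers side by side: an IP covered by one of the includes or the MX host passes, anything else lands on the trailing `~all` and gets softfail, while the same IP against `hardfail.example` and `neutral.example` returns fail and neutral. The `two-records.example` name returns permerror, which is why the question's two provider snippets have to be merged into one record rather than added as separate TXT entries.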