SPF: -all or ~all Choose the Right Authentication


What is SPF?

Sender policy framework is an authentication process that ties the 5321.from (also known as the mail from, an envelope from or return path) to authorized sending IP addresses. This authorization is published in a TXT record in DNS. Receivers can check SPF at the beginning of an SMTP transaction, compare the 5321. from domain to the connecting IP address and determine if that IP is authorized to transmit mail.

What does an SPF record look like?

At its simplest, the SPF TXT record contains a version indicator, allowed IPs and an authorization type.

In the example “v=spf1 ip4: -all”:

  • v=spf1 is the version indicator
  • is the allowed sending IP
  • -all means only this IP is authorized to send mail for the domain.

Of course, there are other ways to define authorized IP addresses. Using “v=spf1 mx -all” authorizes any IP that is also an MX for the sending domain. Other SPF records can be included using the include: command; for instance, include:_spf.google.com includes Google’s SPF record. IPs can be in either IPv4 space or IPv6 space by using either the ip4 or ip6 qualifiers: “v=spf1 ip4: ip6:2001:db8:8:4::2 -all”. SPF records can also contain IP ranges in the form “v=spf1 ip4: -all”.

Domain owners are also allowed to publish different types of authorization.

Statement Result Meaning
+all pass Allow all mail
-all fail Only allow mail that matches one of the parameters (IPv4, MX, etc) in the record
~all softfail Allow mail whether or not it matches the parameters in the record
?all neutral No policy statement

What’s the difference between ~all and -all

Given many receivers are not actively bouncing mail based on SPF pass/fail, there isn’t a strong argument for either -all or ~all in SPF records. For a while, Hotmail was advising that senders who published a -all record would have better delivery. This led to -all became a de-facto standard for a lot of ESPs and bulk senders. More recently, there does not seem to be any benefit to publishing -all even at Hotmail (Outlook.com, live.com, etc).

What should I publish?

I generally recommend publishing ~all records for my clients. There’s not a huge benefit to publishing -all and sometimes mail gets forwarded around. The one time I recommend a -all record is when a domain is getting forged into spam. Domain forgery can cause a lot of bounces. The number of bounces can be bad enough to take down a mail server, particularly those with a small userbase. Many ISPs will check SPF before sending back a bounce and so a -all record can decrease the amount of blowback the domain owner has to deal with.

Do I have to publish SPF records?

No, there is no requirement for publishing SPF in order to send mail. You don’t even need to publish SPF’s to get inbox delivery. Gmail will even do a “best guess SPF” for domains not publishing SPF and authenticate off that. However, large volume senders should be publishing SPF records on principle.

Was this post helpful?


Leave A Comment?

This site uses Akismet to reduce spam. Learn how your comment data is processed.