?all -all and ~all in DNS (spf) configuration - dns

I'm trying to configure/authenticate my domain's DNS with email marketing services. To authenticate SPF I should add some code.
I want to use various services, and in the TXT records they provide, at the end, some use "-all", others "~all" and some "?all",
like: v=spf1 include:spf.mailjet.com include:spf.sendinblue.com mx ~all
I wonder if two such records are mutually exclusive and what the differences are between ?all, -all and ~all.

The all mechanism is the last one listed in an SPF record, and tells a checker what to do if no other mechanisms have matched the incoming IP. -all means the default result is a hard failure, ~all means "softfail", means to convey that it's not a pass, but not a hard rejection either (perhaps an indication you should put it in a spam folder - though that should be DMARC's decision). ?all means it's "neutral", which is the same as not having anything at all.
When a service like that recommends ?all, they are being super-conservative and don't want to add any kind of risk - it's a "fail safe" option, providing minimum disruption, but also no protection. I'd say this is counterproductive and simply ends up letting forgeries happen, defeating the whole point of using SPF at all. See my own service's recommendations.
"The right way" is to use a ~all default, and to configure your DMARC record to require both DKIM and SPF "pass" results. There is a historical reason for this: early SPF filter implementations would stop email processing altogether if they encountered a -all, and DMARC processing would not get a chance to do its thing, so it is safer to give a softfail, and then have DMARC consider that a failure.
In short, if you're not using DMARC, aim for -all, if you are, use ~all.

Related

Combining multiple SPF records that have different "all" modifiers

I'm inheriting a site that came with multiple SPF records in multiple TXT records (which all of my searching up until this point has informed me is about as invalid as you can get).
Here are the records I'm working with:
Record 1: v=spf1 include:servers.mcsv.net ?all
Record 2: v=spf1 include:zoho.com ~all
Record 1 appears to be a Mailchimp record. I'm not sure if the client is using Mailchimp or not. Record 2 is obviously from Zoho, but I know for sure the client is using Zoho. Ideally, I'd like to combine these two records into one.
Both records provide a slightly different all value. Record 1 gives me ?all, and Record 2 gives me ~all. If I understand the syntax correctly, ~all should be slightly more restrictive than ?all, and I can have only one all value, which must come last in the record.
If they had the exact same all value, I could just do something like this:
v=spf1 include:servers.mcsv.net include:zoho.com ?all
If I combine the records, I'm not sure which all value I should use or why. If I set one record to start with v=spf2, I'm not sure the service will verify the record. I've been searching and haven't found any resources that touch on combining multiple SPF records that have different all values. What should I do here?
Thanks
An appropriate combination of these two would be:
v=spf1 include:servers.mcsv.net include:zoho.com ~all
?all is essentially useless - it's pretty much equivalent to not having an SPF record at all.
That's not all though - this record looks incomplete. Unless your domain only sends from Mailchimp and Zoho, all other mail will get a softfail response, so if you send "normal" mail from this domain using its own mail server, you probably want to add at least mx, and if you send any mail directly from the domain's web site, you would want an a mechanism too, giving:
v=spf1 mx a include:servers.mcsv.net include:zoho.com ~all
DMARC is an important factor, as @lgc_ustc said. If you're not using DMARC, I would recommend setting -all as your default mechanism to get maximum benefit from SPF, but if you are using DMARC, leave it as ~all. This is because some SPF checkers encountering a -all will reject messages immediately, rather than letting them be passed on to the DMARC layer, where a sender can be told what to do with a rejected message.
If I set one record to start with v=spf2, I'm not sure the service will verify the record.
There can be only one SPF record on any domain. If more than one SPF record is set, SPF will return PermError. See: RFC 7208
Also, all SPF records must start with "v=spf1", everything else is invalid.
?all means neutral in SPF. SPF neutral can be interpreted in DMARC as either pass or fail, depending on how you set up DMARC on your email server. This is normally controlled by a flag in your DMARC setup, and it varies across DMARC packages. If you use OpenDMARC by Trusted Domain, SPF neutral is interpreted in DMARC as fail by default.
~all means softfail in SPF. SPF softfail is a weak statement that the host is probably not authorized. The domain has not published a stronger, more definitive policy that results in a "fail". This is typically implemented by appending a ~all mechanism to an SPF record. When this mechanism is evaluated, any IP address will cause SPF to return a softfail result.
Like neutral, SPF softfail can be interpreted in DMARC as either pass or fail, depending on how you set up DMARC on your email server. In OpenDMARC, SPF softfail is interpreted in DMARC as fail by default.
Learn more in this post: Why SPF Authentication Fails: none, neutral, fail(hard fail), soft fail, temperror, and permerror Explained

How to write the correct SPF TXT record for a forwarding domain

I have a forwarding domain (forwardingdomain.org > actual-website.org) for which I have email forwarders set up. To reduce spamming/spoofing of my email forwarders, I would like to set up a correct SPF TXT record in the domain’s DNS.
I have an SPF TXT record set up in the DNS, however, recently I’ve received scam/ransomware/spam emails that appear to be coming from email forwarders of the forwarding domain. So, that SPF record may not be working. I’ve successfully set up SPF TXT record for domains that have a website associated with them (i.e., I can use a server IP in the SPF record). For this domain, however, since it’s forwarding, it’s not clear what IP I should use.
Here’s the current SPF record (I don’t remember adding this myself; it may have gotten generated by itself):
Type: TXT
Host: @
Value: v=spf1 a mx include:sendgrid.net ~all
Expected result: No more scam/spam/ransomware emails should be coming in that appear as if they were sent from my email forwarders.
Actual result: Scam/spam/ransomware emails are coming in, appearing to be sent from my email forwarders.
Firstly I would recommend adding an include mechanism to pull in IPs from your forwarding domain.
Next, you have a ~all default mechanism, which means that forged messages will not be rejected, just marked as non-compliant (softfail). This is the correct setting if you are still testing your configuration or you are using DMARC.
With DMARC, the softfail can be turned into a full rejection, and this is generally considered better than using -all because it retains DMARC’s other semantics.

Gmail Email Client and SPF Records

I am in the process of migrating our staff's email client from Windows Live Mail to Gmail. I have gone through the process of connecting each staff member's email from our domain to their respective Gmail accounts (so each staff member has two valid email addresses, e.g. bob.our_domain@gmail.com and bob@our_domain.com). I am able to receive and send mail from the linked account, but emails sent from bob@our_domain.com are tagged with an alarming red question mark and read "Gmail could not verify that our_domain.com actually sent this message (and not a spammer)". I understand that this is an error with SPF configuration but for the life of me cannot figure out what the correct configuration looks like.
The domain in question is evergreensupplyonline.com.
Step 1 - Ensure SPF is enabled.
Our server is managed through cPanel, so I navigate to the authentication tab and enable both DKIM and SPF. The default SPF record is
v=spf1 +a +mx +ip4:166.62.38.87 ~all
Sending email with this configuration generates the error: SOFTFAIL with IP 208.109.80.60. Seems reasonable enough, the IP isn't listed and the ~all specifies a soft fail for unknown IPs (as far as I am aware)
Step 2 - Add the sender's IP to the SPF record
I add 208.109.80.60 to the record and my SPF record becomes
v=spf1 +a +mx +ip4:166.62.38.87 +ip4:208.109.80.60 ~all
Sending email with this configuration still generates a SOFTFAIL error but with a different IP (208.109.80.60). Based on this change I assume I won't be able to add a static IP for all of google's mail servers - not too much of a surprise.
Step 3 - Add Google's _spf domain
Following the instructions from https://support.google.com/a/answer/33786?hl=en
I removed 208.109.80.60 and instead include _spf.google.com domain. My SPF record now looks like
v=spf1 +a +mx +ip4:166.62.38.87 +include:_spf.google.com ~all
If I run my domain through https://toolbox.googleapps.com/apps/checkmx/ I get some non-critical errors, but everything relating to the _spf.google.com domain seems to check out. If I send an email with this configuration I still get a SOFTFAIL error.
I'm not sure where to go from here - I've tried all that my preliminary understanding of SPF will permit. Any suggestions, observations, or tricks are greatly welcomed. Cheers,
This does all look correct, apart from one thing. I looked up both the IPs you mentioned (using whois) and they belong to... GoDaddy, not Google, which entirely explains your problem. It's quite likely that GoDaddy is redirecting your outbound email traffic since they don't allow direct SMTP sending, so you may need to add GoDaddy's SPF as well, or move to a more enlightened hosting provider.
A minor thing: put the ip4 mechanism first as it's fastest to match for receivers (it requires no extra lookups), and you don't need the + qualifiers because that's the default action.

*domain* does not designate permitted sender hosts

Right now, I'd like to use zoho mail for manual mailing from my domain and PHPMail from my server to handle automated messages.
Problem is, when my server sends out an email it hits spam filter. I get the following error:
deemstars@server.deemstars.com does not designate permitted sender hosts) smtp.mail=deemstars@server.deemstars.com
My txt record is the following (I Use Cloudflare):
v=spf1 mx ptr ip4:207.244.68.190 a:server.deemstars.com include:zoho.com ?all
207.244.68.190 being my server IP. I also added multiple domains to the txt record to make sure it gets whitelisted. I also included zoho.com, which zohomail sends an email out just fine with no spam filter, and it doesn't get the "not permitted sender" error.
So I think the problem is that your return path address has a domain of server.deemstars.com and your SPF record is defined only on the apex domain. SPF does not check parent domains.
So add the following record to server.deemstars.com
v=spf1 ip4:207.244.68.190 a:server.deemstars.com include:zoho.com mx ptr ?all
and see if that addresses the issue. I've also rearranged the SPF directives to move the cheaper to evaluate, more likely to match ones to the front.
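As an added example (not code from any of the posts above), here is a miniature SPF evaluator over a constructed in-memory DNS table. It shows how the four qualifiers on all turn into pass/fail/softfail/neutral, why two v=spf1 records yield permerror, and why a subdomain with no record of its own gets "none" instead of inheriting the apex policy. All domain names and addresses are constructed.

```python
# Added example, not from any post above: a miniature SPF evaluator over a
# constructed in-memory DNS table, covering only what the threads discuss.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

DNS = {  # constructed zone data: TXT, A and MX answers keyed by name
    "example.org": {"TXT": ["v=spf1 mx a include:_spf.partner.test ~all"],
                    "A": ["198.51.100.10"], "MX": ["mx.example.org"]},
    "mx.example.org": {"A": ["198.51.100.20"]},
    "_spf.partner.test": {"TXT": ["v=spf1 ip4:203.0.113.5 -all"]},
    # two v=spf1 records published by mistake (the "multiple records" case)
    "broken.test": {"TXT": ["v=spf1 mx ?all", "v=spf1 a ~all"]},
    # subdomain with no record of its own: SPF never consults the parent zone
    "server.example.org": {"A": ["198.51.100.30"]},
}

def spf_record(domain):
    """Return (record, None), (None, 'none') if absent, (None, 'permerror') if several."""
    txts = [t for t in DNS.get(domain, {}).get("TXT", [])
            if t.lower().startswith("v=spf1 ")]
    if not txts:
        return None, "none"
    if len(txts) > 1:
        return None, "permerror"
    return txts[0], None

def check(ip, domain, depth=0):
    """Evaluate SPF for a sending IP; the first matching mechanism decides."""
    if depth > 10:          # RFC 7208 limits DNS-querying terms to 10
        return "permerror"
    record, err = spf_record(domain)
    if err:
        return err
    for term in record.split()[1:]:
        q = term[0] if term[0] in QUALIFIERS else "+"   # no qualifier means +
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip == arg
        elif mech == "a":
            matched = ip in DNS.get(arg or domain, {}).get("A", [])
        elif mech == "mx":
            hosts = DNS.get(arg or domain, {}).get("MX", [])
            matched = any(ip in DNS.get(h, {}).get("A", []) for h in hosts)
        elif mech == "include":
            matched = check(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[q]
    return "neutral"            # record ended without 'all': RFC default
```

Note that an include only matches when the included domain returns pass; its own -all does not propagate as a fail, which is why the outer record's ~all still decides for unknown senders.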

What is right way to set spf in dns records?

I'm setting it as: v=spf1 a mx ip4:xx.xxx.xx.xxx a -mx -all
it's right?
Thanks.
How you should configure your SPF record depends on what servers you want to allow to send emails on your behalf. However, your example SPF record contains a contradiction. You are specifying both mx and -mx, meaning you want to both pass and fail if the IP matches an IP address found in the domain's MX records. You should remove whichever mechanism does not apply.
Without knowing your exact needs it's hard to say exactly what SPF configuration you should use but if I had to take a shot in the dark I would say this is probably a safe bet:
v=spf1 mx a ip4:xx.xxx.xx.xxx ?all
This will pass an email originating from any IP that your domain has an a or mx record for, as well as IP address xx.xxx.xx.xxx. It will apply a status of neutral to all others using the ?all mechanism. This allows spam filters more latitude to determine the validity of the email as opposed to a hard fail (-all).
Here are a couple of resources that I think will help you.
SPF Mechanisms Explained
SPF Wizard