Is using SOFTFAIL over FAIL in the SPF record considered best practice

email spf

Or put another way, is using v=spf1 a mx ~all recommended over using v=spf1 a mx -all? The RFC does not appear to make any recommendations. My preference has always been to use FAIL, which causes problems to become apparent immediately. I find that with SOFTFAIL, incorrectly configured SPF records are allowed to persist indefinitely, since no one notices.

All of the examples I have seen online, however, seem to use SOFTFAIL. What made me question my choice was when I saw the Google Apps instructions for configuring SPF:

Create a TXT record containing this text: v=spf1 include:_spf.google.com ~all

Publishing an SPF record that uses -all instead of ~all may result in
delivery problems. See Google IP address ranges for details about the
addresses for the Google Apps mail servers.

Are the examples being overly cautious by pushing the use of SOFTFAIL? Are there good reasons that make the use of SOFTFAIL a best practice?

Best Answer

Well, it was certainly not the intent of the specification for it to be used instead - softfail is intended as a transition mechanism, where you can have the messages marked without rejecting them outright.

As you've found, failing messages outright tends to cause problems; some legitimate services, for example, will spoof your domain's addresses in order to send mail on behalf of your users.

Because of this, the less draconian softfail is recommended in a lot of cases as a less-painful way to still get a lot of the help that SPF offers, without some of the headaches; recipients' spam filters can still take the softfail as a strong hint that a message may be spam (which many do).

If you're confident that no message should ever come from a node other than what you've specified, then by all means, use fail as the SPF standard intended... but as you've observed, softfail has definitely grown beyond its intended use.
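As an added illustration (not part of the original question or answer), this sketch evaluates the two records from the question against the same sending addresses, showing that only the result for unlisted senders changes between `~all` and `-all`. The `ZONE` table, host names and addresses are constructed sample data standing in for DNS, and only the `a`, `mx`, `ip4`/`ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed sample zone (documentation address ranges), standing in for DNS.
ZONE = {
    "A": {"example.org": ["192.0.2.10"], "mail.example.org": ["192.0.2.25"]},
    "MX": {"example.org": ["mail.example.org"]},
    "TXT": {"_spf.relay.example": "v=spf1 ip4:198.51.100.0/24 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def matches(mech, arg, ip, domain):
    """Return True when the sender IP matches one mechanism."""
    if mech == "all":
        return True
    if mech in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        hosts = [arg or domain]
    elif mech == "mx":
        hosts = ZONE["MX"].get(arg or domain, [])
    elif mech == "include":
        # include matches only when the nested evaluation returns "pass";
        # a missing record is treated as a non-match in this sketch.
        return check_host(ip, arg, ZONE["TXT"].get(arg, "")) == "pass"
    else:
        return False  # anything else is treated as non-matching in this sketch
    addrs = [a for h in hosts for a in ZONE["A"].get(h, [])]
    return ip in map(ipaddress.ip_address, addrs)


def check_host(ip, domain, record):
    """Evaluate an SPF record left to right; the first matching term wins."""
    ip = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if matches(mech.lower(), arg, ip, domain):
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and the record has no "all"
```

Listing a third-party sender with `include:` before the final `all` term is what moves its mail from softfail or fail to pass; the qualifier on `all` only decides what happens to everything left over.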