Email SPF – Why Does SPF Allow +all?

I was looking at how various sites have their SPF records set, and found a site whose SPF record ends with +all.

This seems to be a bad idea, and spf-all says the following about the matter:

+all Pass The email is never a forgery. This option should not be used.

Yet I cannot find anything in the RFC that says this is banned, so it appears to be a valid record.

Is this a valid record? And if so, would most spam filters treat this as an indication to raise the required level of spamminess of a message from this domain before it is treated as spam, or would they simply ignore the record, or count it against the domain?

Best Answer

SPF is defined in RFC 7208.

The "all" keyword is defined as such:

5.1. "all"

all = "all"

The "all" mechanism is a test that always matches. It is used as the rightmost mechanism in a record to provide an explicit default.

For example:

 v=spf1 a mx -all

Mechanisms after "all" will never be tested. Mechanisms listed after "all" MUST be ignored. Any "redirect" modifier (Section 6.1) MUST be ignored when there is an "all" mechanism in the record, regardless of the relative ordering of the terms.

You even have this example:

v=spf1 +all

  -- any <ip> passes

or

example.com.           SPF  ( "v=spf1 "
                              "-include:ip4._spf.%{d} "
                              "-include:ptr._spf.%{d} "
                              "+all" )
ip4._spf.example.com.  SPF  "v=spf1 -ip4:192.0.2.0/24 +all"
ptr._spf.example.com.  SPF  "v=spf1 -ptr +all"

This example shows how the "-include" mechanism can be useful, how an
SPF record that ends in "+all" can be very restrictive, and the use
of De Morgan's Law.

So +all is useful, and certainly not banned.

As for spam filters, it is difficult to say how they treat it; this is a local policy configuration.
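
The RFC example quoted in the answer, worked through as an added example (not part of the original answer, and not any SPF library's code): a minimal evaluator for the all, ip4, ptr and include mechanisms, plus an audit check that separates a bare "+all" from the restrictive record. Assumptions: the zone is constructed with `%{d}` pre-expanded, `ptr_ok` stands in for a validated reverse-DNS match, and `open.example` and `passes_any_sender` are hypothetical names.

```python
import ipaddress

# Constructed zone: the RFC 7208 records quoted above, with the %{d} macro
# pre-expanded, plus a bare "+all" record (hypothetical domain) for contrast.
ZONE = {
    "example.com": "v=spf1 -include:ip4._spf.example.com "
                   "-include:ptr._spf.example.com +all",
    "ip4._spf.example.com": "v=spf1 -ip4:192.0.2.0/24 +all",
    "ptr._spf.example.com": "v=spf1 -ptr +all",
    "open.example": "v=spf1 +all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
PROBES = ["192.0.2.10", "198.51.100.7", "203.0.113.5"]  # constructed senders

def check_host(ip, domain, ptr_ok, zone=ZONE):
    """Evaluate all/ip4/ptr/include left to right; first match decides.
    ptr_ok (assumption) stands in for a validated reverse-DNS match."""
    record = zone.get(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
        elif name == "ptr":
            matched = ptr_ok
        elif name == "include":
            # An include matches only when the included record yields "pass".
            matched = check_host(ip, arg, ptr_ok, zone) == "pass"
        else:
            raise ValueError(f"unsupported term: {term}")
        if matched:
            return RESULTS[qualifier]
    return "neutral"                          # no mechanism matched

def passes_any_sender(domain):
    """Audit check: True when every probe passes, so anyone is authorized."""
    return all(check_host(ip, domain, ptr) == "pass"
               for ip in PROBES for ptr in (True, False))

if __name__ == "__main__":
    for d in ("open.example", "example.com"):
        print(d, "authorizes every sender:", passes_any_sender(d))
```

In the restrictive record, a sender reaches the final "+all" only if it is inside 192.0.2.0/24 and its ptr check succeeds; every other sender is rejected by one of the "-include" terms first.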
