SPF – what is the difference between ~all and -all?

SPF is an important tool against unauthorized sending on behalf of your domain: the domain owner publishes in DNS which IP addresses may send mail with that domain as the envelope sender (the SMTP MAIL FROM), and the receiving server compares the connecting IP address with that list. SPF was described in this article: SPF and DKIM – spam protection

This article covers one small but significant detail of that record: the difference between ending it with ~all and ending it with -all.

~all (soft fail)

~all is the less restrictive option. It says that the servers listed in the SPF record are the ones that should be sending mail for this domain, but that the domain owner is not willing to make a strong statement about everything else. A message from a host not listed in the record gets the SPF result "softfail". RFC 7208 (section 8.5) says a receiving server should not reject a message solely because of a softfail, but may subject it to closer scrutiny; in practice most receivers accept the message and treat the result as a spam signal, usually delivering it to the spam folder. It is a flexible policy: the message gets through, but the receiver is told that something may be wrong.

Example:

The domain example.com has a correctly configured SPF record listing the IP address of the server authorized to send mail for example.com. The record ends with ~all.

An email is sent from example@example.com via an unauthorized mail server (i.e., from an IP address other than the one listed in the SPF record) to example@other-example.com. The SPF check on the recipient side returns softfail. Whether the message is accepted or rejected is the recipient's local policy, but with ~all it will most likely be accepted, treated as suspicious, and placed in the spam folder.

-all (hard fail)

-all is the more restrictive option and gives better protection against unauthorized mail being sent in your domain's name. It states that only the servers listed in the SPF record are authorized to send mail for the domain; a message from any other host gets the SPF result "fail". RFC 7208 (section 8.4) leaves what to do with a fail to the receiver's local policy: the receiving server may reject the message outright during the SMTP session, but many large providers instead deliver it to spam or use the result in their DMARC evaluation. -all is therefore the strongest statement you can publish, not a guarantee that every spoofed message will be bounced.

Example:

The domain example.com has a correctly configured SPF record listing the IP address of the server authorized to send mail for example.com. The record ends with -all.

An email is sent from example@example.com via an unauthorized mail server (i.e., from an IP address other than the one listed in the SPF record) to example@other-example.com. The SPF check on the recipient side returns fail, and the recipient's mail server, based on the -all setting, will reject the email or, depending on its policy, deliver it straight to spam.
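The two scenarios above, as an added example that is not part of the original article: a minimal SPF evaluator in Python that supports only the ip4, ip6 and all mechanisms (include, a, mx and the rest need DNS lookups and are deliberately left out), run against two constructed records for example.com that differ only in the qualifier on the final all. The IP addresses are documentation addresses and are assumptions, not real servers.

```python
import ipaddress
import re

# Constructed records for example.com (RFC 5737/3849 documentation addresses,
# not real servers). They differ only in the qualifier on the final "all".
RECORD_SOFTFAIL = "v=spf1 ip4:192.0.2.10 ip6:2001:db8::25 ~all"
RECORD_HARDFAIL = "v=spf1 ip4:192.0.2.10 ip6:2001:db8::25 -all"

# RFC 7208 section 4.6.2: when a mechanism matches, its qualifier is the result.
# The default qualifier is "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# RFC 7208 section 8: what the receiver may do with each result. Disposition
# is always local policy; this is the recommended reading of the RFC.
DISPOSITION = {
    "pass": "accept: connecting host is authorized",
    "fail": "explicit 'not authorized': may reject, or quarantine / feed DMARC",
    "softfail": "should not reject on this alone; may scrutinize (spam folder)",
    "neutral": "no statement: treat as if no record existed",
}

TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=](.+))?")


def parse_terms(record):
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) tuples."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    terms = []
    for token in tokens[1:]:
        m = TERM_RE.fullmatch(token)
        if m is None:
            raise ValueError(f"unparseable term: {token}")
        qualifier, mechanism, argument = m.groups()
        terms.append((qualifier or "+", mechanism.lower(), argument))
    return terms


def check_host(record, sender_ip):
    """Evaluate `record` for the connecting IP `sender_ip` (RFC 7208 check_host).

    Mechanisms are tested left to right; the first match decides the result.
    Only ip4, ip6 and all are supported here because everything else needs DNS.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_terms(record):
        if mechanism in ("ip4", "ip6"):
            # A bare address is treated as a /32 or /128 network.
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "all":
            # "all" always matches, so its qualifier is the result for every
            # host not matched earlier: this is exactly where ~all and -all differ.
            return QUALIFIERS[qualifier]
        else:
            raise NotImplementedError(f"{mechanism} needs DNS; not supported here")
    # RFC 7208 section 4.7: no mechanism matched and no "all" present.
    return "neutral"


def describe(record, sender_ip):
    """Return (SPF result, receiver disposition) for a record/IP pair."""
    result = check_host(record, sender_ip)
    return result, DISPOSITION[result]


if __name__ == "__main__":
    for label, record in (("~all", RECORD_SOFTFAIL), ("-all", RECORD_HARDFAIL)):
        for ip in ("192.0.2.10", "198.51.100.7"):
            result, action = describe(record, ip)
            print(f"{label:5} {ip:15} -> {result:8} ({action})")
```

The listed host passes under both records; the unlisted host 198.51.100.7 gets softfail under ~all and fail under -all. The DISPOSITION table is the RFC's view of what a receiver may do with each result, which is why the same sending IP ends up in the spam folder in one case and may be rejected in the other.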

Recommendations for Using SPF -all

For your own security, use -all: it gives the best protection against spoofing of your domain and the sending of unauthorized email in its name. Before switching, make sure every legitimate sending service (your own mail server, newsletter tool, ticketing system, and so on) is listed in the record, otherwise their mail will fail the check too. Since SPF only covers the envelope sender, combine it with DKIM and DMARC so that the visible From: header is protected as well.

The same recommendation is given by CERT Poland, the computer emergency response team that performs the duties of CSIRT NASK under the Act of 5 July 2018 on the national cybersecurity system.

CERT recommends:

The SPF (Sender Policy Framework) record may contain the directive “~all.” This is not an error (especially when DKIM and DMARC are also correctly configured), but we recommend analyzing the record and, if possible, changing it to include the directive “-all” (hard fail).
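As an added example (not from the article or from CERT), a small audit function in Python that applies the recommendation above to a record before you change it: it reports the qualifier on the final all, flags +all, a missing all and terms placed after all (which are never evaluated), and counts the top-level DNS-lookup terms against the limit of ten from RFC 7208 section 4.6.4. The records it runs on are constructed, and the include: target is a placeholder.

```python
import re

# Constructed records to audit; none of these hosts or include targets are real.
SAMPLE_RECORDS = {
    "hardfail": "v=spf1 include:_spf.example.net ip4:192.0.2.10 -all",
    "softfail": "v=spf1 include:_spf.example.net ip4:192.0.2.10 ~all",
    "open":     "v=spf1 ip4:192.0.2.10 +all",
    "no_all":   "v=spf1 ip4:192.0.2.10",
    "trailing": "v=spf1 -all ip4:192.0.2.10",
}

# Terms that cost a DNS lookup each. RFC 7208 section 4.6.4 limits these to 10
# per evaluation, counted recursively through include and redirect, so the
# top-level count below is a lower bound.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=/].*)?")


def audit_spf(record):
    """Return a list of findings for an SPF record. An empty list means the
    record ends in -all and has no obvious structural problem."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    terms = tokens[1:]
    findings = []
    lookups = 0
    all_index = None
    for i, term in enumerate(terms):
        m = TERM_RE.fullmatch(term)
        if m is None:
            findings.append(f"unparseable term: {term}")
            continue
        qualifier, mechanism = m.group(1) or "+", m.group(2).lower()
        if mechanism in DNS_LOOKUP_TERMS:
            lookups += 1
        if mechanism == "all" and all_index is None:
            all_index = i
            if qualifier == "+":
                findings.append("+all: every host on the Internet passes, SPF gives no protection")
            elif qualifier == "~":
                findings.append("~all (softfail): receivers should not reject on SPF alone; "
                                "switch to -all once every legitimate sender is listed")
            elif qualifier == "?":
                findings.append("?all (neutral): same as publishing no policy")
    if all_index is None:
        findings.append("no 'all' term: unlisted hosts get 'neutral', same as no record")
    elif all_index != len(terms) - 1:
        findings.append("terms after 'all' are never evaluated (RFC 7208 section 5.1)")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms at top level; the limit is 10 "
                        "(and included records add to the count)")
    return findings


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(f"{name}: {record}")
        for finding in audit_spf(record) or ["OK: ends in -all"]:
            print(f"  - {finding}")
```

Run it against the TXT record you actually publish (for example the output of `dig +short TXT example.com`) before and after the change; only the "hardfail" sample comes back clean, and the "trailing" sample shows why the position of all matters as much as its qualifier.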

You can read more about configuring the SPF record and email security in cPanel: How to Add a New Entry.

Emilia