I think it's pretty weak they're advertising the use of "~all" in their SPF records. Either use "-all" or just don't use SPF, I would say. If you can't make a decisive statement about your own domain then it won't be actionable for receivers that evaluate your records.
If you use DMARC with a reject or quarantine policy, SPF hardfail ("-all") can prevent recipients from successfully forwarding mail you've sent them.
Some best practices for DKIM, SPF, and DMARC (as of mid-2015) in [1], including this:
> ...when an organization publishes p=reject [in DMARC], they should simultaneously change their SPF hard fail to SPF soft fail. ... A message that passes SPF and is forwarded will fail SPF. If a message hard fails SPF it will probably be marked as spam but if it soft fails, it will most likely still be accepted by the recipient. This forwarding failure possibility is why most organizations publish a soft fail record.
Interesting note about DMARC, but still, if you're concerned about breaking forwarding for your domain, then why bother using SPF at all? I still don't see the benefit of setting up ~all rules.
I believe that DMARC requires SPF. Since I want DMARC, I need to provide a compatible SPF, which means ~all.
(And I do want to implement DMARC. Not so much to improve deliverability of my own email, but rather to prevent delivery of malicious email pretending to be from my domain.)
Create a TXT record containing this text: v=spf1 include:_spf.google.com ~all
Publishing an SPF record that uses -all instead of ~all may result in delivery problems. See Google IP address ranges for details about the addresses for the Google Apps mail servers.
That's a totally fair point. I'm not entirely sure why most third parties are still using ~ in their documentation but it still seems to be the norm. I do like the definitive nature of -all.
IIRC ~all is the recommendation because Hotmail/Live told people to use ~all to prevent hardfails when Hotmail's lookups timed out or if a particular mailserver IP was inaccessible during spam checks.
~all will result in your email being bounced around until accepted even if the IP doesn't match DNS records (more or less).
-all will result in hardfail if rejected by any TO mailserver.
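
An added example, not part of the thread: a simplified Python model of the forwarding case discussed above, comparing the "~all" record quoted in the thread with a "-all" variant at a receiver that acts on SPF before DMARC. The function names, the ip_listed shortcut (no DNS lookups) and the modelled receiver behaviour are assumptions for illustration.

```python
# Added example: simplified receiver model, not a full SPF/DMARC implementation.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def all_result(record):
    """Return the SPF result the terminal `all` mechanism gives unmatched IPs."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech.lower() == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no `all` and no redirect: SPF's default result is neutral

def spf_result(record, ip_listed):
    # Assumption: ip_listed stands in for resolving include:/ip4:/a/mx via DNS.
    return "pass" if ip_listed else all_result(record)

def disposition(record, ip_listed, dkim_aligned, policy, spf_first):
    """Model one receiver; spf_first=True rejects on SPF fail before DMARC runs."""
    spf = spf_result(record, ip_listed)
    if spf_first and spf == "fail":
        return "rejected by SPF before DMARC"
    # DMARC passes when SPF or DKIM passes with an aligned domain
    # (assumption: the SPF domain is aligned with the From: domain).
    if spf == "pass" or dkim_aligned:
        return "delivered (DMARC pass)"
    return {"none": "delivered (DMARC fail, p=none)",
            "quarantine": "quarantined by DMARC",
            "reject": "rejected by DMARC"}[policy]

SOFT = "v=spf1 include:_spf.google.com ~all"   # record quoted in the thread
HARD = "v=spf1 include:_spf.google.com -all"   # same record with hardfail

def forwarded_cases():
    # Forwarded mail: the forwarder's IP is not listed; DKIM signature survives.
    return {name: disposition(rec, ip_listed=False, dkim_aligned=True,
                              policy="reject", spf_first=True)
            for name, rec in (("~all", SOFT), ("-all", HARD))}

if __name__ == "__main__":
    for name, outcome in forwarded_cases().items():
        print(name, "->", outcome)
```

When the forwarded message carries no surviving aligned DKIM signature, both records end in a DMARC reject under p=reject in this model; the qualifier only changes the outcome at receivers that act on the SPF result first.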