How should I end my SPF record? ~all? -all? +all?

What does the standard say?

SPF records let the world know who is authorized to send email on your behalf. Specifically, it is a technical method to prevent sender address forgery.  It allows the owner of a domain to specify the mail servers they use to send mail.  Get this record right, and you’re in good shape with the ISPs.  Mess it up, and you’ll likely end up in the spam folder.

The “all” mechanism tells mail servers what to do with everything that isn’t sent from a mail server that is listed earlier in your SPF record.

The options and their interpretations are:

  • -all (Fail): All mail servers not listed in the SPF record are explicitly not authorized to send mail using the sender’s domain.
  • ~all (Soft Fail): All mail servers not listed in the SPF record are not authorized to send mail using the sender’s domain, but the owner of the domain is unwilling to make a strong assertion to that effect.
  • ?all (Neutral): The domain owner cannot or does not want to assert whether or not mail servers not listed in the SPF record are authorized to send mail using the sender’s domain.
  • +all (Pass): All mail servers are authorized to send mail on behalf of the sender’s domain.

For example, “v=spf1 include:sendgrid.net -all” means that email from SendGrid will pass SPF validation, but all other email servers are explicitly not authorized.

Everything past the “all” is ignored. If you don’t end with one of those options, then “?all” is assumed.

What do people actually do?

We looked at the SPF records for the top 500,000 sites, as rated by Alexa. Of those, 205,043 had the phrase “v=spf1” in their TXT or SPF Type 99 records, meaning they had an SPF record (though many were not valid). 97% of the SPF records ended with some variation of “all”. Here is a breakdown of the results:

[Figure SPF_all: breakdown of how the SPF records end]

Only the first five are valid (“all” maps to “+all”, according to the standard).

In fact, probably only the first three should be considered valid SPF records, as “+all” means that anyone is authorized to send email from your domain. This is much worse than having no SPF record at all! The folks who wrote the standard have this to say about using “+all”: “The domain owner thinks that SPF is useless and/or doesn’t care.”

What is the worst mistake I can make?

If you just use “all”, then “+all” is assumed, meaning that everybody is authorized to send email from your domain!

We saw hundreds of domains that had “~ all” rather than “~all”. Those show as “all” in the table. This accidental space between the tilde and the all changes the meaning from the intended “soft fail all email from domains or IPs not listed in the SPF record” to “pass all email”. Oops.
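The rules above (a missing qualifier means “+”, a missing “all” means “?all”, anything after “all” is ignored, and “~ all” collapses to a bare “all”) can be checked mechanically. The following checker is an added example written for this post, not code from the original article; the record strings in the comments are constructed for illustration, and the lint messages are this example’s own wording.

```python
import re
from typing import List, Optional, Tuple

# Result an unlisted sender gets, keyed by the qualifier on the terminal "all".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def classify_all(record: str) -> Tuple[Optional[str], List[str]]:
    """Report how an SPF TXT record treats senders it does not list.

    Returns (result, warnings). result is None when the string is not an
    SPF record at all. Constructed inputs such as
    "v=spf1 include:sendgrid.net ~ all" exercise the mistakes discussed above.
    """
    terms = record.strip().split()
    warnings: List[str] = []
    if not terms or terms[0].lower() != "v=spf1":
        return None, ["not an SPF record (does not start with v=spf1)"]
    mechanisms = terms[1:]
    for i, term in enumerate(mechanisms):
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if not match:
            continue
        qualifier = match.group(1) or "+"  # no qualifier: the standard assumes "+"
        if not match.group(1):
            warnings.append('bare "all" is read as "+all": every sender passes')
        # "~ all" splits into a stray "~" followed by a bare "all"
        if i > 0 and mechanisms[i - 1] in QUALIFIERS:
            warnings.append(f'space after "{mechanisms[i - 1]}": qualifier lost')
        trailing = len(mechanisms) - i - 1
        if trailing:
            warnings.append(f"{trailing} term(s) after all are ignored")
        return QUALIFIERS[qualifier], warnings
    warnings.append('no terminal "all": "?all" (neutral) is assumed')
    return "neutral", warnings
```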

How can I check my record?

Fill out the automated SPF record check form, and we will make sure your SPF record is correct and that the email you sent passes the validation check.