SPF Hard Fail Vs Soft Fail

If the SPF record ends in "-all," it indicates that the domain owner has set a strict policy. The recipient's mail server should reject emails that don't come from an IP address listed in the SPF record. This helps prevent unauthorized emails, like those from spoofed addresses, from being delivered.

SPF Hard Fail

Example SPF record with a hard fail:

v=spf1 ip4:192.168.1.1 -all

In the above record, the minus sign (-) before ‘all’ means that any email from a sender whose IP is not listed in the SPF record is treated as a ‘Hard Fail,’ i.e., unauthorized, and should be discarded immediately. Only mail from the IP address listed in the record, 192.168.1.1, is considered legitimate and passes the SPF check.

SPF SoftFail

If the SPF record ends in "~all," it shows that the domain owner has a more lenient policy. The recipient's mail server should label emails that don't come from an IP address listed in the SPF record as "possibly" unauthorized but won't outright reject them. This approach is less strict and is chosen when the domain owner isn't ready to enforce a strict rejection policy yet.

Example SPF record with a soft fail:

v=spf1 ip4:192.168.1.1 ~all

In the above record, the tilde sign (~) means that mail from any IP address not listed in your SPF record is treated as a ‘SoftFail,’ i.e., categorized as ‘SPAM’ or ‘Suspicious,’ and the recipient is notified. The SPF record authorizes the listed sender SMTP server to send mail; email coming from any server other than the listed source is categorized as SPAM.

Note: The receiving server may not honor this request, even though your SPF record publishes it.

In simple terms, a hard fail (-all) policy means that if the SPF check fails, the email should be rejected outright. On the other hand, a soft fail (~all) policy means that the email should be considered potentially suspicious but not automatically rejected.

Dynamic SPF Record

The maximum limit for DNS lookups in SPF records is 10. This means that when a receiving email server checks the SPF record for a sending domain, it will follow up to 10 DNS lookups. If this limit is exceeded, the receiving server might see the SPF record as a PermError, indicating a permanent error in the SPF record syntax or DNS lookup process. IPs that fail or show PermError are displayed in the DMARC RUA Reports of GoDMARC.

To prevent reaching the SPF record lookup limit, it's crucial to ensure that the SPF record stays within the limit of 10 lookups. You can easily do this by choosing GoDMARC's Dynamic SPF. GoDMARC continuously monitors, updates, and removes IP addresses whenever changes are noticed in the IP pools or SPF records shared by ESPs.

What an SPF Record Looks Like and the Meaning of Its Tags

v=spf1 a mx include:_spf.yourdomain.com ip4:192.168.1.1 -all or ~all or +all

v: Defines the SPF record version. It should always be set to "spf1" for SPF version 1. Example: v=spf1

a: Specifies the domain's A record that is authorized to send email.

Example: a:example.com

mx: Specifies that the domain's MX (mail exchange) servers are authorized to send email.

Example: mx

ip4: Specifies an IPv4 address or range of addresses that are authorized to send email.

Example: ip4:192.168.1.1

include: Includes SPF records from another domain. This is useful for including SPF records from third-party services that send email on behalf of your domain.

Example: include:example.com

all: Specifies the default action for emails that do not match any of the preceding mechanisms. It can be set to one of the following:

+all: Pass. Every sender matches, so all emails pass the SPF check no matter which IP address they come from.

-all: Fail (reject) all emails that do not match any other mechanism. This is the most strict setting.

~all: Soft fail. Emails that do not match any other mechanism are marked as suspicious but not rejected. This is less strict than -all.

Example: -all

These are the most common SPF record tags used to define SPF policies.
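
As an added example (not GoDMARC's code), the Python below parses records like the ones shown above, reports the policy set by the all term, and counts the terms that cost a DNS lookup, following include into other records, against the limit of 10. The domains and TXT records in SAMPLE_DNS are constructed, and the rule for which terms count (a, mx, include, exists, ptr, redirect) is taken from RFC 7208, not from this page.

```python
import re

# Constructed TXT records standing in for live DNS (sample data, not real zones).
SAMPLE_DNS = {
    "yourdomain.com": "v=spf1 a mx include:_spf.yourdomain.com ip4:192.168.1.1 -all",
    "_spf.yourdomain.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "sprawl.example": "v=spf1 a mx "
    + " ".join(f"include:esp{i}.example" for i in range(5)) + " ~all",
    **{f"esp{i}.example": "v=spf1 a mx ip4:198.51.100.1 -all" for i in range(5)},
}
QUALIFIERS = {"+": "pass", "-": "fail (hard fail)", "~": "softfail", "?": "neutral"}
# Terms that cost the receiver a DNS query (RFC 7208); ip4, ip6 and all do not.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}
LOOKUP_LIMIT = 10
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=](\S+))?", re.I)

def parse_terms(record):
    """Split an SPF record into (qualifier, name, argument) tuples."""
    fields = record.split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for field in fields[1:]:
        m = TERM.match(field)
        if not m:
            raise ValueError(f"unparseable term: {field!r}")
        qualifier, name, arg = m.groups()
        terms.append((qualifier or "+", name.lower(), arg))  # no sign means "+"
    return terms

def count_lookups(domain, dns, seen=()):
    """Count DNS-querying terms, following include/redirect into other records."""
    if domain in seen or domain not in dns:  # loop guard; unknown target adds nothing
        return 0
    total = 0
    for _, name, arg in parse_terms(dns[domain]):
        total += 1 if name in LOOKUP_TERMS else 0
        if name in ("include", "redirect") and arg:
            total += count_lookups(arg, dns, seen + (domain,))
    return total

def audit(domain, dns=SAMPLE_DNS):
    """Report the policy set by 'all' and whether the lookup limit is exceeded."""
    terms = parse_terms(dns[domain])
    sign = next((q for q, name, _ in terms if name == "all"), None)
    lookups = count_lookups(domain, dns)
    return {"all_policy": QUALIFIERS.get(sign, "neutral (no all term)"),
            "dns_lookups": lookups,
            "result": "permerror" if lookups > LOOKUP_LIMIT else "within limit"}
```

The ~all inside _spf.yourdomain.com does not change the result for yourdomain.com: only the all term of the record being audited sets the policy, while the lookups inside included records still count toward the limit.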
