
Over the past hour, I've been digging into SPF, skimming through RFC-4408, and going over another tutorial.

I own my own domain, with postfix installed on the server behind that domain. Apart from my normal address, I want to also be able to send e-mails using GMail using my own e-mail address as sender.

I do receive quite a lot of bounce-back-spam where spammers have used my e-mail address as "From" line :( From what I understand, SPF is used to check whether a given SMTP server is allowed to send mails with certain sender domain names. Which would help with said bounce-back.

So clearly, if I want to be able to send mails via GMail, I have to allow GMail to send in my name via the SPF record.

Following their help, I added the following TXT record:

v=spf1 include:_spf.google.com ~all

They specifically advise against using -all as fallthrough rule.

Given that ~all is a "soft fail" which still accepts all messages, what's the point of enabling SPF at all?

I tried to send some mails from an external host and they were accepted with the only difference being that my mail-server assumes that there was no SPF record.

Excerpt from the logs when sending via GMail:

May  8 15:15:58 h2150855 policyd-spf[6184]: None; identity=helo; client-ip=300.300.300.300; helo=mail-lf0-f52.google.com; envelope-from=mygmailaddress@gmail.com; receiver=mypersonaladdress@example.com
May  8 15:15:58 h2150855 policyd-spf[6184]: Pass; identity=mailfrom; client-ip=300.300.300.300; helo=mail-lf0-f52.google.com; envelope-from=mygmailaddress@gmail.com; receiver=mypersonaladdress@example.com

... and sending via a third-party server:

May  8 15:19:17 h2150855 policyd-spf[6554]: None; identity=helo; client-ip=301.300.300.300; helo=theserver.example.com; envelope-from=exhuma@theserver.example.com; receiver=mypersonaladdress@example.com
May  8 15:19:17 h2150855 policyd-spf[6554]: None; identity=mailfrom; client-ip=301.300.300.300; helo=theserver.example.com; envelope-from=exhuma@theserver.example.com; receiver=mypersonaladdress@example.com

The only difference I can see is that the postfix SPF plugin marks the gmail message explicitly as Pass, while the other is marked as None.

I am now at the point where I think that adding SPF did not really do anything to my mail-setup and am considering removing it again.

exhuma

3 Answers


The reason it recommends ~all over -all is because of the way it interacts with DMARC; the recommendation to use -all pre-dates the existence of DMARC. -all is indeed an effective (and correct) setting if you are using SPF alone, but -all will usually break DMARC because its rules will not be evaluated. If you set a ~all default SPF action, it hands off the decision to the DMARC layer, at which point you can say "we consider SPF softfail to be a hardfail", and go on to reap the other benefits of DMARC.

So, in short ~all is not pointless if you're using DMARC. (?all is always pointless!)

Synchro
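The question asks what SPF actually checks and why a record ending in ~all appears to do nothing, and the answer above says ~all hands the decision to DMARC. The following is an added example, not code from the question or from any of the answers: a small offline SPF evaluator (the ip4/ip6/include/all/redirect= subset of RFC 4408) followed by the SPF half of a DMARC check, run against a constructed in-memory "DNS" table. The hostnames in that table come from this thread; their contents are assumptions (the CIDR ranges are TEST-NET documentation prefixes, not Google's real netblocks, and the gmail.com redirect and the _dmarc records are made up for the demonstration).

```python
"""Offline SPF evaluator (subset of RFC 4408) plus the SPF part of a DMARC
decision, to show what ~all, -all and ?all do once SPF and DMARC run together.

Added example, not code from the original question or answers. DNS is a
constructed in-memory table: hostnames from the thread, contents made up.
"""
import ipaddress

# Constructed stand-in for live DNS TXT lookups (assumption, not real data).
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.google.com ~all",   # the record in the question
    "example.org": "v=spf1 include:_spf.google.com -all",   # same record, hard fail
    "gmail.com": "v=spf1 redirect=_spf.google.com",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=reject",
}

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def check_host(ip, domain, depth=0):
    """SPF result for <ip> using a MAIL FROM in <domain>.
    Handles ip4, ip6, include, all and redirect=; a/mx/ptr/exists are omitted."""
    if depth > 10:                                   # RFC 4408 §10.1 processing limit
        return "PermError"
    terms = (DNS_TXT.get(domain.lower()) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]             # this is where ~all / -all decide
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)  # False across v4/v6
        elif mech == "include":
            # include matches only if the included record yields Pass. Its trailing
            # ~all never leaks out: SoftFail/Fail/Neutral are just "no match" and the
            # caller's remaining terms decide (RFC 4408 §5.2).
            sub = check_host(ip, arg, depth + 1)
            if sub in ("TempError", "PermError"):
                return sub
            if sub == "None":
                return "PermError"
            matched = sub == "Pass"
        else:
            return "PermError"                       # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_host(ip, redirect, depth + 1)
    return "Neutral"                                 # no 'all' and nothing matched


def dmarc_policy(header_from_domain):
    """The p= tag of the domain's DMARC record, or None if it publishes none."""
    txt = DNS_TXT.get("_dmarc." + header_from_domain.lower(), "")
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return tags.get("p") if tags.get("v") == "DMARC1" else None


def receiver_decision(ip, envelope_from, header_from, reject_spf_fail=True):
    """What a receiver running SPF first and DMARC second does with a message.
    Returns (spf_result, disposition). DKIM is left out of this example."""
    env_domain = envelope_from.rsplit("@", 1)[1].lower()
    hdr_domain = header_from.rsplit("@", 1)[1].lower()
    spf = check_host(ip, env_domain)
    # Stage 1: an SPF-only policy daemon configured to reject on Fail acts at SMTP
    # time. With -all a spoofed message dies here and DMARC never sees it.
    if spf == "Fail" and reject_spf_fail:
        return spf, "rejected at SMTP by SPF; DMARC never evaluated"
    # Stage 2: DMARC asks one thing of SPF: Pass *and* MAIL FROM domain aligned with
    # the header From domain. SoftFail, Neutral, None and Fail are all "not pass",
    # so a ~all SoftFail is as decisive as a -all Fail once p= is applied.
    aligned = env_domain == hdr_domain or env_domain.endswith("." + hdr_domain)
    policy = dmarc_policy(hdr_domain)
    if policy is None:
        return spf, "no DMARC record; delivered on SPF result alone"
    if spf == "Pass" and aligned:
        return spf, "dmarc=pass"
    return spf, "dmarc=fail, p=" + policy


if __name__ == "__main__":
    cases = [
        ("203.0.113.52", "me@example.com", "me@example.com"),  # via Google, aligned
        ("198.51.100.7", "me@example.com", "me@example.com"),  # spoofed, ~all record
        ("198.51.100.7", "me@example.org", "me@example.org"),  # spoofed, -all record
        ("203.0.113.52", "me@gmail.com", "me@example.com"),    # gmail envelope, as in the log
    ]
    for ip, env, hdr in cases:
        spf, action = receiver_decision(ip, env, hdr)
        print(f"{ip:>14}  MAIL FROM {env:<16} From: {hdr:<16} SPF={spf:<8} -> {action}")
```

Two things the run makes concrete. First, the ~all inside _spf.google.com never reaches the outer record: an include only ever contributes "matched" or "not matched", so the qualifier on the outer all is what sets Pass versus SoftFail versus Fail for the domain. Second, with -all and a receiver that rejects on SPF Fail, the message is refused at SMTP time and the DMARC policy (and its reporting) never runs, whereas with ~all the SoftFail reaches DMARC, is treated as not-pass, and p=reject applies anyway. The fourth case mirrors the log excerpt in the question, where envelope-from is a gmail.com address: that Pass was evaluated against gmail.com's record rather than the example.com record, and a DMARC check on the header From domain would flag it as unaligned.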

Your best bet is to use ~all only for testing and use -all for production. Even the RFC recommends that:

If domain owners choose to publish SPF records, it is RECOMMENDED that they end in "-all", or redirect to other records that do, so that a definitive determination of authorization can be made.

Some sites will actually reject the e-mail, or direct it to a spam folder, when encountering a soft-fail, but simply forcing a hard fail will improve the chances of sites rejecting messages which try to forge your domain as the sender.

Steltek
  • Rejecting on a softfail is a direct RFC contravention and IME is actually very rare. The RFC recommendation predates the existence of DMARC, which is broken by the presence of `-all`, so you should use `~all` if you're also using DMARC, see my answer. – Synchro Jun 06 '16 at 13:03

~all is interpreted in some DMARC packages like OpenDMARC as fail by default, although you can change a flag so that it's interpreted as pass.

Similarly, ?all is interpreted in OpenDMARC as fail by default.

In contrast, -all is always interpreted as fail, regardless of your DMARC package deployed.

I've written a post that covers this topic: Why SPF Authentication Fails.

It also covers other related concepts including none, neutral, temperror, permerror, etc.

lgc_ustc