Any downside to enabling SPF?

Thor (Honorary Master; joined Jun 5, 2014; 44,413 messages; 7,522 reaction score; location: Bellville)
As per title

I am talking about creating a Sender Policy Framework (SPF) record for your domain yes.
 
Make sure you use ~all and not -all to prevent unforeseen errors.

Define unforeseen errors?

As I understand it, -all means it's a strict match, so it will fail if it does not match my MX record or the IP address of the server,

and ~all means it will allow mail whether or not it matches the parameters in the record, so practically useless then?

(I am most likely not understanding how this works so please be gentle)
 
Define unforeseen errors?

As I understand it, -all means it's a strict match, so it will fail if it does not match my MX record or the IP address of the server,

and ~all means it will allow mail whether or not it matches the parameters in the record, so practically useless then?

(I am most likely not understanding how this works so please be gentle)

This explains it better than I can:

https://wordtothewise.com/2014/06/authenticating-spf/
 
I need a more real world example

IF I use -all

will the mail still work on outlook, thunderbird, geary and my android phone?
 
I need a more real world example

IF I use -all

will the mail still work on outlook, thunderbird, geary and my android phone?
The SPF record doesn't prevent mail going anywhere per se.

It just provides a guide to the servers receiving the email as to which sending servers are allowed to send email on your domain's behalf.
 
I use -all for my own stuff.

Reason being I have ONE mail server that's authorized to send.

Thus I want them (read EXTERNAL mail servers - read NOT MINE) to reject mail that's not coming from my ONE server.

I ain't got no time for spammers pretending to be me.
 
So my mail server will automatically drop any email from Thor.com that has been sent from server 15.10.20.21 if that IP is not on your SPF list.

It's a setting on my mail server to prevent spoofing and spam. Other mail servers might not actually check SPF records.
 
I need a more real world example

IF I use -all

will the mail still work on outlook, thunderbird, geary and my android phone?

As has been mentioned.

SPF has nothing to do with you sending mail out.

It has to do with an EXTERNAL (read not yours) mail server RECEIVING mail for your domain. If they have SPF checking enabled they will then check where the mail originated from and if it didn't originate from the address specified in your SPF they will bounce it.

It's used to identify real senders from spammers and spoofers.
 
The SPF record doesn't prevent mail going anywhere per se.

It just provides a guide to the servers receiving the email as to which sending servers are allowed to send email on your domain's behalf.

This. Even with SPF records we have mail getting spoofed. You can actually see SPF failing in the header, yet it reaches people's inboxes. It's up to the receiving end to enforce the SPF check.
 
This. Even with SPF records we have mail getting spoofed. You can actually see SPF failing in the header, yet it reaches people's inboxes. It's up to the receiving end to enforce the SPF check.

A great example of this would be the idiots who set up Hillary's email server.

They didn't check SPF and got phished.

If they had checked, they would have bounced the email. Instead the IT guy eyeballed it, said it looks legit and told them to click the link and change their passwords... SPF helps prevent **** like this.
 
Makes perfect sense that is exactly what I thought it would do.

-all it is.

I use cPanel for my mail, so each account will use the IP address of that server.
 
Makes perfect sense that is exactly what I thought it would do.

-all it is.

I use cPanel for my mail, so each account will use the IP address of that server.
If you have any websites that send email directly for your domain mail (not via SMTP), you need to add those IPs as well.

So for my domains, I have my main SMTP server, my website IP address (support emails are sent from there) and my 2 SaaS providers' servers (alerts and notifications are sent from there).
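To make concrete what the posts above describe (the receiving server, not yours, evaluates your record; -all produces a hard fail and ~all a soft fail; extra sending IPs and providers are listed or pulled in via include), here is a small SPF evaluator in Python. It is example code added for this thread, not anything posted by the participants or taken from a library mentioned here. DNS is replaced by a constructed dictionary of hypothetical domains, so only the ip4, ip6, include and all mechanisms are supported; the 15.10.20.21 address is the one used earlier in the thread, and every domain name is made up.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups: every domain here is hypothetical.
# example.com mirrors the layout a poster described: one SMTP server, one web
# server that mails directly, and two SaaS providers pulled in via include.
ZONE = {
    "example.com": ("v=spf1 ip4:203.0.113.10 ip4:198.51.100.25 "
                    "include:saas1.example.net include:saas2.example.net -all"),
    "saas1.example.net": "v=spf1 ip4:192.0.2.0/24 ~all",
    "saas2.example.net": "v=spf1 ip6:2001:db8::/32 -all",
    "soft.example.org": "v=spf1 ip4:203.0.113.10 ~all",  # same server, ~all instead of -all
}

MAX_LOOKUPS = 10  # RFC 7208 caps DNS-resolving mechanisms at 10 per evaluation
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, zone=ZONE):
    """Return the domain's SPF record, or None when it publishes none."""
    record = zone.get(domain.lower())
    if record is None or record.split()[0].lower() != "v=spf1":
        return None
    return record


def evaluate_spf(ip, domain, zone=ZONE, _lookups=None):
    """Evaluate the connecting IP against the domain's SPF record.

    Returns pass, fail, softfail, neutral, none or permerror. Mechanisms that
    need live DNS (a, mx, ptr, exists) are out of scope here and yield permerror.
    """
    if _lookups is None:
        _lookups = [0]
    record = lookup_spf(domain, zone)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # a bare mechanism means "+" (pass)
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = evaluate_spf(ip, arg, zone, _lookups)
            if inner in ("none", "permerror"):
                return "permerror"           # including a missing record is a hard error
            matched = inner == "pass"        # fail/softfail/neutral inside an include is just "no match"
        else:
            return "permerror"
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                         # record ended without matching anything


def receiver_action(spf_result, enforce=True):
    """What a receiving MTA typically does with the result; the sender's record alone does nothing."""
    if not enforce:
        return "accept"                      # many receivers never check, as the thread notes
    if spf_result == "fail":
        return "reject"                      # -all matched: hard fail
    if spf_result == "softfail":
        return "accept-and-flag"             # ~all matched: deliver, but feed it into spam scoring
    return "accept"


if __name__ == "__main__":
    for sender_ip, dom in [("203.0.113.10", "example.com"), ("192.0.2.77", "example.com"),
                           ("15.10.20.21", "example.com"), ("15.10.20.21", "soft.example.org")]:
        res = evaluate_spf(sender_ip, dom)
        print(f"{sender_ip:>14} claiming {dom:<17} -> {res:<8} receiver: {receiver_action(res)}")
```

Running it shows the difference the earlier posts argue about: the same unlisted IP gets "fail" against the -all record and "softfail" against the ~all record, and whether either result costs the message anything depends entirely on the receiver's enforce setting.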
 
If you have any websites that send email directly for your domain mail (not via SMTP), you need to add those IPs as well.

So for my domains, I have my main SMTP server, my website IP address (support emails are sent from there) and my 2 SaaS providers' servers (alerts and notifications are sent from there).

I do use PHPMailer for all my web mails using the specific cPanel account's SMTP settings, so all should be well?
 
While you are at it, then add a DMARC record (if you struggle reading the feedback, use postmark.app) and then also DKIM. SPF is really pointless if you have not set up FBLs (and those are pointless if you do not have automated FBL handling in place - for some insights look at this - https://github.com/magicdude4eva/port25-bouncehandler).

Just remember that with mail servers and DKIM and SPF you will need proper rDNS set up as well, and hopefully have a pool of clean IPs which are not shared with a dodgy ASN pool from some hosting company.
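The DMARC step the post above recommends, as an added Python example written for this thread (not code from the poster or from any tool linked here): a receiver combines the SPF result with the DKIM result, checks that the authenticated domain aligns with the header From domain, and only then applies the published policy. The record and all domains are constructed, and organizational-domain detection is simplified to the last two labels, where a real implementation consults the Public Suffix List.

```python
# Constructed DMARC record for a hypothetical domain: reject on the apex, quarantine on
# subdomains, relaxed SPF alignment, strict DKIM alignment, aggregate reports to rua.
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; aspf=r; adkim=s; "
                "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (simplification: real code uses the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') compares organizational domains."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_verdict(record, header_from, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass', or the policy to apply (none/quarantine/reject) when neither method passes aligned.

    spf_domain is the envelope (MAIL FROM) domain SPF was evaluated for; dkim_domain is the
    d= value of a validated signature. Either an aligned SPF pass or an aligned DKIM pass suffices.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # sp= governs subdomains of the publishing domain; p= governs the domain itself.
    if org_domain(header_from) != header_from.lower() and "sp" in tags:
        return tags["sp"]
    return tags.get("p", "none")


if __name__ == "__main__":
    cases = [
        ("example.com", "pass", "example.com", "fail", ""),                # own SMTP server, SPF aligned
        ("example.com", "pass", "bounce.saas1.example.net", "fail", ""),   # SaaS passes SPF on its own domain only
        ("example.com", "fail", "", "pass", "mail.example.com"),           # DKIM d= is a subdomain, adkim=s
        ("news.example.com", "fail", "news.example.com", "fail", ""),      # subdomain, falls under sp=
    ]
    for case in cases:
        print(case[0], "->", dmarc_verdict(DMARC_RECORD, *case))
```

The second case is the one that bites people who list a provider's servers in SPF and stop there: SPF passes for the provider's bounce domain, but that domain does not align with the From header, so DMARC still fails and the message is treated according to p=. Signing with DKIM under your own domain, as the post suggests, is what fixes that.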
 