SPF: ~all
- Thread starter Yaayuh!
- Start date
We use a softfail for our SPF records - it's not necessarily the 'correct' way but it's the 'easy' way - and most places I have encountered have done it this way for a long time now. There's not many email administrators around these days especially in smaller companies with jack of all trades admins who understand DNS, DKIM, DMARC or stuff like this.
It's bugging me of late. With SPF as softfail (~all), you almost may as well not have SPF where spoofing is concerned. Which means, people trying to block spoofed email and phishing attempts, can't just rule out senders that fail SPF.
Softfail should only be used for when you're moving/changing services or testing. For normal use there's no reason why companies shouldn't be using hardfail (-all), after all, you should know exactly where your sending emails from (connectors) and adjust accordingly.
Without using using a hardfail SPF (and some still without SPF!) it makes it hard for others to combat spoofing by having to allow softfails.
I just wish every legitimate company had hardfail SPFs, DMARC and DKIM set up.
Just my grump this month, that's all. Lol.
Softfail should only be used for when you're moving/changing services or testing. For normal use there's no reason why companies shouldn't be using hardfail (-all), after all, you should know exactly where your sending emails from (connectors) and adjust accordingly.
Without using using a hardfail SPF (and some still without SPF!) it makes it hard for others to combat spoofing by having to allow softfails.
I just wish every legitimate company had hardfail SPFs, DMARC and DKIM set up.
Just my grump this month, that's all. Lol.
You're absolutely right - and I agree with you. We're an MSP and a lot of our clients get a lot of fails with a hard SPF because they're recruitment agencies, media agencies etc and misuse email, don't use services like mailchimp and spam like mad. I have advised many a time, but alas I am just an infrastructure guy. It's so prevelent in IT now though, and it's one of those these days. We find a lot of SPF issues with a hard fail because both sides are generally misconfigured so it's literally easier for our users to soft-fail unfrotuantely.
Caporegime
- Joined
- 21 Nov 2005
- Posts
- 41,337
- Location
- Cornwall
We use hard fail, DKIM and have recently configured DMARC although we're still monitoring rather than quarantining emails.
We've already found two 3rd parties that send emails as us, both of which relate to our business, so it's a case of working out who's set them up and why.
Going through the DMARC reports is a bit of a minefield and after a week off I'll probably have 300+ reports to go through on Monday so I'm looking at a service like dmarcian to help.
We've already found two 3rd parties that send emails as us, both of which relate to our business, so it's a case of working out who's set them up and why.
Going through the DMARC reports is a bit of a minefield and after a week off I'll probably have 300+ reports to go through on Monday so I'm looking at a service like dmarcian to help.
We publish a hardfail and use DMARC to tell recieving mail servers to drop anything with an invalid DKIM or SPF. DMARC Analyser shows us if any services are misconfigured or a third party is trying to send emails wrong.
I assume the “recommendation” from hosted email providers to set a softfail is purely to reduce the support calls they have to deal with.
I assume the “recommendation” from hosted email providers to set a softfail is purely to reduce the support calls they have to deal with.
All of our records are currently set to softfail. Unfortunately for us we send millions of emails a day, and a lot are from systems we don’t know about or control - it’s been a huge project to start looking at correcting our SPF/DKIM/DMARC records but we’re working through it.
For us its probably a high 6-figure sum to run the project to carry out this work which is one of the reasons its taken us so long to finally get buy in. Increased targeted phishing has magically made more money available to help with our mail hygiene though!
For us its probably a high 6-figure sum to run the project to carry out this work which is one of the reasons its taken us so long to finally get buy in. Increased targeted phishing has magically made more money available to help with our mail hygiene though!
Permabanned
- Joined
- 9 Aug 2008
- Posts
- 35,711
I'm just learning about SPF records. We have companies telling us of their configuration changes and we action them. Some of the companies are currently set to soft fail and moving towards hard fail.
We still having marketing companies spamming the hell out of people, disgusting. I hate customers that want to do that!
We still having marketing companies spamming the hell out of people, disgusting. I hate customers that want to do that!
Soldato
- Joined
- 18 Oct 2002
- Posts
- 8,255
- Location
- The Land of Roundabouts
We have hard fail set but looking through the dmarc reports suggests it usually makes little to no difference. bizarrely one of our providers who is listed in our record gets quarantined. But other random ip's seem to get through, hopefully they get quarantined by other means but you have to wonder.
On a similar vein, when places like mimecast use selfsigned certs it pretty much makes a mockery of DKIM.
There really needs to be a hammer brought down from the likes of Google / MS, before we will see any change. But they would have to get there own house in order first as well!
On a similar vein, when places like mimecast use selfsigned certs it pretty much makes a mockery of DKIM.
There really needs to be a hammer brought down from the likes of Google / MS, before we will see any change. But they would have to get there own house in order first as well!
Well, yes. This isn't a misconception at all. Also, "never been honoured by receivers"?! Utter BS. Even back in the days of Postini, these were definitely honoured by default.
The problem is that SPF gives us (the receivers) the ability to implement rules based on the source of an email. If you placed -All, you are declaring that these are the sole permitted sources, which means people can implement rules to block where the source doesn't match.
As previously stated, this should be absolutely basic "must have" record applied, but really everybody would have SPF, DKIM and DMARC set for best chance. But it seems so many companies out there do not have anything, let alone SPF. It's maddening.
I think the main issue is knowledge of implementation and partly laziness.
The number of support tickets our helpdesk receive asking for sending domains to be whitelisted as their email is going to junk, when it turns out that there are two SPF TXT records on the domain and so it’s failing the checks. These are often on big companies as well.
While we’re on the subject, my sister works for a pretty big consulting firm and they weren’t submitting messages using TLS or DKIM signing them up until a few months ago.
While we’re on the subject, my sister works for a pretty big consulting firm and they weren’t submitting messages using TLS or DKIM signing them up until a few months ago.