The SPF record all tag is the last mechanism of a valid SPF record (a TXT record published in your domain's DNS). Any syntax that follows the all mechanism in an SPF record is ignored. Its qualifier instructs recipients' servers what action to take on emails from your domain name that fail SPF authentication checks.
The SPF record itself lists the IPv4 or IPv6 addresses and mail servers authorized to send email on your behalf. The all mechanism comes in four possible variants, and the variant you choose tells recipients whether a sender's email server that matched none of the listed entries should be treated as 'authorized,' 'unauthorized,' or 'maybe authorized.'
Read on for more information on this important SPF mechanism.
Types of SPF record all Tag
-all (Fail)
Here's an example of an SPF record including the -all tag type:
v=spf1 a include:spf.google.com -all
In the above case, the -all tag explicitly instructs recipients' servers to reject emails that claim to come from your organization's domain but fail SPF authentication checks. It states that the sender isn't authorized to use that domain to send emails.
Using this version of the all tag is not recommended, as it may result in some of your genuine emails being rejected before they reach the intended recipients' mailboxes, giving rise to serious email delivery issues. The worst problem is that the message gets rejected before DMARC processing, and you may not receive a non-delivery report or bounce report upon a hard fail. So you won't even know that your email was rejected.
However, you should definitely use the -all tag for all non-email-sending domains owned by your company.
~all (SoftFail)
As per RFC 7208, the ~all tag directs the receiver's mail server to accept emails coming from your domain but failing SPF checks, while marking them as suspicious or spam. It indicates that the sender may or may not be permitted to send messages from your domain.
A softfail is better than a fail from the perspective of email deliverability.
+all (Pass)
It's a big no-no to use the +all tag, as it allows anyone on the internet to send emails using your domain. This gives bad actors the opportunity to attempt phishing and spoofing attacks in your name, posing a risk to your brand's reputation. In simple words, the +all mechanism nullifies SPF protection entirely.
?all (Neutral)
It's again highly discouraged to use the ?all form of the all tag, as a sender's IP address that reaches this mechanism will neither pass nor fail SPF; the receiver is given no guidance at all.
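To make the four qualifiers concrete, here is an added example (not code from the original article) of a small SPF evaluator written in Python. It implements only the ip4, ip6, include and all mechanisms from RFC 7208, and it replaces real DNS lookups with a constructed table of TXT records under example domain names, so it runs offline. The domain names, addresses and the receiver_action mapping are assumptions made for the demonstration; the mapping simply encodes the receiver behaviour the article describes for each outcome.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: replaces a resolver).
# The domains and addresses are documentation/example values, not real hosts.
FAKE_TXT = {
    "example.com":      "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "neutral.example":  "v=spf1 ip4:203.0.113.0/24 ?all",
    "open.example":     "v=spf1 +all",
    "parked.example":   "v=spf1 -all",          # non-sending domain: reject everything
    "trailing.example": "v=spf1 ip4:203.0.113.5 -all ip4:203.0.113.6",
}

# The four qualifiers that can prefix any mechanism, including 'all'.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# How a receiver typically acts on each result (as described in the article).
RECEIVER_ACTION = {
    "pass": "accept",
    "fail": "reject",
    "softfail": "accept but mark as suspicious/spam",
    "neutral": "accept, no SPF guidance",
    "none": "accept, no SPF record",
    "permerror": "treat as unauthenticated (record is broken)",
}


def check_spf(domain, sender_ip, txt=FAKE_TXT, depth=0):
    """Evaluate the SPF record of `domain` for `sender_ip`.

    Supports ip4, ip6, include and all. Returns one of:
    pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:
        # RFC 7208 caps DNS-querying mechanisms at 10; deeper nesting is an error.
        return "permerror"
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier = "+"                      # a missing qualifier means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            # 'all' always matches, so whatever follows it is never evaluated.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed address or prefix
            if net.version == ip.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # An include matches only when the included record yields 'pass'.
            inner = check_spf(arg, sender_ip, txt, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"           # RFC 7208: missing include is a permerror
        else:
            return "permerror"               # mechanism not supported by this toy

    return "neutral"                         # nothing matched and no 'all' term


def receiver_action(domain, sender_ip, txt=FAKE_TXT):
    """Return (spf_result, action) for a message from sender_ip claiming domain."""
    result = check_spf(domain, sender_ip, txt)
    return result, RECEIVER_ACTION[result]


if __name__ == "__main__":
    for dom, ip in [("example.com", "192.0.2.7"), ("example.com", "203.0.113.9"),
                    ("softfail.example", "192.0.2.1"), ("neutral.example", "192.0.2.1"),
                    ("open.example", "192.0.2.1"), ("parked.example", "192.0.2.1"),
                    ("trailing.example", "203.0.113.6")]:
        print(dom, ip, receiver_action(dom, ip))
```

The trailing.example record shows the point made at the top of the article: the second ip4 term sits after -all, so a sender at 203.0.113.6 still gets a fail. The parked.example record is the recommended form for a domain that never sends mail.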
All-in-All
There are three major categories of SPF record syntax: mechanisms, qualifiers, and modifiers. The all tag is a mechanism, and the four variants above are its qualifiers.
On the whole, it's best to use the ~all tag in your SPF records, as it won't cause much harm to your domain's email deliverability rate while still providing email security. But remember to use the -all tag to secure domains that never send email.
Moreover, the combination of SPF, DKIM, and DMARC compensates for most major SPF weaknesses and offers the best protection against phishing and email spoofing.