Should I change SPF from ~all to -all when using DMARC quarantine?
Summary
What email marketers say (11 marketer opinions)
Email marketer from Email Marketing Tips suggests using `-all` only when you are absolutely sure that all of your email sending services are correctly configured in your SPF record. Incorrect configuration can lead to significantly lower email deliverability.
Email marketer from Reddit mentions that while `-all` is stricter, it's crucial to ensure that all legitimate sending sources are included in your SPF record to avoid deliverability issues. He suggests monitoring SPF results carefully after implementing `-all`.
Email marketer from SuperUser shared a real-world experience where switching to `-all` significantly improved email placement for transactional emails but required careful maintenance to ensure all sources were included.
Marketer from Email Geeks explains that an SPF check with `~all` that doesn't match will not pass and won't contribute to a DMARC pass. He also mentioned you should be able to keep the `~all`.
Email marketer from Mailhardener Blog recommends a gradual approach: start with monitoring, then move to `~all`, and finally, if confident, switch to `-all`. This reduces the risk of blocking legitimate emails.
Email marketer from Postmarkapp mentions the value of being strict using a `-all` but only after a slow roll out and consideration for other business units using email in the organisation.
Email marketer from Email Security Forum recommends monitoring your SPF records and DMARC reports regularly after making changes. This helps you identify and fix any deliverability issues that may arise.
Email marketer from EmailGeeks Forum suggests starting with `~all` when initially setting up DMARC and SPF, then transitioning to `-all` once you're confident that all legitimate sending sources are properly authenticated to prevent false positives and delivery failures.
Email marketer from StackExchange suggests that using `-all` is the more secure and recommended option when implementing DMARC, as it strictly enforces the SPF policy. He also notes that `~all` (SoftFail) can lead to inconsistent results.
Marketer from Email Geeks shares an experience where changing to `-all` for a client resolved Microsoft inboxing issues, though he couldn't confirm it was the sole reason.
Email marketer from MailChannels stresses testing changes to SPF using tools before switching to `-all`. This helps you understand the impact of the change.
What the experts say (1 expert opinion)
Expert from Word to the Wise advises that while `-all` offers the strongest SPF protection, it requires meticulous configuration. She recommends thoroughly auditing sending sources to avoid blocking legitimate emails. She also suggests monitoring SPF reports and using DMARC feedback to ensure all systems are working correctly.
What the documentation says (5 technical articles)
Documentation from AuthSMTP highlights the importance of a well-defined SPF record in tandem with DMARC. When using a `p=quarantine` or `p=reject` DMARC policy, they recommend `-all` for the strongest authentication.
Documentation from DMARC.org explains that using `-all` creates a 'hard fail', instructing recipient mail servers to reject messages that fail the SPF check. They recommend this for maximum protection against spoofing once SPF is properly configured.
Documentation from Google Workspace Admin Help notes that while `~all` (SoftFail) is more lenient, `-all` is generally recommended for better security when using DMARC. Ensure your SPF record is accurate to prevent legitimate emails from being rejected.
Documentation from RFC 7208 specifies that the `-all` mechanism indicates a hard fail. The mail server should reject the email. It is the strictest policy and should be used with caution.
Documentation from Microsoft Learn says that Microsoft recommends using `-all` to actively reject unauthorized emails when you use SPF with DMARC, but emphasizes rigorous testing and monitoring to avoid impacting legitimate email flow.
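The audit of sending sources recommended above can be run against the DMARC aggregate (RUA) reports you already receive. The following is an added example, not code from any of the sources quoted on this page: it reads a constructed sample report and lists the source IPs whose raw SPF result is `softfail` or `fail`, along with whether aligned DKIM still carries DMARC for them. It assumes the softfail results come from the trailing `~all`, so those sources would return `fail` after a switch to `-all`.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample DMARC aggregate report, trimmed to the fields used below.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>quarantine</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record><row><source_ip>198.51.100.7</source_ip><count>45</count>
  <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
 </record>
 <record><row><source_ip>203.0.113.99</source_ip><count>3</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
 </record>
</feedback>"""

def spf_audit(report_xml):
    """Per source IP: message count, raw SPF results seen, and DMARC outcome."""
    totals = defaultdict(lambda: {"count": 0, "spf_raw": set(), "dmarc_pass": True})
    for rec in ET.fromstring(report_xml).iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        entry = totals[row.findtext("source_ip")]
        entry["count"] += int(row.findtext("count"))
        # Raw SPF result (pass, softfail, fail, ...) before DMARC alignment.
        entry["spf_raw"].add(rec.findtext("auth_results/spf/result", "none"))
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        aligned = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry["dmarc_pass"] &= aligned
    return dict(totals)

def at_risk(report_xml):
    """Source IPs that get softfail/fail today; review each before using -all."""
    audit = spf_audit(report_xml)
    return sorted(ip for ip, e in audit.items() if e["spf_raw"] & {"softfail", "fail"})

if __name__ == "__main__":
    audit = spf_audit(SAMPLE_REPORT)
    for ip in at_risk(SAMPLE_REPORT):
        e = audit[ip]
        status = "DMARC passes via DKIM" if e["dmarc_pass"] else "DMARC fails"
        print(f"{ip}: {e['count']} messages, SPF {sorted(e['spf_raw'])}, {status}")
```

A source that shows up here with a DMARC pass is most likely a legitimate sender missing from the SPF record; one that fails both checks is either unauthorized or not yet configured.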