+all your domain are belong to them
When you allow email to be sent on behalf of your domain by anyone anywhere,
then your domain does in a sense belong to anyone who wants it.
A common error organizations make when setting up their SPF records is an overly permissive
all term. +all effectively authorizes every IP address on planet Earth to send email as anyone in your organization.
Your employees, customers, vendors, and indeed everyone else are then exposed to phishing that appears to come from you, and nothing good for your brand reputation can come of it.
The all term, like every other SPF mechanism, takes a qualifier
that is exactly one of these four characters: +, ?, ~, -.
A concise summary of qualifier meanings is given in the following table.

| Qualifier | Result | Meaning |
|---|---|---|
| + | pass | The client sender is authorized to send mail on behalf of the domain. |
| ? | neutral | No assertion is made about the client sender. This is effectively a 'none' result. |
| ~ | softfail | Somewhere between a rigorous 'fail' and an apathetic 'neutral': the client sender is not authorized to send email on behalf of the domain, but the message should probably not be rejected on the basis of the SPF result alone. |
| - | fail | The client sender is not authorized to send email on behalf of the domain. |
An all term without a qualifier will default to +all, while a record without
either an all or redirect term will default to ?all.
For example, a record whose final term is a bare all is identical to the same record ending in +all.
This essentially declares that everybody is free to abuse the reputation of the domain by sending
email on its behalf. Similarly, a record with no all term at all is the same as that record with ?all appended,
which amounts to declaring 'meh, send email from our domain or whatever, we don't care'.
Either of these defaults weakens the email security of your organization.
The minimum acceptable all term is the soft-failing ~all.
Combined with the intelligence from DMARC reports, the organization can then move toward a strict -all.
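As an added illustration (not code from the original post or from Fraudmarc), the following Python checker applies the defaulting rules above to a handful of constructed SPF records and reports the effective all qualifier for each. It does no DNS lookups; the example.com and example.net records, the 192.0.2.0/24 address block and the helper names are assumptions made for the demonstration.

```python
import re

# Qualifier meanings, as in the table above.
QUALIFIERS = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}

_ALL_RE = re.compile(r"([+?~-]?)all")


def effective_all(record: str):
    """Describe what an SPF record does with a sender matched by none of its
    other mechanisms.

    Returns (qualifier, result, reason). Rules applied, from RFC 7208:
      * a mechanism written without a qualifier takes the default "+";
      * "all" matches everything, so the first "all" term decides and any
        redirect= modifier in the same record is ignored;
      * with no "all" term the result is "neutral", unless a redirect=
        modifier hands evaluation to another domain's record.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")

    redirect = None
    for term in terms[1:]:
        low = term.lower()
        if low.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        m = _ALL_RE.fullmatch(low)
        if m:
            qualifier = m.group(1) or "+"
            reason = "explicit qualifier" if m.group(1) else "bare all, default qualifier +"
            return qualifier, QUALIFIERS[qualifier], reason
    if redirect:
        return None, "redirect", f"evaluation continues with the record of {redirect}"
    return "?", "neutral", "no all term, default result"


def is_permissive(record: str) -> bool:
    """True when unknown senders end up with pass or neutral, i.e. the record
    does nothing to stop them spoofing the domain."""
    qualifier, _, _ = effective_all(record)
    return qualifier in ("+", "?")


def audit(records):
    """Return one human-readable verdict line per record."""
    lines = []
    for record in records:
        qualifier, result, reason = effective_all(record)
        if qualifier is None:
            flag, shown = "DELEG", "-"
        elif is_permissive(record):
            flag, shown = "WEAK ", qualifier + "all"
        else:
            flag, shown = "ok   ", qualifier + "all"
        lines.append(f"{flag} {result:<8} {shown:<5} {reason}: {record}")
    return lines


# Constructed sample records; the addresses and domains are placeholders.
SAMPLE_RECORDS = [
    "v=spf1 include:_spf.example.com all",        # bare all -> +all
    "v=spf1 ip4:192.0.2.0/24 +all",               # explicit +all
    "v=spf1 ip4:192.0.2.0/24",                    # no all -> ?all
    "v=spf1 ip4:192.0.2.0/24 ?all",
    "v=spf1 ip4:192.0.2.0/24 ~all",               # minimum standard
    "v=spf1 ip4:192.0.2.0/24 -ALL",               # strict; terms are case-insensitive
    "v=spf1 redirect=_spf.example.net",           # delegated, no all term
    "v=spf1 redirect=_spf.example.net -all",      # all wins, redirect ignored
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RECORDS):
        print(line)
```

Running the script flags the first four records as WEAK, because each leaves unknown senders with pass or neutral, while the ~all and -all records pass. The redirect-only record is marked as delegated: its verdict depends on the record it points to, which a real audit would have to fetch and check in the same way.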
Fraudmarc can help you with all of your email security protocol needs.
Fraudmarc’s intuitive tools help with managing and monitoring as many authorized senders as your business requires. Fraudmarc continuously monitors and updates SPF records using SPF Compression, so the number of DNS lookups needed to authenticate all of your authorized senders is minimized. Fraudmarc simplifies management of SPF, as well as DKIM and DMARC, with user-friendly tools and recommendations. In addition, Fraudmarc offers free DMARC reports, so you will have the tools and information you need to configure your policies accurately.