SPF: Is ?all safe, and is it any different from having no policy at all?

Chris asked:

A company I started working with had no SPF records on their domain. They are using multiple services (Google Apps and Shopify) that are sending e-mails from the company’s domain with the company’s domain in the Return-Path. They never experienced problems.

The company has started using a new online customer service app, and some of those customer emails went to spam. To which their support responded that we can fix it by adding v=spf1 include:spf.gorgias.io ?all.

I was unaware that they didn’t have any SPF records, so I helped them out by including the Google Apps and Shopify SPF records as well. But that resulted in too many lookups.

I’m deciding what to do right now, but I have some trouble understanding the repercussions of some of these changes:

  1. Let’s say we had just added the Gorgias SPF record as they suggested. What would that have done to the SPF validation against the services like Shopify that were already sending emails? Do they now have a bigger risk of ending up in spam, or is there no change there since there was no SPF record before?

  2. Is ?all a safe option to use? Or should we go for a ~all qualifier and figure out a way around the amount of lookups, like using a different subdomain for support requests, for example. If I understand correctly, now every sending server is allowed to pass with ?all.

Thank you very much

My answer:

Shopify’s SPF record is mad! They could have it do one lookup, but they’ve gratuitously made it three for no apparent reason except that someone doesn’t know what they’re doing or doesn’t care.

Google’s SPF record really does need the three lookups it does.

The one for spf.gorgias.io is interesting; it just includes the record for mailgun. That’s one extra lookup. But mailgun’s SPF record needs two lookups itself.

So that’s nine lookups. When you put them all together with the three lookups you’d need for an SPF record that contains all three services, you get 12, which exceeds the limit of 10. Such a record will always return PermError by any properly functioning SPF parser.

The workaround for this is to do what should have been done for other reasons anyway: Separate marketing and transactional email into one or more subdomains, or other domains entirely. They should not use the same domain as corporate email, so as to not affect that domain’s reputation.

For instance, corporate email might use @example.com while transactional mail uses @webshop.example.com and newsletters use @marketing.example.com.

Regarding ?all, the spec says that ? makes it neutral, so ?all means you offer no opinion on mail originating from anywhere unspecified in the record. This is pretty close to useless in your own SPF record.
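The lookup arithmetic in the answer, worked through as an added example (not part of the original answer): an offline counter of DNS-querying SPF terms run over a constructed TXT zone. The zone uses reserved .example names and made-up record contents that only reproduce the counts the answer describes (Google 3, Shopify 3, Gorgias 1 pulling in Mailgun's 2); they are not the providers' real records. It evaluates one record carrying all three services, then the subdomain split the answer recommends.

```python
import re

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a PermError
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# CONSTRUCTED zone under the reserved .example TLD; contents are made up to reproduce
# the counts in the answer, not the providers' real SPF records. IPs are RFC 5737/3849 ranges.
ZONE = {
    # One corporate domain carrying all three services, as in the question.
    "corp.example": "v=spf1 include:google.example include:shopify.example include:gorgias.example ~all",
    "google.example": "v=spf1 include:nb1.google.example include:nb2.google.example include:nb3.google.example ~all",
    "nb1.google.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "nb2.google.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "nb3.google.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "shopify.example": "v=spf1 include:s1.shopify.example include:s2.shopify.example include:s3.shopify.example ~all",
    "s1.shopify.example": "v=spf1 ip4:203.0.113.0/26 ~all",
    "s2.shopify.example": "v=spf1 ip4:203.0.113.64/26 ~all",
    "s3.shopify.example": "v=spf1 ip4:203.0.113.128/26 ~all",
    "gorgias.example": "v=spf1 include:mailgun.example ~all",
    "mailgun.example": "v=spf1 include:mg1.mailgun.example include:mg2.mailgun.example ~all",
    "mg1.mailgun.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "mg2.mailgun.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    # The split recommended in the answer: corporate mail keeps Google only,
    # the shop and the support tool each get their own subdomain record.
    "split.example": "v=spf1 include:google.example ~all",
    "webshop.split.example": "v=spf1 include:shopify.example ~all",
    "support.split.example": "v=spf1 include:gorgias.example ~all",
}

TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=](\S+))?$")  # qualifier, name, optional argument

def count_lookups(domain, zone=ZONE, path=()):
    """Recursively count DNS-querying terms reachable from domain's SPF record."""
    if domain in path:           # include loop: the query was already counted by the parent
        return 0
    count = 0
    for term in zone.get(domain, "v=spf1").split()[1:]:
        match = TERM.match(term)
        if not match or match.group(1) not in LOOKUP_TERMS:
            continue             # ip4, ip6, all and unknown terms cost no DNS query
        count += 1               # the term itself is one lookup
        if match.group(1) in ("include", "redirect"):
            count += count_lookups(match.group(2), zone, path + (domain,))  # nested record
    return count

def evaluate(domain, zone=ZONE):
    """Return ('permerror', n) when the record exceeds the limit, else ('ok', n)."""
    n = count_lookups(domain, zone)
    return ("permerror" if n > MAX_LOOKUPS else "ok", n)
```

Calling evaluate("corp.example") returns ("permerror", 12), the figure from the answer, while each record of the split domain stays at four lookups.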

View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.