Should I change SPF from ~all to -all when using DMARC quarantine?

Key findings

• SPF ~all and DMARC Alignment: An SPF check with a ~all mechanism, if it results in a SoftFail (no match), typically does not contribute to a DMARC pass. DMARC requires either an aligned SPF pass or an aligned DKIM pass to authenticate an email. If SPF fails, DKIM becomes crucial for DMARC alignment.
• DMARC's Role: DMARC's p=quarantine policy instructs recipient mail servers to treat unauthenticated mail as suspicious, often moving it to the spam or junk folder. This policy takes precedence over a SoftFail result from SPF alone.
• Transitioning Safely: Many experts advise against changing SPF to -all simultaneously with a DMARC p=quarantine rollout. It's often safer to observe DMARC reports with ~all first.

Key considerations

• Potential for Disruption: Changing SPF to -all is a strong enforcement. If any legitimate sending source is not correctly authorized in your SPF record, emails from that source will hard fail SPF and, without a compensating DKIM pass, will likely be rejected outright. This can cause significant deliverability issues, especially when coupled with a DMARC p=quarantine policy (or p=reject later on). For more on safe transitions, review how to safely transition your DMARC policy.
• Observing DMARC Reports: It is best practice to move DMARC to p=quarantine and collect DMARC reports for a period. These reports provide invaluable insight into which of your emails are passing SPF and DKIM authentication and alignment. This data helps identify any legitimate sources that might be failing before moving to a stricter SPF policy. A common concern is DMARC alignment requiring either SPF or DKIM to pass.
• Enhanced Spoofing Protection: While DMARC provides policy enforcement, SPF -all offers an additional layer of explicit rejection for unauthorized senders. This can reduce the volume of spoofed emails reaching recipient inboxes before DMARC even takes over. However, this comes with the aforementioned risk. Learn more about SPF ~all vs -all.

Key opinions

• Prioritize Stability: Many marketers prefer to keep SPF at ~all when initially moving DMARC to p=quarantine to avoid introducing too many variables at once. This cautious approach helps prevent immediate deliverability issues.
• Leverage DMARC's Strengths: If DMARC is set to p=quarantine, the primary enforcement against unauthenticated mail already comes from DMARC, making the immediate change to SPF -all seem less urgent or even redundant in the initial phase.
• Focus on DKIM: For DMARC to pass, either SPF or DKIM must align and pass. Marketers often focus on ensuring robust DKIM implementation, as it can compensate for SPF SoftFail results with ~all.

Key considerations

• Troubleshooting Complexity: Introducing multiple significant changes (like DMARC p=quarantine and SPF -all) simultaneously can make it difficult to diagnose deliverability issues. Marketers prefer a staged approach, as highlighted in discussions on DMARC policy enforcement.
• Impact on Legitimate Mail: Marketers are highly sensitive to any change that could prevent legitimate emails from reaching the inbox. An SPF -all policy carries a higher risk of hard failures if SPF records are not perfectly maintained across all sending systems. For more on this, see how DMARC policies affect sender reputation.
• Monitoring DMARC Reports: The transition to p=quarantine itself should be carefully monitored using DMARC aggregate and forensic reports. These reports reveal if legitimate emails are failing authentication. If ~all combined with p=quarantine causes issues, review why changing DMARC to quarantine sends emails to spam.

Key opinions

• SPF ~all is Often Sufficient with DMARC: Many experts concur that if DMARC is correctly implemented with a p=quarantine or p=reject policy, the enforcement level of SPF's ~all versus -all becomes less critical for preventing spoofing, as DMARC provides the overarching instruction for unauthenticated mail.
• DKIM's Importance: When SPF is set to ~all, a SoftFail result means SPF does not provide a DMARC pass. In such scenarios, experts stress that DKIM alignment and a valid DKIM signature become the sole mechanism for DMARC authentication, making strong DKIM implementation vital.
• Gradual Stricter Enforcement: The recommended approach is to transition DMARC policies incrementally, typically p=none to p=quarantine, and then to p=reject, while continuously monitoring DMARC reports. Only after achieving confidence in DMARC authentication should SPF -all be considered if additional explicit rejection is desired.

Key considerations

• Vendor Specifics: Some mail providers, notably Microsoft, have specific quirks in how they process SPF and DMARC. There have been instances where a stricter SPF -all policy has seemed to resolve deliverability issues with certain recipients, even if the direct cause wasn't immediately clear. However, this is not a universally applicable rule. Review how to address Microsoft's SPF DNS timeout issues.
• Risk vs. Reward of -all: While -all provides stronger explicit rejection, the risk of blocking legitimate emails due to an incomplete SPF record is high. Experts advise thorough verification of all sending IPs and domains before moving to -all. It's essential to understand the differences between SPF ~all and -all.
• Staged DMARC Implementation: DMARC p=quarantine is a crucial step to collect data on authentication failures without immediately impacting deliverability. Experts recommend utilizing DMARC reports to identify all legitimate sending sources and resolve any authentication issues before considering stricter SPF or DMARC p=reject policies. This phased approach is key to determining the right DMARC policy.

Key findings

• SPF Mechanism Definition: RFC 7208 defines ~all as a SoftFail, suggesting that mail from non-listed IPs should be accepted but marked. Conversely, -all is a Fail, explicitly stating that mail from non-listed IPs should be rejected.
• DMARC Policy Enforcement: RFC 7489 (DMARC) specifies that the p tag (policy) instructs recipient servers on how to handle emails that fail DMARC authentication (i.e., fail both SPF and DKIM alignment). A p=quarantine policy dictates that these emails should be treated with suspicion (e.g., moved to spam).
• Interaction between SPF and DMARC: DMARC is designed to leverage the results of SPF and DKIM. If an email fails SPF (even a SoftFail with ~all) and also fails DKIM, it will be subject to the DMARC policy. This implies that DMARC's policy can override the less strict ~all directive in SPF for unauthenticated mail.

Key considerations

• Incremental Policy Adoption: RFC 7489 encourages a phased approach to DMARC implementation, starting with p=none, then moving to p=quarantine, and finally to p=reject as confidence in authentication grows. This suggests that parallel, aggressive changes to SPF might not be necessary or advisable initially. This is covered in more detail in a simple guide to DMARC, SPF, and DKIM.
• Reporting is Key: DMARC reports (aggregate and forensic) are explicitly designed to provide visibility into authentication failures and passes. These reports are critical for identifying legitimate mail streams that might be failing authentication, allowing administrators to correct SPF or DKIM records before moving to stricter policies. Understanding the list of DMARC tags can help interpret these reports.
• Redundancy of Enforcement: While -all offers an explicit reject for SPF, DMARC's p=quarantine policy already handles mail that SPF and DKIM fail to authenticate. Therefore, changing to SPF -all might offer marginal additional benefit when DMARC is active, but significantly increases the risk if SPF is not perfectly configured.