SPF setup, do i really need A, MX and ip4?
Posted by 4bdou@reddit | sysadmin | 18 comments
Hello!
I moved to Google Workspace, now my only 2 email channels are Google Workspace and MailerLite for sending newsletters. A friend helped set up the SPF record and now it's:
"v=spf1 a mx ip4:xx.xx.xx.xx include:_spf.mlsend.com include:_spf.google.com ~all"
We found the a, mx and IP already there, so we just added the 'include' needed.
But I'm thinking, if I'm using exclusively Google Workspace and MailerLite for sending emails, should it be like this?
"v=spf1 include:_spf.mlsend.com include:_spf.google.com ~all"
It's kind of a newbie question, I know.
Thank you!
alm-nl@reddit
You want to keep the number of named lookups as small as possible, so remove a and mx and replace with ip4 and ip6 entries. The number of named lookups may not be above 10 as it may affect mail deliverability. BTW, using include:_spf.google.com already totals 4 named lookups, that could have been made more economical by Google.
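The comment above is about the 10-lookup budget. The following is an added example (not from the thread or any poster) that counts the lookup-causing terms in an SPF record the way RFC 7208 section 4.6.4 does, following include and redirect chains. The DNS data is a constructed in-memory table, so it runs offline; the real _spf.google.com tree is different and must be checked against live DNS.

```python
"""Count the DNS-lookup terms in an SPF record (added example, not from the thread).

RFC 7208 section 4.6.4 limits the terms that cause DNS queries (include, a,
mx, ptr, exists and the redirect= modifier) to 10 per SPF check; ip4, ip6
and all cost nothing. Exceeding the limit yields a permerror, which receivers
treat as no usable SPF result. The records below are CONSTRUCTED samples that
stand in for live DNS; the real _spf.google.com tree looks different.
"""

# Constructed stand-in for DNS TXT lookups: domain -> SPF record.
FAKE_DNS = {
    "example.com": (
        "v=spf1 a mx ip4:192.0.2.10 include:_spf.mlsend.com "
        "include:_spf.google.com ~all"
    ),
    "_spf.mlsend.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.google.com": (
        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
        "include:_netblocks3.google.com ~all"
    ),
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:203.0.113.128/25 ~all",
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10
MAX_DEPTH = 10  # stop runaway include chains; they would be a permerror anyway


def count_lookups(record, dns=FAKE_DNS, depth=0):
    """Return (total_lookups, terms) for an SPF record string.

    terms lists every lookup-causing term in evaluation order so the output
    shows where the budget goes. include and redirect targets are followed
    recursively through `dns`; each occurrence counts once, as the RFC counts.
    (The per-mx limit on MX host address lookups is a separate limit and is
    not modelled here.)
    """
    if depth > MAX_DEPTH:
        return 0, []
    total, terms = 0, []
    for raw in record.split()[1:]:          # skip the "v=spf1" version tag
        term = raw.lstrip("+-~?")            # qualifiers do not change the cost
        if "=" in term and ":" not in term:  # modifier, e.g. redirect=, exp=
            name, _, target = term.partition("=")
            if name.lower() != "redirect":
                continue                     # exp= is explicitly not counted
        else:
            name, _, target = term.partition(":")
            name = name.split("/", 1)[0]     # strip CIDR on bare a/24, mx/24
        name = name.lower()
        if name not in LOOKUP_MECHANISMS and name != "redirect":
            continue                         # ip4, ip6, all: free
        total += 1
        terms.append(raw)
        if name in ("include", "redirect"):
            sub = dns.get(target)
            if sub and sub.lower().startswith("v=spf1"):
                sub_total, sub_terms = count_lookups(sub, dns, depth + 1)
                total += sub_total
                terms.extend(f"{target} -> {t}" for t in sub_terms)
    return total, terms


def within_limit(record, dns=FAKE_DNS):
    """True when the record stays within the 10-lookup budget."""
    return count_lookups(record, dns)[0] <= LOOKUP_LIMIT


if __name__ == "__main__":
    for rec in (FAKE_DNS["example.com"],
                "v=spf1 include:_spf.mlsend.com include:_spf.google.com ~all"):
        n, terms = count_lookups(rec)
        print(f"{n}/{LOOKUP_LIMIT} lookups, ok={n <= LOOKUP_LIMIT}: {rec}")
        for t in terms:
            print("   ", t)
```

With the constructed table, the original record costs 7 lookups (a, mx, two includes, and the three includes nested under the Google one) and the trimmed record costs 5; the ip4 term costs nothing in either case.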
4bdou@reddit (OP)
Yes, I have a total of 7/10! And that was one of the main reasons I started this thread.
Don't you think this should be good for my case?
"v=spf1 include:_spf.mlsend.com include:_spf.google.com ~all"
I really can't think of anything else I'm using with my domain except GWorkspace and MailerLite.
alm-nl@reddit
If the ip4 entry that you had is no longer being used to send e-mail then you can remove it. An ip4 entry doesn't count in the named lookups, but a and mx do.
4bdou@reddit (OP)
I don't need the a and mx in my spf txt record, right?
iB83gbRo@reddit
Use that. Note the -all
4bdou@reddit (OP)
Thank you!
But, I read a lot of articles, and some reddit threads that say "it's best practice (for email delivery) to use ~all"!
TopDeliverability@reddit
Correct. Use ~all
apathyzeal@reddit
~all is a soft fail. This may be better for testing and then move to -all which is a hard fail.
~all is not a best practice, outside of maybe mail servers shared by a ton of people and managed by a shared hosting company or something. If someone starts spoofing your email ~all will allow a lot more to get through.
alm-nl@reddit
It's no longer a valid reason to use -all, see https://www.mailhardener.com/blog/why-mailhardener-recommends-spf-softfail-over-fail In other words ~all is now recommended. There are more articles about this that say the same. I was also convinced -all was the way to go, till I was educated why it wasn't anymore.
youreensample@reddit
My take in reading all of this; it appears to say that the only reason to use a 'softfail' is that relayed mail might not get delivered if you use a 'hardfail'. It also says that SPF with DMARC treats a 'softfail' and a 'hardfail' the same.
/Rant
This is why email is such a $hit$how. Email from the get-go 45 years ago was never designed to be secure and all we've attempted to do since then is slap some lipstick on this pig while we stick our fingers in the holes in the dam.
Email should be hard reset and build a secure system from scratch with no legacy carry over.
/Rant off
lolklolk@reddit
If you want RFC language to back the assertion up, see here:
https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-34.html#name-issues-specific-to-spf
youreensample@reddit
This document is a perfect example of why email is such a $hit $how and should be nuked from orbit and a completely new secure email system be developed to take its place.
lolklolk@reddit
If you have an issue with language in the document, I encourage you to bring it up on the DMARC mailing list. We're in last-call right now.
https://mailman3.ietf.org/mailman3/lists/dmarc@ietf.org/
lolklolk@reddit
It is - https://www.m3aawg.org/sites/default/files/m3aawg-email-authentication-recommended-best-practices-09-2020.pdf (section 4)
Pristine_Curve@reddit
No justification in that section. For those who are curious, the reasoning is that a lot of receivers will reject at an SPF hardfail without consulting DMARC policy. DMARC is an either/or evaluation (either DKIM aligned/verified or SPF aligned/matching). With failures handled by DMARC policy flag.
With a -all we could have a DKIM aligned/verified email (legitimate email) that is rejected because the sending IP hard fails. Conversely with a ~all SPF may indicate an unverified IP, but if DKIM aligns/verifies, then DMARC will consider it as DKIM:Pass and SPF:SoftFail, and deliver the email to inbox. Additionally we can allow DMARC policy to decide for P=quarantine rather than an SPF failure being bounced while a DKIM failure is quarantined.
Conversely, if we want bad email to be rejected rather than quarantined, a bad email which fails DKIM+SPF would still be governed by DMARC's P=Reject policy, obviating the need to do hard fails at the SPF layer.
TL;DR - SPF soft fail can make some legitimate emails pass authentication which would otherwise fail, while still allowing bad email to be rejected by DMARC if rejection is preferred over quarantine.
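The either/or evaluation described in the comment above, as an added example that is not part of the thread: a small model of how DMARC combines SPF and DKIM (RFC 7489 section 6.6.2), plus a switch that represents a receiver which acts on an SPF hardfail before consulting DMARC. The scenarios are constructed; the "strict receiver" behaviour is an assumption taken from the comment's description, not a specific vendor's configuration.

```python
"""Model how DMARC combines SPF and DKIM results (added example, not from the
thread). Follows the either/or rule of RFC 7489 section 6.6.2: a message
passes DMARC if an aligned DKIM signature verifies OR an aligned SPF check
passes. Every non-pass SPF result (softfail, fail, neutral, none) is the
same "not pass" to DMARC, which is why ~all and -all behave identically once
DMARC is consulted. `reject_on_spf_hardfail` models the receiver behaviour
the comment above describes: rejecting on an SPF -all hit before DMARC is
evaluated. All scenarios below are constructed samples."""

from dataclasses import dataclass


@dataclass(frozen=True)
class AuthResults:
    spf: str            # "pass", "softfail", "fail", "neutral", "none"
    spf_aligned: bool   # MAIL FROM domain aligns with the From: header domain
    dkim: str           # "pass", "fail", "none"
    dkim_aligned: bool  # d= domain aligns with the From: header domain


POLICY_ACTION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def dmarc_passes(r: AuthResults) -> bool:
    """RFC 7489 6.6.2: aligned DKIM pass OR aligned SPF pass."""
    return (r.dkim == "pass" and r.dkim_aligned) or (r.spf == "pass" and r.spf_aligned)


def dmarc_disposition(r: AuthResults, policy: str) -> str:
    """Disposition once DMARC is consulted: pass delivers, otherwise p= decides."""
    if dmarc_passes(r):
        return "deliver"
    return POLICY_ACTION[policy]


def receiver_disposition(r: AuthResults, policy: str, reject_on_spf_hardfail: bool) -> str:
    """Assumed receiver behaviour: optionally short-circuit on an SPF hardfail
    before DMARC is evaluated at all, as the comment above says some do."""
    if reject_on_spf_hardfail and r.spf == "fail":
        return "reject-before-dmarc"
    return dmarc_disposition(r, policy)


def scenarios():
    """Constructed cases from the thread's argument; returns name -> disposition."""
    # Legitimate mail that transited a relay/forwarder: the source IP is not
    # in SPF, but the DKIM signature survived and aligns with From:.
    relayed_hardfail = AuthResults("fail", True, "pass", True)      # sender uses -all
    relayed_softfail = AuthResults("softfail", True, "pass", True)  # sender uses ~all
    # Spoofed mail: unknown IP, no DKIM signature for the real domain.
    spoof_hardfail = AuthResults("fail", True, "none", False)
    spoof_softfail = AuthResults("softfail", True, "none", False)
    strict = True  # receiver that acts on SPF hardfail before DMARC
    return {
        "relayed, -all, strict receiver": receiver_disposition(relayed_hardfail, "reject", strict),
        "relayed, ~all, strict receiver": receiver_disposition(relayed_softfail, "reject", strict),
        "spoof, -all, strict receiver":   receiver_disposition(spoof_hardfail, "reject", strict),
        "spoof, ~all, p=reject":          receiver_disposition(spoof_softfail, "reject", strict),
        "spoof, ~all, p=quarantine":      receiver_disposition(spoof_softfail, "quarantine", strict),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:34s} -> {outcome}")
```

The relayed cases show the comment's point: with -all the strict receiver drops a DKIM-valid message before DMARC can pass it, while with ~all the same message reaches DMARC and is delivered; the spoof cases show that ~all loses nothing, because the disposition of mail that fails both checks comes from p= either way.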
4bdou@reddit (OP)
I think DMARC p=reject idea sounds good. I need to do some monitoring first, make sure all is good then turn p to reject.
Thanks for your feedback and the explanation!
fp4@reddit
+a +mx +ip4 is usually a sign of a default cPanel SPF record. You would leave it in place if you happened to have a contact form or something like that configured on your website to send emails.
4bdou@reddit (OP)
Exactly! My cPanel autogenerated this default SPF. But, for now all the forms on my website and landing pages are exclusively made with MailerLite. So I think it's best to take them off?