Score:0

Mail Validation: SPF qualifier ?all

How do mail servers (i.e. MS Exchange) handle the ?all option at the end of an SPF record?

I know from RFC 7208 that ? results in a neutral response. It means the SPF explicitly doesn't state whether an IP address is authorized or not. But what do mail servers do with this information? Do they just fall back to something else like FCrDNS?

Score:1

According to RFC 7208, this result is treated as though no SPF record were found:

A "neutral" result MUST be treated exactly like the "none" result

In practice, this might for example mean that there is a neutral or a very slight negative disposition towards the sender, like one that has no SPF policy. I suppose it will usually simply be ignored. Of course, mail sites are free to do what they please with this result, so this cannot be answered generally.

anx
Specifically, just because the *result* is treated the same does not prevent a recipient from applying rules judging the policy, such as rules that slightly prefer senders with inapplicable, but otherwise syntactically valid and reasonably broad, authorization statements over those with no published policies whatsoever.
Score:0

In addition to the answer from @glts, I would like to add that nowadays, we should look at SPF policy in the light of DMARC developments. Although we can't assume too much about what email service providers are using for determining SPAM likelihood, in terms of email authentication, DMARC has (should have) a much stronger impact on the classification of messages than SPF.

?all is a catch all option, which tells receiving servers how to handle messages that do not pass any previously listed mechanisms. In respect to DMARC, only PASS results matter, in alignment with the domain used in the FROM header.

In practice, I usually advise against using the FAIL ('-') qualifier with the all mechanism. The FAIL qualifier often triggers a definite Junk delivery, where a Soft Fail ('~') or Neutral ('?') qualifier may not. Especially in cases where your emails are forwarded, SPF tends to break. In this scenario, especially in combination with DKIM signing, your emails have a much better chance of being delivered to the Inbox.

Regarding your question on FCrDNS: It will help to have your HELO response (mostly the hostname) match the DNS name that resolves to the connecting IP. And have the reverse lookup of the IP confirm that hostname. But that does not mean that this hostname is in the same DNS Zone as the sender address domain. Nor does it have to be, for example when you use a SaaS platform to send marketing emails on your behalf.
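
The qualifier and alignment behaviour discussed in the answers above, as an added example that is not part of the original thread. It is a simplified SPF evaluator (only ip4/ip6/all, no DNS) plus a strict-alignment DMARC check; the record, the domain example.com and the documentation-range IP addresses are constructed sample values.

```python
import ipaddress

# Qualifier to result mapping (RFC 7208, section 4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, client_ip):
    """Evaluate only ip4/ip6/all terms; include, a, mx, redirect are skipped."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier when omitted
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed network in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched: same as an implicit "?all" (section 4.7)

def dmarc_pass(from_domain, spf, spf_domain, dkim, dkim_domain):
    """DMARC passes if SPF or DKIM is 'pass' AND aligned with the From domain.
    Strict alignment only; relaxed alignment needs the Public Suffix List."""
    def aligned(d):
        return d.lower() == from_domain.lower()
    return (spf == "pass" and aligned(spf_domain)) or \
           (dkim == "pass" and aligned(dkim_domain))

def compare(client_ip, dkim):
    """SPF result and DMARC verdict for the same mail under ?all, ~all, -all."""
    out = {}
    for q in "?~-":
        spf = spf_result(f"v=spf1 ip4:192.0.2.0/24 {q}all", client_ip)
        out[q + "all"] = (spf, dmarc_pass("example.com", spf, "example.com",
                                          dkim, "example.com"))
    return out

if __name__ == "__main__":
    print(compare("192.0.2.10", "none"))    # sent directly from a listed host
    print(compare("198.51.100.7", "none"))  # forwarded, no DKIM signature
    print(compare("198.51.100.7", "pass"))  # forwarded, aligned DKIM survives
```

For the forwarded message the three qualifiers give three different SPF results but the same DMARC verdict, which depends only on whether an aligned DKIM signature passes.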
