SPF records for authorized sending

Hello, 


I have gone through the SPF instructions provided by Blackbaud: http://customer.convio.com/site/PageServer?pagename=SenderID


The provided syntax in the document above includes ?all at the end of the SPF record. However, according to the free SPF Tool (http://www.openspf.org/SPF_Record_Syntax) also provided in the above document, the ? qualifier indicates "neutral." In the explanation of the "all" mechanism, there is no explanation given for ?all.


Is this just a mistake on the Convio record provided, or have guidelines changed since those instructions were last updated?


Please let me know what help you all can offer. All emails sent by our domain name are currently being flagged by Gmail and presumably other email clients. 


Thank you, 


Melissa  

Comments

  • As I understand it, the -all (FAIL if not specified in SPF) is the more conservative approach to configuring your SPF record. This was the de facto stand at one point and we've stuck with it due to some historical spoofing/spam issues we've experienced with our domains.


    It could be that Gmail is picking up on the ?all (NEUTRAL validity can't be confirmed) parameter and flagging you as a result. Moving to a ~all and then -all if necessary should help ... but having said all that, I'd be interested to hear from others or the BB folks to confirm. It's been one aspect of configuring SPF records that hasn't always been clear to me per the evolving ESP standards and best practices.


    M.
  • The options and their interpretations are:

    • -all Fail: All mail servers not listed in the SPF record are explicitly not authorized to send mail using the sender’s domain.
    • ~all Soft Fail: All mail servers not listed in the SPF record are not authorized to send mail using the sender’s domain, but the owner of the domain is unwilling to make a strong assertion to that effect.
    • ?all Neutral: The domain controller cannot or does not want to assert whether or not all mail servers not listed in the SPF record are authorized to send mail using the sender’s domain.
    • +all Pass: All mail servers are authorized to send mail on behalf of the sender’s domain.
    Essentially, you put this at the end of your SPF record. If your SPF record is 100% inclusive of approved senders you subtract all else -all. If you are fairly confident but would like to test failure, ~ = about - so that is about all. ? is if you are unsure or neutral in your SPF stance. +all includes everything else - I would NOT use ? or + at any time.


    Read this to get a great overview of SPF, DKIM, DMARC, and a little ADSP thrown in as an addon to DKIM.
    https://dmarcian.com/dmarc-training/
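
An added example, not code from this thread or from Blackbaud: a small Python check that reads an SPF record and reports the result that servers not listed in it will receive, using the four qualifiers listed above. The function name `default_result` is hypothetical, and the domains and addresses in the usage comment are constructed placeholders.

```python
# Added example: report how an SPF record treats senders it does not list.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def default_result(record):
    """Return (result, notes) for servers matched only by the 'all' mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    notes = []
    for pos, term in enumerate(terms[1:], start=1):
        qualifier, mech = "+", term.lower()
        if mech[0] in QUALIFIERS:          # an explicit qualifier precedes the mechanism
            qualifier, mech = mech[0], mech[1:]
        if mech != "all":
            continue
        result = QUALIFIERS[qualifier]     # a bare "all" means "+all"
        trailing = terms[pos + 1:]
        if trailing:
            # "all" always matches, so nothing to its right is ever tested
            notes.append("terms after 'all' are never evaluated: " + " ".join(trailing))
        if result == "pass":
            notes.append("+all authorizes every server to send as this domain")
        elif result == "neutral":
            notes.append("?all makes no assertion about unlisted servers")
        return result, notes
    if any(t.lower().startswith("redirect=") for t in terms[1:]):
        return "redirect", ["the result comes from the redirect target's record"]
    return "neutral", ["no 'all' mechanism: unlisted servers get the default neutral result"]


if __name__ == "__main__":
    # Constructed sample records (placeholder domains and documentation addresses).
    for rec in ("v=spf1 include:_spf.example.net ?all",
                "v=spf1 include:_spf.example.net ~all",
                "v=spf1 ip4:192.0.2.0/24 -all"):
        print(rec, "->", default_result(rec))
```
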

     
  • Colleen Gutierrez
    Blackbaud Employee
    Hello - We're currently updating our documentation for SPF, DKIM, and DMARC and moving information into our help files. I'll update this thread when it's published. Thanks!
  • Excellent, the current recommendations allow for 4352 IP addresses to be whitelisted essentially with no real support for DKIM, DMARC or ADSP
  • Colleen Gutierrez:

    Hello - We're currently updating our documentation for SPF, DKIM, and DMARC and moving information into our help files. I'll update this thread when it's published. Thanks!

    Also - are you updating BBNC recommendations as well or is this a one-stop SPF et al solution?

  • Colleen Gutierrez
    Blackbaud Employee
    Hi Michael - Thanks for your questions!  Our initial focus is Luminate-specific, but we're talking with folks across Blackbaud. We'll know better how applicable our information will be for other Blackbaud products as we get further down the road with it.  If you have other suggestions or ideas, please let us know! Your feedback can help us ensure we cover the right areas.


    Thanks!
