“v=spf1 mx -all”

It seems that a lot of web hosting providers are now using SPF in an effort to minimize spam that may seem to originate from their clients. Unfortunately many of them seem to use a default setup of “v=spf1 mx -all”. This configuration is interpreted as follows:

  • v=spf1 This identifies the TXT record as an SPF string.
  • mx The MX servers for the domain are allowed to send email that originates from the domain.
  • -all No other servers are allowed to send mail originating from the domain.

To the uninformed user this setup creates delivery problems, unless he is provided with a port 587/tcp submitting email option by his webhosting / email provider. For when the user tries to send email using his ISP’s outgoing SMTP server, anyone honoring SPF records drops the email. And yes the hosting provider never hears about that because the user calls the first level support of the ISP who clearly cannot help him.

-all is a good idea only when you provide your customer with a port 587/tcp sending email option.

Note: This post was triggered by my frustration because of a similar case and the timely request of a reader of this blog to write something about SPF. To be honest, I do not consider SPF as an antispam solution since a spammer can have (and in fact many do) perfectly legal SPF records for domains that they own.

5 thoughts on ““v=spf1 mx -all”

  1. I’ve always thought of SPF as a way to stop zombies from sending spam… isn’t this the case ?

  2. So instead of just telling us what’s wrong how about telling us what’s right?

    What should we put there?

    1. There is no right or wrong in the context you are asking. I will try to clarify right and wrong though:

      SPF records publish a policy. If the published policy matches the desired policy, then the record is right; otherwise it is wrong.

      If the policy (both what is written and what is implied) matches what is desired then it is right; otherwise it is wrong.

      The SPF record in question declares that no one else other than the MX records for the domain are allowed to originate email for the said domain. This by itself is neutral. However has the fact that users cannot always reach those SMTP servers (because some ISPs block outgoing port 25 traffic) been taken into account? If yes, it is OK and within policy, but does the user know about that? Is he educated by the web hoster about that? Is there a port 587/tcp submission alternative given to the customer? If not why? Is the web hoster prepared to answer to his user why the user’s email is marked as spam when they use (and they will do so regardless of what system administrators insist on) a different mail server?

      So you see there is no right or wrong in the SPF record when you know exactly what you are doing. I know of hosting providers that use this record and no problems occur with users and hosting providers that cause daily problems which they try to shift to the ISP’s support desk.

      The SPF record by itself is not the whole policy. Those who get it implement it right, the rest no.

      The easiest solution to your question would be to just add any other SMTP servers the user uses to the SPF record. But this is just a band-aid answer to just get you off my back.

  3. Another common scenario which people usually don’t know how to handle:

    Admins publish a strict SPF policy requiring all users to use their mx servers.

    Users go to various websites (news, blogs, etc) and try to share articles with others, using their email address. But the email never reaches the intended recepient(s), because it’s not sent via their mx server, but via the web/mail server of the site..

    When users complain, the admins don’t “bend” their policy, and there’s no solution for the users.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s