An SPF failure occurs when a message does not pass the SPF check at the receiving mail server, that is, the IP address delivering the message is not authorized by the sending domain's SPF record. An SPF record can express two kinds of failure: SPF softfail (~all) and SPF fail (-all). This article discusses the latter.
SPF Hardfail: What Does It Really Mean?
SPF fail (often called SPF hardfail) is expressed by the -all mechanism at the end of an SPF record. The minus qualifier tells receiving mail servers that any host not matched by an earlier mechanism in the record is not authorized to send mail for your domain. Receivers that enforce it reject or quarantine spoofed messages, which limits phishing, spoofing and spam sent in your domain's name. How a receiver acts on a fail result is, however, its own decision.
RFC 7208, section 8.4, states that a "fail" result is an explicit statement that the client is not authorized to use the domain in the given identity, and that disposition of messages with that result is a matter of local policy.
SPF Fail Example
v=spf1 ip4:196.178.0.2 -all
In this example, the minus sign (-) in front of 'all' is the fail qualifier: a message from any host not matched earlier in the record gets an SPF fail result, so the receiver is told that the sender is not authorized. Here only the IP address 196.178.0.2 is authorized to send mail for the domain.
When Should You NOT Use the SPF Fail Mechanism?
There are two primary reasons for caution.
First, legitimate mail regularly fails SPF: a sending service was left out of the record, the sending infrastructure changed, or a message was forwarded by a recipient's mailbox and therefore arrives from the forwarder's IP rather than yours. Under a strict -all policy such messages can be rejected outright or land in the spam folder. Security has to be balanced against deliverability.
So unless you are certain that every legitimate source of mail for your domain passes SPF, you should not use the fail qualifier, and that certainty is hard to come by.
Second, SPF is evaluated early in the SMTP transaction, on the MAIL FROM identity, before the message content is transferred. A receiver that enforces SPF fail at that point rejects the message before it can read the DKIM signature, so neither DKIM nor DMARC (which would accept a message on an aligned DKIM pass alone) gets the chance to rescue legitimate mail that SPF alone would have turned away.
When Should You Use the SPF Fail Mechanism?
It should be used in the following cases:
You're Confident That All Legitimate Mail Passes SPF
You can set the fail qualifier once you have verified over a considerable period that every legitimate source of mail for the domain passes SPF and reaches recipients' primary inboxes; DMARC aggregate reports are the usual way to confirm this.
Your Organization Handles Sensitive Data
The fail qualifier is particularly useful for organizations that handle sensitive information, conduct financial transactions, or depend on email for critical processes. An SPF record ending in -all adds a layer of protection against attackers attempting to impersonate the business domain, provided the deliverability risk above has been addressed.
The SPF Record Corresponds to a Non-Email-Sending Domain
Threat actors look for unprotected domains, especially ones a reputable company owns but never uses for sending mail, because nobody is watching their traffic. For such a domain there is no legitimate mail to lose, so there is no reason not to be strict: publish v=spf1 -all, which authorizes no sending hosts at all, together with a DMARC record at p=reject, so that any message claiming to come from the domain is refused.
Summary
An SPF record ending in -all tells the recipient's mail server that any message from a host not listed in the record is unauthorized, and receivers that enforce it reject such messages. Because legitimate mail can also fail SPF, you should ideally use it only for domains that do not send mail, or once you have confirmed that all your legitimate mail passes.