Does CIPP handle SPF scoring in the best way? #2176
Replies: 2 comments 3 replies
-
Used OpenAI? CIPP is the CyberDrain Improved Partner Portal ;) I'll have @JohnDuprey take a look at this.
-
It's interesting to note that Microsoft implicitly suggests using "-all" when it provides the DNS records to add when first connecting a domain. However, at that stage, Microsoft doesn't suggest or mention using DKIM (and doesn't mention DMARC at any stage), and if you use "~all" instead, Microsoft doesn't penalise you and insist that it's wrong. I suspect that Microsoft are simply assuming that setting the SPF record the way that they prescribe will provide enough basic protection, and anyone with enough knowledge to alter it ought to know what they are doing (i.e. setting up DKIM and DMARC). Perhaps CIPP should evaluate "~all" as okay only if there are DKIM and DMARC records also found. Ideally, any MTAs mentioned in the SPF record would have at least one DKIM record to match, but I'm not sure if it's worth checking that far.
-
In my professional environment, we've adopted the practice of using the softfail "~all" in our SPF records, despite CIPP marking us down for not opting for the stricter hardfail "-all". It's critical to delve into the practical ramifications of each choice within the broader landscape of email security and delivery to fully appreciate why "~all" is not only a cautious but a strategic decision.
Initially, the adoption of "~all" served as a transitional measure, allowing domain owners to signal potential illegitimacy of emails not explicitly authorized, without resorting to outright rejection. This approach was invaluable as we navigated towards more stringent email verification standards. The inherent challenge with SPF, when considered in isolation, is its failure to account for email forwarding scenarios effectively. The change in a sender's IP address due to forwarding leads to SPF checks failing, given that the forwarding server's IP is not listed in the SPF record. DKIM addresses this gap by ensuring an email's integrity and origin through content signing, unaffected by the email's journey.
The introduction of DKIM, and subsequently DMARC, fundamentally transformed the playing field. Implementing a "-all" policy in SPF could inadvertently cause legitimate emails to be rejected if they fail SPF checks, bypassing the additional layer of authentication provided by DKIM. This is particularly pertinent given DMARC's reliance on both SPF and DKIM for a holistic assessment of an email's authenticity. DMARC's capacity for nuanced evaluation could be undercut by premature SPF rejections, a risk explicitly highlighted in RFC 7489, section 10.1.
The reliance on third-party email services further underscores the importance of a "~all" or "?include" stance. Such an approach respects the intricacies of modern email ecosystems, acknowledging the reality that a domain's emails may traverse various platforms. Opting not to outright reject emails on SPF failure alone allows for a reliance on DKIM for necessary authentication.
Despite the acknowledged limitations of SPF, its role in a comprehensive email security framework is undisputed. I advocate for the use of SPF in tandem with DKIM and DMARC, recommending "~all" for domains actively sending emails and "-all" exclusively for those that do not. This recommendation aligns with established best practices, ensuring uninterrupted email sending capabilities while safeguarding against potential security breaches due to forwarding or misconfigured Mail Transfer Agents (MTAs), as warned in RFC 7489.
An additional layer of mitigation in favour of "~all" comes from leveraging DMARC reporting. Monitoring DMARC reports allows for an ongoing assessment of authentication outcomes, providing insights into how emails are being processed and flagged across the internet. This proactive monitoring serves as a critical feedback mechanism, enabling domain administrators to identify and rectify any issues that may arise, further justifying the use of "~all" in SPF records.
I'm keen to hear your thoughts, experiences, or any questions you might have on this subject. Have any of you faced challenges with SPF and email delivery, or do you have insights from implementing SPF, DKIM and DMARC in your own environments? Ultimately, do you favour "~all" or "-all", and why?
EDIT: Words are hard.
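The scoring rule proposed two comments up ("~all" is acceptable only if DKIM and DMARC records are also published) and the forwarding scenario described in the comment above, worked through as an added Python example. This is not CIPP's code and not from either commenter. DNS is replaced by an inline dictionary of constructed TXT records, so the domains, addresses, the selector name `selector1`, and the toy receiver's behaviour are all assumptions; the SPF evaluator handles only `ip4`, `ip6`, `include` and `all`, and DKIM verification is represented by a flag rather than performed.

```python
"""Added example (not CIPP code): grade an SPF record the way the thread
proposes, and simulate a forwarded message under '-all' versus '~all'.

Offline by design: ZONE stands in for DNS TXT lookups and every name,
address and selector in it is constructed for illustration.
"""
import ipaddress
import re

# Constructed TXT records (assumption: not real zone data).
ZONE = {
    "example.com": ["v=spf1 include:_spf.mailer.example ip4:203.0.113.0/24 ~all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@example.com"],
    "strict.example": ["v=spf1 ip4:203.0.113.0/24 -all"],      # hardfail, no DKIM/DMARC
    "loose.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],       # softfail, no DKIM/DMARC
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"([+\-~?]?)(ip4|ip6|include|all)(?::(.+))?$", re.I)


def txt(zone, name):
    return zone.get(name.lower(), [])


def spf_record(zone, domain):
    """RFC 7208 s3.2: exactly one v=spf1 record is usable; zero or several count as none here."""
    recs = [r for r in txt(zone, domain) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def all_qualifier(record):
    """Qualifier on the 'all' mechanism ('+', '-', '~' or '?'), or None if the record has none."""
    for term in record.split()[1:]:
        m = TERM.match(term)
        if m and m.group(2).lower() == "all":
            return m.group(1) or "+"
    return None


def check_host(zone, ip, domain, depth=0):
    """Minimal check_host(): ip4/ip6/include/all only (assumption: no a, mx, exists, redirect)."""
    record = spf_record(zone, domain)
    if record is None:
        return "none"
    if depth > 10:                       # approximates the RFC 7208 s4.6.4 lookup limit
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        m = TERM.match(term)
        if not m:
            continue                     # modifiers and unsupported mechanisms are skipped
        q, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if mech == "all":
            matched = True
        elif mech == "include":
            matched = check_host(zone, ip, arg, depth + 1) == "pass"
        else:                            # ip4/ip6; an address-family mismatch simply does not match
            matched = addr in ipaddress.ip_network(arg, strict=False)
        if matched:
            return QUALIFIER[q]
    return "neutral"                     # RFC 7208 s4.7: nothing matched and no 'all'


def dmarc_policy(zone, domain):
    for r in txt(zone, f"_dmarc.{domain}"):
        if r.lower().startswith("v=dmarc1"):
            m = re.search(r"\bp=(\w+)", r)
            return m.group(1).lower() if m else None
    return None


def score_spf(zone, domain, selectors=("selector1",)):
    """The rule proposed in the thread: '-all' passes on its own, '~all' passes only
    when DKIM and DMARC are also published. Returns (grade, reason)."""
    record = spf_record(zone, domain)
    if record is None:
        return "fail", "no usable SPF record"
    q = all_qualifier(record)
    has_dkim = any(r.lower().startswith("v=dkim1")
                   for s in selectors for r in txt(zone, f"{s}._domainkey.{domain}"))
    has_dmarc = dmarc_policy(zone, domain) is not None
    if q == "-":
        return "pass", "hardfail"
    if q != "~":
        return "fail", "record does not end in -all or ~all: unauthorised senders are unconstrained"
    if has_dkim and has_dmarc:
        return "pass", "softfail backed by DKIM and DMARC"
    return "warn", "softfail with no DKIM/DMARC: an SPF failure carries no consequence"


def receive(zone, sender_ip, from_domain, dkim_pass, spf_rejects_early=True):
    """Toy receiver. dkim_pass stands in for DKIM verification (assumption: a forwarder
    that leaves the signed content intact keeps the signature valid). With
    spf_rejects_early the MTA bounces on SPF 'fail' before DMARC runs (RFC 7489 s10.1)."""
    spf = check_host(zone, sender_ip, from_domain)
    if spf == "fail" and spf_rejects_early:
        return {"spf": spf, "dmarc": "not evaluated", "action": "reject"}
    aligned_pass = spf == "pass" or dkim_pass       # assumption: identifiers already aligned
    policy = dmarc_policy(zone, from_domain) or "none"
    action = "accept" if aligned_pass or policy == "none" else policy
    return {"spf": spf, "dmarc": "pass" if aligned_pass else "fail", "action": action}


if __name__ == "__main__":
    for d in ("example.com", "strict.example", "loose.example"):
        print(d, score_spf(ZONE, d))
    # Legitimate mail forwarded by a host (192.0.2.10) that is in nobody's SPF record.
    for d in ("example.com", "strict.example"):
        print(d, receive(ZONE, "192.0.2.10", d, dkim_pass=True))
```

Run it and the forwarded message from `example.com` comes through as SPF softfail, DMARC pass via DKIM, accepted; the same message from `strict.example` is rejected by the early SPF check before DMARC ever sees the DKIM result, which is the RFC 7489 section 10.1 point the comment above makes. Flip `spf_rejects_early` to `False` and the `-all` domain is accepted too, so the practical difference between the two qualifiers is entirely down to receiver behaviour that the sender cannot control.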