
Ask HN: Sender Policy Framework (SPF) Records – Qualifiers - rasengan
RFC4408 defines the Sender Policy Framework (SPF).

SPF has qualifiers ("-", "~", "+", "?") which are defined as (fail, softfail, pass, neutral) respectively.

There is confusion amongst information online regarding the use of - versus ~. I need some assistance from an expert.

My assumption is that Google uses ~all instead of -all because their _spf.google.com resolves to a _netblocks host which is a dynamic record (according to Google's website since they use the word 'current' when describing the _netblocks) and, therefore, because of DNS propagation delay the ~ was used as opposed to -.

However, when I look stuff up on SendGrid support, I get examples using - and ~ for the same scenario (same hosts and so forth). The only difference is - and ~.

My guess is most e-mail clients are properly configured such that ~ softfail pass throughs result in a flagged message indicating that the sender may not be legit. Is this a safe assumption? It seems like the big SMTP companies made that assumption.

https://support.sendgrid.com/hc/en-us/articles/202517236 <-- says use -

https://sendgrid.com/docs/Glossary/spf.html <-- says use ~

Had to turn to HN because at the end it's clear nobody has any idea what they are talking about on the interweb.

Thanks in advance friends.
======
Spooky23
It depends on how the server applies the rules, how you do business, and how
aggressive you want to be.

If you use external services that send mail on your behalf, and they screw up,
hard fails will sometimes get the message flagged.

If you use Google, they rely on SPF and DKIM.

~~~
rasengan
Thank you!

------
kogir
I don't think there's a single "correct" answer here, since varying
implementations do different things.

I've been using _fail_ with all domains I administer for over 10 years without
issue.

What really matters is properly configuring DKIM and DMARC.

~~~
rasengan
Thank you for the response!
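
Added example, not part of the thread: a small Python parser that reports which result a record's `all` mechanism carries, using the qualifier mapping from the question, including the implicit "+" when no qualifier is written and mechanisms placed after `all`. The function name, the sample records and the example.com / 192.0.2.10 values are constructed for illustration.

```python
import re

# RFC 4408 qualifier -> result name, as listed in the question above.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MODIFIER = re.compile(r"^([A-Za-z][A-Za-z0-9._-]*)=(.*)$")
MECHANISM = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+)(.*)$")

def parse_spf(record):
    """Parse one SPF TXT string.

    Returns (terms, all_result, unreachable):
      terms       - (result, mechanism, argument) tuples in evaluation order
      all_result  - result attached to `all`, or None if the record has no `all`
      unreachable - mechanisms written after `all`, which are never tested
    """
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms, all_result, unreachable = [], None, []
    for term in parts[1:]:
        mod = MODIFIER.match(term)
        if mod:  # modifiers such as redirect= carry no qualifier
            terms.append(("modifier", mod.group(1).lower(), mod.group(2)))
            continue
        if all_result is not None:
            unreachable.append(term)
            continue
        mech = MECHANISM.match(term)
        if not mech:
            raise ValueError("unparseable term: " + term)
        qualifier, name, arg = mech.groups()
        result = QUALIFIERS[qualifier or "+"]  # omitted qualifier means "+"
        terms.append((result, name.lower(), arg.lstrip(":")))
        if name.lower() == "all":
            all_result = result
    return terms, all_result, unreachable

# Constructed sample records; only _spf.google.com comes from the thread.
SAMPLES = [
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:_spf.google.com -all",
    "v=spf1 mx all",                     # bare `all` is +all: everything passes
    "v=spf1 -all ip4:192.0.2.10",        # ip4 is never reached
    "v=spf1 redirect=_spf.example.com",  # no `all` in this record
]

if __name__ == "__main__":
    for rec in SAMPLES:
        _, policy, dead = parse_spf(rec)
        print(f"{rec!r}: all -> {policy}, unreachable: {dead}")
```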

