
Ask HN: Time to start rejecting SPF soft fails? - jorangreef
With the rise of phishing and forgeries, is it safe to continue accepting emails which soft fail the sender's SPF policy?

Is it time to start rejecting soft fails with a clear bounce message, rather than silently sending soft fails to the spam folder?

Two thirds of our soft fails are obvious forgeries and phishing attacks and spam, but one third are legitimate senders with poor sending infrastructure who would be impacted.

Should we continue to tolerate misconfigured SPF policies, and let the clients of misconfigured sending ISPs believe everything is well, or should we start to make a change towards a safer email environment?
======
technion
I have a lot of experience managing spam filters for fairly busy domains. I
have about 150 domains whitelisted because they are trusted business contacts
that HARDFAIL SPF and blocking their email is a total nonstarter for the
organisation.

An extraordinary amount of legitimate email soft fails SPF. I really would
like such senders to start being punished for this - but at present, it just
isn't feasible unless you have a very small domain and are happy to comb
through quarantines.
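
An added example, not part of either post above: a dry run that replays logged `Received-SPF` header values under the current policy (quarantine soft fails) and the proposed one (reject soft fails), so the domains that would start bouncing can be reviewed before enforcement. The sample headers, the `ALLOW` table, the function names and the bounce wording are assumptions made for illustration; the allowlist is keyed on domain plus relay network rather than domain alone.

```python
import ipaddress
import re
from collections import Counter

# Constructed Received-SPF values in RFC 7208 section 9.1 form; not real traffic.
SAMPLE = [
    'pass (ok) client-ip=192.0.2.10; envelope-from="a@good.example"',
    'softfail (transitioning) client-ip=198.51.100.7; envelope-from="billing@partner.example"',
    'softfail (transitioning) client-ip=198.51.100.8; envelope-from="news@partner.example"',
    'softfail (transitioning) client-ip=203.0.113.9; envelope-from="ceo@good.example"',
    'fail (not permitted) client-ip=203.0.113.50; envelope-from="orders@supplier.example"',
    'fail (not permitted) client-ip=198.51.100.99; envelope-from="orders@supplier.example"',
]

# Hypothetical allowlist: a failing domain is trusted only from known relay networks,
# because a bare domain entry would also admit anyone forging that domain.
ALLOW = {"supplier.example": [ipaddress.ip_network("203.0.113.0/24")]}

def parse(value):
    """Return (result, client_ip, envelope_domain) from one Received-SPF value."""
    result = value.split(None, 1)[0].lower()
    ip = re.search(r"client-ip=([0-9A-Fa-f.:]+)", value)
    dom = re.search(r'envelope-from="?<?[^"\s;@]*@([^"\s;>]+)', value)
    return result, ip and ip.group(1), dom and dom.group(1).lower()

def decide(result, ip, domain, reject_softfail):
    """Map one SPF outcome to accept / quarantine / reject."""
    if result not in ("fail", "softfail"):
        return "accept"
    if ip and any(ipaddress.ip_address(ip) in net for net in ALLOW.get(domain, [])):
        return "accept"
    if result == "fail" or reject_softfail:
        return "reject"
    return "quarantine"

def bounce_text(domain):
    """SMTP reply for a rejection; 5.7.23 is the RFC 7372 code for SPF failure."""
    return f"550 5.7.23 SPF check failed for {domain}; this server is not in the sender's SPF record"

def dry_run(headers, reject_softfail):
    """Tally actions and count, per domain, the messages that would bounce."""
    actions, bounced = Counter(), Counter()
    for value in headers:
        result, ip, domain = parse(value)
        action = decide(result, ip, domain, reject_softfail)
        actions[action] += 1
        if action == "reject":
            bounced[domain] += 1
    return actions, bounced
```

Comparing `dry_run(SAMPLE, False)` with `dry_run(SAMPLE, True)` shows which sender domains move from the quarantine to a bounce under the stricter policy.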

