
SPF Missing Catch-All Policy

The SPF record does not contain a terminal all mechanism.

Severity: Warning

What is SPF?

SPF (Sender Policy Framework) is an email authentication method. Domain owners publish a DNS TXT record specifying which servers are allowed to send email on behalf of their domain. Receiving mail servers check this record to verify the sender.

What is the catch-all mechanism?

The all mechanism matches every sender, so it is placed last in an SPF record (anything listed after it is never evaluated) and sets the default result for any sending server that did not match an earlier mechanism. It acts as a catch-all:

v=spf1 include:_spf.google.com -all

The -all at the end means: "If the sender doesn't match any of the authorized entries above, return a fail result." Most receivers treat an SPF fail as grounds to reject or quarantine the message.

Why this is a problem

Without a terminal all mechanism, your SPF record is incomplete. When a receiving mail server finishes evaluating all the mechanisms and none of them match (and no redirect modifier hands evaluation off to another domain), the result is "neutral", exactly as if the record ended in ?all. Neutral means SPF offers no opinion on whether the email is legitimate or not. This means:

  • Unauthorized servers can send email from your domain without SPF flagging it
  • Your SPF record provides weaker protection than intended: the allow-list you published never turns into a fail for anyone outside it
  • DMARC counts anything other than an aligned SPF pass as an SPF failure, so a neutral result contributes nothing; the message then stands or falls on DKIM alone

What you should do

  • Add -all to the end of your SPF record to fail unauthorized senders (recommended)
  • Use ~all (soft fail) if you're still identifying all legitimate sending sources, such as third-party marketing, ticketing or billing services that send as your domain
  • Avoid ?all (neutral) as it provides no protection; it is the same result you get today with no all at all
  • Never use +all as it allows anyone to send email from your domain
  • After adding the catch-all, monitor email delivery (DMARC aggregate reports are the easiest source) to ensure legitimate emails aren't affected
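The following is an added example, not code from dnswatchdog.io, that shows both points on this page in working form: a check that flags a record with no all mechanism (and no redirect modifier), and a small evaluator that walks the mechanisms the way RFC 7208 describes so you can see the neutral result appear when the catch-all is missing and a fail (or softfail) appear once it is added. The domain names, addresses and the FAKE_TXT dictionary standing in for DNS are constructed for the example; only ip4, ip6, include and all are modelled, the mechanisms that need live DNS lookups (a, mx, exists, ptr) are deliberately left out.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups, so the example runs offline.
# The include target mirrors what a third-party mailer might publish.
FAKE_TXT = {
    "_spf.example-mailer.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
}

# Qualifier prefix -> SPF result it produces when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms
    plus a dict of modifiers such as redirect= or exp=."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms, modifiers = [], {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep and ":" not in name:          # modifier, e.g. redirect=other.example
            modifiers[name.lower()] = value
            continue
        qualifier = "+"                       # RFC 7208: default qualifier is pass
        if part[0] in QUALIFIERS:
            qualifier, part = part[0], part[1:]
        mech, _, arg = part.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms, modifiers


def has_catch_all(record):
    """True if the record carries an all mechanism (mechanisms after it are
    never evaluated, so position does not matter) or delegates via redirect=."""
    terms, modifiers = parse_spf(record)
    return any(mech == "all" for _, mech, _ in terms) or "redirect" in modifiers


def check_host(ip, domain, txt=FAKE_TXT, depth=0):
    """Evaluate SPF for a sending IP against a domain's record, mirroring the
    result rules of RFC 7208 section 4.7 for the mechanisms modelled here."""
    if depth > 10:                            # RFC 7208 caps recursive lookups at 10
        return "permerror"
    record = txt.get(domain)
    if record is None:
        return "none"
    terms, modifiers = parse_spf(record)
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, arg in terms:
        if mech == "all":                     # always matches: this is the catch-all
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            # include matches only when the referenced domain returns "pass";
            # its own fail/softfail/neutral do not propagate (RFC 7208 section 5.2)
            matched = check_host(ip, arg, txt, depth + 1) == "pass"
        else:
            raise NotImplementedError(f"mechanism {mech} needs DNS; not modelled")
        if matched:
            return QUALIFIERS[qualifier]
    if "redirect" in modifiers:
        return check_host(ip, modifiers["redirect"], txt, depth + 1)
    return "neutral"   # no match, no redirect: neutral, exactly as if ?all were present


def evaluate(record, ip, domain="example.test"):
    """Evaluate a candidate record for the constructed domain example.test."""
    txt = dict(FAKE_TXT, **{domain: record})
    return check_host(ip, domain, txt)


if __name__ == "__main__":
    rogue, legit = "198.51.100.7", "203.0.113.10"   # constructed sender IPs
    for record in ("v=spf1 include:_spf.example-mailer.test",
                   "v=spf1 include:_spf.example-mailer.test ~all",
                   "v=spf1 include:_spf.example-mailer.test -all"):
        print(f"{record!r}: catch-all={has_catch_all(record)} "
              f"rogue={evaluate(record, rogue)} legit={evaluate(record, legit)}")
```

Run it and the first record, the one this finding is about, reports catch-all=False and returns neutral for the rogue sender, while the ~all and -all variants return softfail and fail for the same sender and still pass the legitimate one. The has_catch_all function is the check to run against your own TXT record before and after the fix.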
