dnswatchdog.io docs

Overly Permissive SPF Policy

The SPF record ends with +all, allowing any server to send email on behalf of this domain.

Severity: Critical

What is SPF?

SPF (Sender Policy Framework) is an email authentication method. Domain owners publish a DNS TXT record that lists which mail servers are authorized to send email for their domain. Receiving servers check this record to decide whether to trust an incoming email.

What does +all mean?

Every SPF record should end with an "all" mechanism that defines what happens when a sending server doesn't match any of the authorized entries. The options are:

  • -all — Fail: reject emails from unauthorized servers (recommended)
  • ~all — Soft fail: accept but mark as suspicious (common during rollout)
  • ?all — Neutral: no opinion on unauthorized servers
  • +all — Pass: allow ALL servers to send email for this domain

Why this is a problem

Using +all completely defeats the purpose of SPF. It tells receiving mail servers: "Any server in the world is authorized to send email on behalf of this domain." This means:

  • Anyone can spoof emails from your domain
  • Phishing attacks using your domain will pass SPF checks
  • Your domain reputation may suffer as spammers exploit it
  • DMARC policies relying on SPF become ineffective

What you should do

  • Change +all to -all (hard fail) if you're confident in your list of authorized senders
  • Use ~all (soft fail) as an intermediate step while you verify all legitimate sending sources are included
  • Never use +all in production — there is no legitimate reason for it
  • After changing, monitor email delivery to ensure legitimate emails aren't being rejected
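The following Python checker is an added example, not part of the dnswatchdog.io documentation or tooling. It parses an SPF TXT record, identifies the qualifier on its "all" mechanism (the four options listed above), assigns the severity this page describes, and rewrites the record with the recommended -all or interim ~all. The sample records are constructed and do not belong to any real domain; in practice the TXT string would come from a DNS lookup, which is left out so the example runs offline. One detail the example handles that the list above does not mention: an "all" term with no qualifier at all is treated as "+all", which is what RFC 7208 specifies.

```python
import re

# SPF result a receiver assigns when the "all" mechanism matches. Since "all"
# always matches, its qualifier decides the verdict for any unlisted sender.
QUALIFIER_RESULT = {
    "+": "pass",
    "-": "fail",
    "~": "softfail",
    "?": "neutral",
}

# Severity assigned by this checker (mirrors the page: +all is critical).
SEVERITY = {
    "+": "critical",   # any server may send as the domain
    "?": "medium",     # receivers are told to form no opinion
    "~": "low",        # acceptable while verifying senders
    "-": "none",
}

# An "all" term with an optional qualifier; mechanism names are case-insensitive.
_ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)


def spf_terms(txt):
    """Split a TXT record into its SPF terms; raise ValueError if it is not SPF."""
    tokens = txt.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % txt)
    return tokens[1:]


def all_qualifier(txt):
    """Return the qualifier ('+', '-', '~', '?') on the record's "all" mechanism.

    Returns None when the record has no "all" term, e.g. when it ends in a
    redirect= modifier and delegates the decision to another record. An "all"
    with no explicit qualifier counts as "+" (RFC 7208 default).
    """
    for term in spf_terms(txt):
        m = _ALL_TERM.match(term)
        if m:
            return m.group(1) or "+"
    return None


def assess(txt):
    """Classify a record: result for unlisted senders, severity and remediation."""
    q = all_qualifier(txt)
    if q is None:
        return {"qualifier": None, "result": None, "severity": "info",
                "advice": "no 'all' term; check the redirect= target"}
    advice = {
        "+": "replace +all with -all (or ~all while verifying senders)",
        "?": "tighten ?all to ~all or -all",
        "~": "move to -all once every legitimate sender is listed",
        "-": "ok",
    }[q]
    return {"qualifier": q, "result": QUALIFIER_RESULT[q],
            "severity": SEVERITY[q], "advice": advice}


def harden(txt, qualifier="-"):
    """Return the record with the qualifier on its "all" term rewritten.

    Defaults to hard fail; pass "~" for the soft-fail rollout step.
    """
    if qualifier not in QUALIFIER_RESULT:
        raise ValueError("unknown qualifier %r" % qualifier)
    out = ["v=spf1"]
    replaced = False
    for term in spf_terms(txt):
        if _ALL_TERM.match(term):
            out.append(qualifier + "all")
            replaced = True
        else:
            out.append(term)
    if not replaced:
        raise ValueError("record has no 'all' term to rewrite")
    return " ".join(out)


# Constructed sample records (hypothetical include targets, RFC 5737 test address space).
SAMPLES = {
    "permissive": "v=spf1 include:_spf.mail.example +all",
    "implicit":   "v=spf1 ip4:192.0.2.0/24 all",      # no qualifier == +all
    "hardened":   "v=spf1 include:_spf.mail.example -all",
    "delegated":  "v=spf1 redirect=_spf.mail.example",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, assess(record))
    print("fixed:", harden(SAMPLES["permissive"]))
    print("rollout:", harden(SAMPLES["implicit"], "~"))
```

`assess` is the check to run before and after the change; `harden` produces the replacement TXT value to publish, after which delivery of legitimate mail should be monitored as the last step above says.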
