cammurray / orca

The Microsoft Defender for Office 365 Recommended Configuration Analyzer (ORCA)

softfail SPF for Valimail #155

Open amcl61 opened 2 years ago

amcl61 commented 2 years ago

Hello,

We use the Valimail product for DMARC, and their SPF macro uses softfail (~all); sample below. We are receiving "Not Recommended -5" on our domains and subdomains.

v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all

There are other companies using their product for DMARC, e.g. Uber.com.

I've attached their document as to why they use softfail instead of hardfail and would like the SPF area for "Set up SPF records to prevent spoofing" to consider not marking these as needing improvement and instead as ok.

https://support.valimail.com/support/solutions/articles/48001197890-why-valimail-uses-an-spf-soft-fail-and-not-a-hard-fail

Thank you,

cammurray commented 2 years ago

@amcl61 cheers for the article. IMO the advice is only really valid in instances where DMARC is deployed and at some level of enforcement (it still sucks how many organizations are not there yet).

Possibly what we could do here is consider SPF soft-fail informational in instances of a p=reject/p=quarantine DMARC policy on the matching domain. The only concern that I have is that in instances of subdomains this is going to become a bit complicated (SPF needs explicit records on the subdomain, where DMARC falls back down the chain in the absence of an explicit record at the subdomain).
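A sketch of the rating logic proposed in that comment, as an added example in Python (not ORCA's own PowerShell code). It resolves the DMARC policy that actually applies to a subdomain (own `_dmarc` record, else the organizational domain's `sp=`/`p=`) while requiring an explicit SPF record at the subdomain itself; the zone data is constructed and embedded so it runs offline, and the organizational-domain rule is a simplifying assumption.

```python
import re

# Constructed sample zone (not real DNS). legacy.example.com has its own SPF
# record but no _dmarc record, so its DMARC policy comes from example.com's sp=.
TXT = {
    "example.com": ["v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com"],
    "mail.example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "legacy.example.com": ["v=spf1 ip4:198.51.100.10 ~all"],
    "partner.example.net": ["v=spf1 ip4:203.0.113.5 ~all"],
}

def org_domain(domain):
    # Assumption: organizational domain = last two labels; real code needs the
    # Public Suffix List (e.g. for .co.uk).
    return ".".join(domain.lower().split(".")[-2:])

def spf_all_qualifier(domain):
    """Qualifier on the 'all' mechanism ('-', '~', '?', '+'), or None if no SPF.
    SPF has no fallback: a subdomain needs its own explicit v=spf1 record."""
    for rec in TXT.get(domain.lower(), []):
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec, re.I)
            return (m.group(1) or "+") if m else None
    return None

def dmarc_policy(domain):
    """Effective DMARC policy: the domain's own p=, else the organizational
    domain's sp= (falling back to its p=), else None when DMARC is absent."""
    for name, tag in ((domain, "p"), (org_domain(domain), "sp")):
        for rec in TXT.get("_dmarc." + name.lower(), []):
            if rec.lower().startswith("v=dmarc1"):
                tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
                tags = {k.lower(): v.lower() for k, v in tags.items()}
                return tags.get(tag, tags.get("p", "none"))
    return None

def rate_spf(domain):
    """Rate the SPF record: soft-fail is only informational under enforcing DMARC."""
    q = spf_all_qualifier(domain)
    if q is None:
        return "fail: no SPF record"
    if q == "-":
        return "ok: hard fail"
    if q != "~":
        return "fail: neutral/pass 'all' lets any sender pass SPF"
    if dmarc_policy(domain) in ("reject", "quarantine"):
        return "informational: soft fail with enforcing DMARC policy"
    return "not recommended: soft fail without enforcing DMARC policy"
```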

amcl61 commented 2 years ago

Thanks Cam!

cammurray commented 1 year ago

Bumping in to vnext.