forwardemail / free-email-forwarding

The best free email forwarding for custom domains. Visit our website to get started (SMTP server)
https://forwardemail.net

Setup guide should not suggest adding an SPF record #252

Closed dechamps closed 1 year ago

dechamps commented 3 years ago

Currently the setup guide recommends adding the following SPF record:

example.com IN TXT v=spf1 a mx include:spf.forwardemail.net -all

This raised my eyebrows. I don't see the point of this particular SPF configuration.

The configuration basically reads "only forwardemail.net is authorized to use a @example.com envelope from address". That seems irrelevant here. forwardemail.net is used to forward email to example.com, not from it.

In and of itself this spurious SPF record is mostly harmless (I guess it could possibly be used to exploit forwardemail.net as a confused deputy to spoof messages, but I can't think of a practical attack vector). But it's confusing to users and makes it harder for beginners to understand how SPF works (because the configuration example makes no sense). It could also potentially result in users breaking their outgoing email setup if they blindly follow the instructions without understanding them.

I would suggest changing the instructions to:

Optional: if example.com is NOT used to send outgoing mail (more specifically, @example.com is never used in envelope MAIL FROM addresses) then, for backscatter prevention purposes, you might want to add the following SPF record to tell the world they should never expect email to come from this domain:

v=spf1 -all

If the domain is used to send mail, not just forward incoming mail, then keep your existing SPF record as is.
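
An added example, not part of the original issue and not forwardemail.net code: a small SPF evaluator (a subset of RFC 7208 covering `a`, `mx`, `ip4`, `include` and `all`) that runs the setup guide's record, the proposed `v=spf1 -all`, and a pre-existing sender record against the same connecting IPs. All DNS data is constructed from documentation IP ranges; the contents of `spf.forwardemail.net`, the host `mx1.forwarder.example` and the outbound provider `_spf.outbound.example` are assumptions.

```python
import ipaddress

# Constructed DNS data using documentation IP ranges; not real records.
A = {"example.com": ["192.0.2.10"], "mx1.forwarder.example": ["198.51.100.1"]}
MX = {"example.com": ["mx1.forwarder.example"]}
SPF = {
    "spf.forwardemail.net": "v=spf1 ip4:198.51.100.0/24 -all",   # contents assumed
    "_spf.outbound.example": "v=spf1 ip4:203.0.113.0/24 -all",   # hypothetical sender
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

GUIDE = "v=spf1 a mx include:spf.forwardemail.net -all"   # record from the setup guide
NO_MAIL = "v=spf1 -all"                                   # record proposed in the issue
EXISTING = "v=spf1 include:_spf.outbound.example -all"    # constructed pre-existing record

def _matches(mech, arg, ip, domain):
    """Return True if one mechanism matches the connecting IP."""
    if mech == "all":
        return True
    if mech == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
    if mech == "a":
        return ip in A.get(arg or domain, [])
    if mech == "mx":
        return any(ip in A.get(host, []) for host in MX.get(arg or domain, []))
    if mech == "include":  # matches only when the included record yields "pass"
        return check_spf(SPF[arg], ip, arg) == "pass"
    raise ValueError(f"unsupported mechanism: {mech}")

def check_spf(record, ip, domain):
    """Evaluate terms left to right; the first matching mechanism decides."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if _matches(mech, arg, ip, domain):
            return RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present

if __name__ == "__main__":
    # Forwarder IP, the domain's own A record, and the outbound provider's IP.
    for ip in ("198.51.100.7", "192.0.2.10", "203.0.113.5"):
        results = {name: check_spf(rec, ip, "example.com")
                   for name, rec in (("guide", GUIDE), ("no_mail", NO_MAIL), ("existing", EXISTING))}
        print(ip, results)
```
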

zecanard commented 1 year ago

Yes, in fact @niftylettuce says adding that record is only for SMTP support.

I suppose that’s why there isn’t an SPF check when setting up your domains (only MX and TXT).

titanism commented 1 year ago

Yes, this is for future SMTP support we are working on.