simon360 / simonandrews.ca

Code for https://simonandrews.ca, built using Next.js

Using `-all` may not be the best idea #2

Open karolzlot opened 2 years ago

karolzlot commented 2 years ago

Using -all may not be the best idea according to:

https://stackoverflow.com/questions/64495457/all-all-and-all-in-dns-spf-configuration

The "right way" is to use a ~all default, and to configure your DMARC record to require both DKIM and SPF "pass" results.

kot0dama commented 7 months ago

I don't really agree with this Stack Overflow comment.

If you use DMARC with passing both SPF and DKIM as a requirement, I would stick with an SPF hard rejection as it makes no sense to wait for DMARC to reject after SPF has soft passed.

Also, not all servers enforce DMARC policies, while many already enforce SPF policies as it is simpler to deploy. This means it does not matter whether you are using DMARC, but whether all SMTP servers are using DMARC, which means you need a strict SPF policy whether you use DMARC or not.

If you want to use a DMARC policy that allows a pass if only one of SPF or DKIM passes, then it might make sense. But I believe most of the time you want to fail DMARC if either SPF or DKIM fails.
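
The trade-off discussed in this thread, as an added example that is not part of the issue or the repository's code: a simplified receiver model showing what happens to a message under `-all` versus `~all`, depending on whether the receiver enforces SPF, DMARC, or both. The `example.com` records are constructed, identifier alignment is assumed, and DMARC is modelled as passing when either SPF or DKIM passes.

```python
# Added illustration: a simplified receiver model, not any real MTA's logic.
SPF_DEFAULT = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}

def spf_result(record, ip_listed):
    """SPF result for a sender IP, reduced to 'listed' vs the trailing all term."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    if ip_listed:
        return "pass"
    for term in terms[1:]:
        if term == "all":
            return "pass"            # a bare 'all' means '+all'
        if term[1:] == "all" and term[0] in SPF_DEFAULT:
            return SPF_DEFAULT[term[0]]
    return "neutral"                 # no all mechanism present

def dmarc_policy(record):
    """Extract the p= tag from a DMARC record, or 'none' when absent."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none").strip().lower()

def verdict(spf_rec, dmarc_rec, ip_listed, dkim_pass, enforces_spf, enforces_dmarc):
    """What a receiver does with one message under this model."""
    spf = spf_result(spf_rec, ip_listed)
    if enforces_spf and spf == "fail":
        return "reject (SPF)"        # refused before DMARC is evaluated
    if enforces_dmarc:
        # Assumption: SPF and DKIM domains align with the From: domain.
        policy = dmarc_policy(dmarc_rec)
        if spf != "pass" and not dkim_pass and policy != "none":
            return f"{policy} (DMARC)"
    return "accept"

# Constructed records for the placeholder domain example.com.
HARD = "v=spf1 include:_spf.example.com -all"
SOFT = "v=spf1 include:_spf.example.com ~all"
DMARC = "v=DMARC1; p=reject"

if __name__ == "__main__":
    for name, rec in (("-all", HARD), ("~all", SOFT)):
        print(name,
              "| spoof, SPF-only receiver:", verdict(rec, DMARC, False, False, True, False),
              "| spoof, DMARC receiver:", verdict(rec, DMARC, False, False, False, True),
              "| unlisted IP + valid DKIM:", verdict(rec, DMARC, False, True, True, True))
```

The first column is the case kot0dama raises (a receiver that enforces SPF but not DMARC); the last column shows the other side, where a hard fail is applied before a valid DKIM signature is considered.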