thewca / worldcubeassociation.org

All of the code that runs on worldcubeassociation.org
https://www.worldcubeassociation.org/
GNU General Public License v3.0

SPF policy could be enforced #7779

Open d4rklynk opened 1 year ago

d4rklynk commented 1 year ago

SPF policy is currently set to ~all but should be enforced to -all

It will reject (thus not deliver) mail that isn't sent from the right server.

Sources:
Simple explanation: https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/
Advanced explanation: http://www.open-spf.org/SPF_Record_Syntax/

dunkOnIT commented 1 year ago

Thanks a lot for all of these issues! It'll take someone more experienced than me to parse and implement them, but great to have all of this raised.

d4rklynk commented 1 year ago

No problem, my pleasure!

d4rklynk commented 1 year ago

See -> Setup SPF

You will read the difference between ~all and -all.

gregorbg commented 1 year ago

I found another article that explicitly recommends ~all over -all: https://www.uriports.com/blog/spf-dkim-dmarc-best-practices/#fn3

What is your opinion?

d4rklynk commented 1 year ago

It will be blocked if the server set in SPF is not the right one. So technically, there won't be any problem if you use the right server (the one of WCA), which btw will always be the case.

d4rklynk commented 1 year ago

But right now, what matters most is to implement a good DMARC policy. Only SPF does something atm since DMARC is disabled.

d4rklynk commented 8 months ago

The workflow is like so if SPF is in fail mode (meaning -all):

And if SPF is in softfail mode (meaning ~all):

What it means is that if an email fails in the first place, and you have a strong DMARC policy (p=reject, adkim={r,s} and aspf={r,s}), the email will not be delivered anyway. The only thing that actually changes is the DMARC report you receive in your dmarc-reports@worldcubeassociation.org mailbox.

I don't know if I'm clear tbh, but in the end, the difference is subtle, and the security behind it will be almost the same whether you set SPF to ~all or -all.

So, why set -all instead of ~all? Since the email will not be delivered anyway with a strong DMARC policy, whether it's in fail mode or softfail mode, it is useless to let an email go through a DMARC check.
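An added illustration of the interaction described in this comment (not code from the issue or from the WCA repository): a toy model of SPF's `all` qualifier and the DMARC disposition a receiver derives from it. The SPF and DMARC records, the domain example.org and the "last two labels" organizational-domain rule are constructed simplifications, not how any real validator is implemented.

```python
def spf_all_qualifier(record: str) -> str:
    """Return the qualifier ('+', '-', '~' or '?') attached to the record's 'all' term."""
    for term in record.split():
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"  # bare 'all' means '+all'
    return "?"  # no 'all' term at all: treated as neutral


def spf_result(record: str, sender_authorized: bool) -> str:
    """SPF outcome for one message, given whether the sending host matched an earlier mechanism."""
    if sender_authorized:
        return "pass"
    return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[spf_all_qualifier(record)]


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; aspf=s' into {'v': 'DMARC1', 'p': 'reject', 'aspf': 's'}."""
    tags = (t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return {k.strip(): v.strip() for k, v in tags}


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same organizational domain.
    The organizational domain is approximated as the last two labels (a constructed simplification)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    org = lambda d: ".".join(d.lower().split(".")[-2:])
    return org(auth_domain) == org(from_domain)


def dmarc_disposition(spf: str, spf_domain: str, dkim: str, dkim_domain: str,
                      from_domain: str, dmarc: dict) -> str:
    """Receiver's action: DMARC passes if an *aligned* SPF or DKIM result is 'pass';
    anything else (fail, softfail, neutral, none) is a non-pass and the p= tag decides."""
    spf_ok = spf == "pass" and aligned(spf_domain, from_domain, dmarc.get("aspf", "r"))
    dkim_ok = dkim == "pass" and aligned(dkim_domain, from_domain, dmarc.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[dmarc.get("p", "none")]


def forged_mail_outcome(spf_record: str, dmarc_record: str) -> tuple:
    """A message from an unauthorized host with no DKIM signature, using example.org
    (constructed domain) in From:. Returns (SPF result, DMARC disposition)."""
    spf = spf_result(spf_record, sender_authorized=False)
    disposition = dmarc_disposition(spf, "example.org", "none", "", "example.org",
                                    parse_dmarc(dmarc_record))
    return spf, disposition
```

With p=reject, a forged message ends in "reject" whether the record says -all or ~all; only the SPF result written into the aggregate report differs. With p=none the choice between the two qualifiers is left entirely to how the receiving MTA treats a bare SPF softfail or fail.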

d4rklynk commented 8 months ago

The thing here is simple: you can either choose -all or ~all. In the end, you need to trust the receivers' MTAs to read the record and apply it, because they might not.

Like I said, the difference between these two is subtle (even nonexistent).

At least, with this issue, you will know why you chose one over the other.