+all your domain are belong to them
When you allow email to be sent on behalf of your domain by anyone anywhere,then your domain does in a sense belong to anyone who wants it.A common error made by organizations in setting up their SPF records is the use of an overly permissiveall term. This effectively allows every IP on planet Earth to send emails as anyone in your organization.Then your employees, customers, vendors, and well, everyone are vulnerable to phishing attacks and nothing good for your brand reputation can occur from this.The all term, like other so-called SPF mechanism terms have a qualifierproperty symbolized by exactly one of these four characters: +, ?, ~, -.A concise summary of qualifier meanings is given in the following table.qualifiermatch resultexplanation+passThe client sender is authorized to send mail on behalf of the domain.?neutralNo assertion is to be made about the client sender. This is effectively a 'none' result.~softfailSomewhere between rigorous 'fail' and an apathetic 'neutral', the clientsender is not authorized to send email on behalf of the domainhowever the message should probably not be rejected based on the lackof SPF authorization.-failThe client is not authorized to send email on behalf of the domain.An all term without a qualifier will default to +all, while a record withouteither an all or redirect term will default to ?all.For example, the record"v=spf1 all"is identical to"v=spf1 +all"This essentially declares that everybody is free to abuse the reputation of a domain by sendingemail on their behalf. Similarly,"v=spf1"without an all term is the same as"v=spf1 ?all"thus declaring 'meh, send emails from our domain or whatever, we don't care'.Obviously, either of these defaults weakens the email security of your organization.The minimal standard for an all term should be the soft failing ~all.Combined with DMARC intelligence...the organization can move toward a stricter -all.
Fraudmarc can help you with all of your email security protocol needs.
Fraudmarc’s intuitive tools help with managing and monitoring as many authorized senders as required for your business. Fraudmarc continuously monitors and updates SPF records using SPF Compression, so the number of DNS lookups needed to authenticate all of your authorized senders is minimized. Fraudmarc simplifies management of SPF, as well as DKIM and DMARC, with user-friendly tools and recommendations. In addition, Fraudmarc’s offers free DMARC reports, so you will have the tools and information you need to configure your policies accurately.
