SPF and the difference between fail and soft fail

Discussion in 'Tips/Tricks/Mods' started by sgrayban, Dec 11, 2006.

  1. sgrayban

    sgrayban New Member

    Ever looked at your SPF records that ISPConfig creates for you? Remember that last critical question it asked when you created it?
    When you answer 'yes' it sets the 'softfail' setting which isn't always a good thing. The softfail is "~all" which means that your domain can still be spoofed because most email servers allow mail to still go through with that error.

    A complete fail is "-all" which means if it doesn't come from any of the assigned IP's or MX its fake and do not trust it.

    I changed the default behaviour from ~all to -all since that would be the correct way to do it now. SPF is very stable and there is no real reason to allow a 'softfail' or 'tempfail' to happen still. That was the old way to do it while SPF was still in beta and it isn't anymore.

    If you want to change the default way edit the file
    search for '~all' and change to '-all'. It's around line 258.
        if($spfrecord['all_'] == 1){
          $spf .= '-all';
        } else {
          $spf .= '?all';
    That's it. Now if email is sent from outside the defined settings receiving email servers that check for SPF will discard and fail the email and prevent spoofing of your domains by spammers.

Share This Page