4

In an SPF record, the -all option means “I am whitelisting just the machines/domains I am explicitly listing here, and no other servers can originate email for this domain.”

So what does it mean when one uses the include: option in an SPF record to include a second SPF record, and that secondary SPF record has -all? What is the effect of it being there?

3 Answers

4

The include mechanism will trigger a recursive evaluation for the included record. If this evaluation fails (e.g. by a -all in the included record), the result of the include mechanism will be considered a "Not match". So in practice a -all mechanism (or any other mechanism with - qualifier) in an included SPF record does not have any effect on the evaluation of the primary record.

A full overview of how the include mechanism affects the evaluation of the primary record can be seen in the table in section 5.2 of RFC 7208 (https://www.rfc-editor.org/rfc/rfc7208#section-5.2)

4

For an SPF check to pass, the sending IP address must pass at least one of the mechanisms. Include mechanisms test the incoming IP address using the included SPF record and 'return' the result.

Using your example:

a.example.com    IN TXT "v=spf1 include:b.example.com +all"
b.example.com    IN TXT "v=spf1 -all"

The included record will return fail, since it only contains a -all mechanism. However, the first record will pass because it has a +all mechanism.

Using a more detailed example:

a.example.com            IN TXT "v=spf1 ip4:1.2.3.4 mx include:spf.example.org -all"
a.example.com            IN MX  0 mailserver.example.com
mailserver.example.com   IN A   1.2.3.5
spf.example.org          IN TXT "v=spf1 ip4:4.3.0.0/16 -all"

I will write down the result of each mechanism in the same order they are specified in the record. So, the results will be formatted as such:

  • a.example.com: [ip4] [mx] [include] [-all]
  • spf.example.org: [ip4] [-all]

With the following sender addresses:

1.2.3.4

  • spf.example.org -> fail fail
  • a.example.com -> pass fail fail fail

The final result will be pass, since at least one check passed.

1.2.3.5

  • spf.example.org -> fail fail
  • a.example.com -> fail pass fail fail

The final result will be pass, since at least one check passed.

4.3.10.20

  • spf.example.org -> pass fail
  • a.example.com -> fail fail pass fail

The final result will be pass, since at least one check passed.

TL;DR: The include mechanism is evaluated separately and the result passed back to the evaluation of the record that included it. Record evaluation fails if no mechanisms match. Since you ended your example with +all, it will always match and therefore pass.

Cas
  • 2,014
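As an added illustration (my own code, not part of the answer above): a toy Python evaluator for the records in this answer, using an in-memory DNS table constructed from them plus a constructed c.example.com that mirrors the question's include-with-+all case. It shows that a -all inside an included record only makes the include term "not match", so evaluation of the outer record continues with its next term.

```python
import ipaddress

# Constructed in-memory "DNS" standing in for the records in the answer above.
DNS = {
    "a.example.com": {"TXT": "v=spf1 ip4:1.2.3.4 mx include:spf.example.org -all",
                      "MX": ["mailserver.example.com"]},
    "mailserver.example.com": {"A": ["1.2.3.5"]},
    "spf.example.org": {"TXT": "v=spf1 ip4:4.3.0.0/16 -all"},
    "b.example.com": {"TXT": "v=spf1 -all"},
    "c.example.com": {"TXT": "v=spf1 include:b.example.com +all"},  # question's case
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Simplified RFC 7208 check_host(): returns the SPF result for ip/domain."""
    if depth > 10:
        return "permerror"          # include recursion limit
    record = DNS.get(domain, {}).get("TXT")
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        name, _, arg = mech.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            hosts = DNS.get(arg or domain, {}).get("MX", [])
            matched = any(str(ip) in DNS.get(h, {}).get("A", []) for h in hosts)
        elif name == "include":
            # The included record is evaluated recursively; only a "pass" there
            # counts as a match. A -all inside it yields "fail", which is merely
            # "no match" for this term, so the outer evaluation keeps going.
            matched = check_host(str(ip), arg, depth + 1) == "pass"
        else:
            return "permerror"      # mechanism not implemented in this toy
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                # nothing matched and no "all" term present

if __name__ == "__main__":
    for sender in ("1.2.3.4", "1.2.3.5", "4.3.10.20", "9.9.9.9"):
        print(sender, "a.example.com ->", check_host(sender, "a.example.com"))
    print("9.9.9.9 c.example.com ->", check_host("9.9.9.9", "c.example.com"))
```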
0

The -all at the end is interpreted after any includes are handled.

Its purpose is to communicate how emails not sent through the listed resources should be treated.

-all means drop them as forgeries while ~all means they might still be legitimate and should be treated with more suspicion.

fixer1234
  • 28,064
davidgo
  • 73,366