Dmarc SPF policy set to FAIL or SOFT FAIL

Is it okay to have my dmarc SPF policy set to FAIL, or should it be SOFT FAIL? How do I reconfigure it?

That’s the best you can ever do, for your domains.

I would always say aim for the strictest possible policy (e.g. SPF “-all”, and DMARC “p=reject; sp=reject; np=reject;”).

However, as I have said previously, you will want to keep an eye on the “Note”:


  1. Find all your DNS record(s) with the type TXT, where the content starts with “v=spf1”.

  2. For those SPF record(s), you need to change the end of them to become “-all”.
    If they currently have another ending, e.g. “?all” (neutral), or “~all” (softfail) as you mention, replace the character before “all” with “-”, so it becomes “-all”.

After this change, Cloudflare Email Routing (and likely others) may similarly, and consistently with the “Note” above, start rejecting the messages that you send towards them, if your own messages fail to comply with your new policy, unless e.g. a valid DKIM signature overrides the result of the SPF check on the destination.
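The two-step procedure above (find the TXT records that start with “v=spf1”, then change the qualifier on the terminal “all” to “-”) can be scripted. The following is an added example, not code from the original post or from Cloudflare: the zone data in `SAMPLE_TXT_RECORDS` is constructed for illustration, and the function names (`harden_spf`, `plan_changes`, `spf_all_qualifier`) are my own. It also covers the cases a practitioner hits in practice: an SPF record with no “all” term at all (implicit neutral), a record that delegates through `redirect=` (where appending “-all” would silently disable the redirect, so it is left alone and flagged), and a name with more than one SPF record (a permanent error per RFC 7208 that must be merged before any hardening).

```python
"""Find SPF TXT records in a set of zone data and harden their "all" qualifier to "-all"."""
import re

# Qualifier prefix on the "all" mechanism -> SPF result for senders matched only by "all".
QUALIFIER_RESULT = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}

# Constructed sample zone data (not real records): name -> list of TXT record contents.
SAMPLE_TXT_RECORDS = {
    "example.com": [
        "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ~all",
        "google-site-verification=abc123",
    ],
    "mail.example.com": ["v=spf1 a mx ?all"],
    "shop.example.com": ["v=spf1 redirect=_spf.example.com"],
    "old.example.com": ["v=spf1 mx"],
    "www.example.com": ["v=DKIM1; k=rsa; p=MIGf..."],
}

# The "all" mechanism with an optional qualifier; an unqualified "all" means "+all".
ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)


def is_spf_record(txt):
    """RFC 7208: an SPF record is a TXT record whose first term is exactly 'v=spf1'."""
    return txt.split(" ", 1)[0].lower() == "v=spf1"


def spf_all_qualifier(record):
    """Return the qualifier on the 'all' term ('+' if unqualified), or None if absent."""
    for term in record.split()[1:]:
        m = ALL_TERM.match(term)
        if m:
            return m.group(1) or "+"
    return None


def harden_spf(record):
    """Return (new_record, note) with the 'all' mechanism set to '-all'."""
    if not is_spf_record(record):
        raise ValueError(f"not an SPF record: {record!r}")
    terms = record.split()
    for i, term in enumerate(terms[1:], start=1):
        if ALL_TERM.match(term):
            if term == "-all":
                return record, "already -all; unchanged"
            terms[i] = "-all"
            return " ".join(terms), f"{term} -> -all"
    # No 'all' term: the default result is neutral. If a redirect= modifier is present,
    # the policy lives in the target record and adding 'all' would make the redirect be
    # ignored (RFC 7208 section 6.1), so leave the record alone and report it.
    if any(t.lower().startswith("redirect=") for t in terms[1:]):
        return record, "redirect= present; policy is in the target record, unchanged"
    return record + " -all", "no 'all' term (implicit neutral); appended -all"


def plan_changes(zone_records):
    """Map each name that has SPF to (hardened record or None, note), flagging permerrors."""
    plan = {}
    for name, txts in zone_records.items():
        spf = [t for t in txts if is_spf_record(t)]
        if not spf:
            continue  # no SPF at this name; nothing to harden
        if len(spf) > 1:
            plan[name] = (None, "multiple SPF records: permerror, merge into one first")
            continue
        plan[name] = harden_spf(spf[0])
    return plan


if __name__ == "__main__":
    for name, (new_record, note) in plan_changes(SAMPLE_TXT_RECORDS).items():
        print(f"{name}: {note}")
        if new_record:
            print(f"    {new_record}")
```

To feed it real data instead of the constructed sample, pull the TXT records for each name with `dig +short TXT example.com` and build the same name-to-list mapping; the script never changes DNS itself, it only tells you which records to edit and what they should become.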

