Hello! I'm new to email setup and today I want to set up an SPF DNS record. I've already read this article: https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/ So I want to authorize the servers from the MX records. And I believe the -all option is more secure, but I'm not sure if it's "too strict" in refusing unauthorized emails, while the ~all option allows spam. I would like to know from you, who have more experience, which of these records should be used for secure and professional email. Thank you very much.
SPF is for receivers of mail from your domain to verify whether it's coming from a trusted server; in short, to prevent spammers from being able to misuse your domain. Most secure is using the -all option, as it's more strict, unless you're not entirely sure your SPF record contains all servers that may send mail from your domain. People often forget the web server hosting their website, which has a form. Next to SPF, also create a DMARC record. It's mandatory for more and more mail servers every day. If you have none, it's possible your sent mail will be rejected just for that reason. And implement DKIM if you can (it's default functionality in ispconfig's mail server, but you have to activate it).
Start with ~all. Yes, it'll still allow other servers to send mail, but they should get marked as suspicious in some way. Then, as suggested above, set up DMARC: start by setting it to p=none, or at most p=quarantine, and have it send report messages to an address you can access. Leave the settings like that for an extended period, checking the report emails during this period. Once you're happy that every server that should be allowed to send mail for that domain is able to send mail properly everywhere without issues, you can then think about switching the SPF record to use -all, and the DMARC record to use p=reject. I know it's tempting to start off with the strictest quarantine/rejection settings, but it's harder to tell if anything's going wrong, and why.
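Editor's added example (not code from the thread or from any poster): the two replies above describe a staged rollout, an mx-only record with ~all first, then the full record with -all once DMARC reports show every legitimate sender. The small Python evaluator below makes the difference between ~all and -all concrete, including the "forgotten web form" case, and builds the DMARC value for each stage. The zone data, hostnames, sender IPs and report address are constructed for the example (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24); the evaluator deliberately covers only the ip4, ip6, a, mx, include and all mechanisms and returns permerror for anything else rather than guessing.

```python
import ipaddress

# Constructed zone data standing in for DNS (hypothetical names, documentation
# IP ranges); a real evaluator would resolve these with DNS queries.
ZONE = {
    "example.com":      {"MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["192.0.2.10"]},
    "www.example.com":  {"A": ["192.0.2.20"]},   # web server with a contact form
    "_spf.example.net": {"TXT": ["v=spf1 ip4:198.51.100.0/24 -all"]},  # third-party sender
}

# Constructed sources that might emit mail claiming to be from example.com.
SENDERS = {
    "mail server":        "192.0.2.10",
    "web form":           "192.0.2.20",
    "newsletter service": "198.51.100.7",
    "spammer":            "203.0.113.5",
}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, zone=ZONE):
    return zone.get(name, {}).get(rtype, [])


def evaluate_spf(record, client_ip, domain, zone=ZONE, depth=0):
    """Evaluate a v=spf1 record for one sending IP.

    Supports the ip4, ip6, a, mx, include and all mechanisms with the
    +, -, ~ and ? qualifiers.  Anything else (ptr, exists, redirect=, macros)
    returns permerror instead of guessing.  Result names follow RFC 7208.
    """
    if depth > 10:                      # guard against include loops
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)

    for term in terms[1:]:
        if "=" in term:                 # modifier (redirect=, exp=): not handled here
            return "permerror"
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        target = arg or domain          # a/mx without an argument use the current domain

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:          # malformed address or prefix
                return "permerror"
        elif name == "a":
            matched = any(ip == ipaddress.ip_address(a) for a in lookup(target, "A", zone))
        elif name == "mx":
            matched = any(ip == ipaddress.ip_address(a)
                          for mx in lookup(target, "MX", zone)
                          for a in lookup(mx, "A", zone))
        elif name == "include":
            sub = [t for t in lookup(arg, "TXT", zone) if t.lower().startswith("v=spf1")]
            if len(sub) != 1:           # missing or duplicate SPF record is a permerror
                return "permerror"
            inner = evaluate_spf(sub[0], client_ip, arg, zone, depth + 1)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"   # only a pass from the included record matches
        else:
            return "permerror"

        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # nothing matched and no "all" term present


def check_senders(spf_record, domain="example.com", senders=SENDERS, zone=ZONE):
    """Map each constructed sender to the SPF result the record gives it."""
    return {who: evaluate_spf(spf_record, ip, domain, zone) for who, ip in senders.items()}


def dmarc_record(policy, report_address):
    """Build the DMARC TXT value for _dmarc.<domain>; policy is none/quarantine/reject."""
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(policy)
    return f"v=DMARC1; p={policy}; rua=mailto:{report_address}"


if __name__ == "__main__":
    # Staged rollout from the thread: mx-only with ~all, the same with -all
    # (which now rejects the forgotten web form), then the complete record.
    for rec in ("v=spf1 mx ~all",
                "v=spf1 mx -all",
                "v=spf1 mx a:www.example.com include:_spf.example.net -all"):
        print(rec, check_senders(rec))
    print(dmarc_record("none", "dmarc-reports@example.com"))
```

With the mx-only record, the web form and the newsletter service come out as softfail under ~all but as fail under -all, which is exactly the breakage the replies warn about; only the record that also lists a:www.example.com and the include for the third-party sender gives pass for every legitimate source and fail for the spammer. The SPF value is published as a TXT record at the domain apex and the DMARC value as a TXT record at _dmarc.<domain>; the evaluator here reads from the constructed ZONE dictionary instead of DNS so it runs offline.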
It depends on whether you're in full control of everything related to the domain in question. When it's a domain of a customer, of which you don't exactly know what they are all doing with it, then you're absolutely right.
SPF policy (or policies) have to be as strict as possible. Combine them with blocklists. Not the ones publicly available where you can pay to be delisted (circa 99% of well-known public lists) but a real one, written from scratch by you. Beware: it will grow significantly over time; that's good; the more entries, the better and cleaner browsing experience you have.
Of course, but that wasn't the discussion at all. As a hoster you can only do so much based on the info given by your customer. And they always forget something and then come knocking that they're having issues with their mail flow. Only when you know ALL the ins and outs can you go to the max. So when you're just starting, like @natanfelles, you don't start at the top but work your way towards it, step by step, testing everything at every step. That has nothing to do with SPF! Blocklists are for filtering inbound mail, while SPF gives the receiving end a way to verify the origin of your outbound mail.