"v=spf1 mx ~all" versus "v=spf1 mx -all"

Discussion in 'Server Operation' started by natanfelles, Sep 2, 2025 at 10:00 PM.

  1. natanfelles

    natanfelles New Member

    Hello!

    I'm new to email setup and today I want to set up an SPF DNS record.
    I've already read this article:
    - https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/

    So I want to authorize the servers from the MX records.
    And, I believe the -all option is more secure. But I'm not sure if it's "too strict" in refusing unauthorized emails.
    And the ~all option allows spam.

    I would like to know from you, who have more experience, which of these records should be used for secure and professional email.

    Thank you very much.
     
    Last edited: Sep 2, 2025 at 11:09 PM
  2. remkoh

    remkoh Active Member HowtoForge Supporter

    SPF is for receivers of mail from your domain to verify if it's coming from a trusted server.
    In short, to prevent spammers being able to misuse your domain.

    Most secure is using the -all option. It's more strict.
    Unless you're not entirely sure your SPF record contains all servers that may send mail from your domain.
    People often forget the webserver hosting their website which has a form.

    Next to SPF also create a DMARC record.
    It's mandatory to exist for more and more mailservers every day.
    If you have none it's possible your sent mail will be rejected just for that reason.

    And implement DKIM if you can (it's default functionality in ispconfig's mailserver but you have to activate it).
     
    Last edited: Sep 3, 2025 at 2:15 AM
  3. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    start with ~all
    yes, it'll still allow other servers to send mail. but they should get marked as suspicious in some way.

    then, as suggested above, set up DMARC, start with setting it using p=none, or at most, p=quarantine and have it set to send report messages to an address you can access.

    leave the settings like that for an extended period, checking the report emails during this period.
    once you're happy that every server that should be allowed to send mail for that domain is able to send mail properly everywhere without issues you can then think about switching the SPF record to use -all, and the DMARC record to use p=reject.

    i know it's tempting to start off with the strictest quarantine/rejection settings, but it's harder to tell if anything's going wrong, and why.
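To see concretely how a receiver treats the two records in this thread, here is a small added example (not code from the thread or from ISPConfig) that evaluates a sender IP against an SPF record using only the `mx` and `all` mechanisms. It replaces DNS with constructed in-memory MX/A data for example.com, so the names and addresses are assumptions; it then shows the staged rollout described above (~all with p=none, then -all with p=reject).

```python
import ipaddress

# Constructed stand-in for DNS lookups (assumed values, no network access).
MX_HOSTS = {"example.com": ["mail.example.com"]}      # assumed MX records
A_RECORDS = {"mail.example.com": ["203.0.113.10"]}    # assumed A records

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, domain, sender_ip):
    """Evaluate a minimal SPF record (only 'mx' and 'all' are modeled).

    Returns one of: pass, fail, softfail, neutral, none.
    '~all' yields softfail for unlisted senders, '-all' yields fail.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                     # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                   # default qualifier per RFC 7208
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.lower()
        if name == "mx":
            matched = any(ipaddress.ip_address(a) == ip
                          for host in MX_HOSTS.get(domain, [])
                          for a in A_RECORDS.get(host, []))
        elif name == "all":
            matched = True
        else:
            continue                      # other mechanisms not modeled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                      # no mechanism matched


# Staged rollout from the thread: permissive first, strict once reports are clean.
ROLLOUT = [
    ("v=spf1 mx ~all", "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"),
    ("v=spf1 mx -all", "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"),
]

if __name__ == "__main__":
    for spf, dmarc in ROLLOUT:
        print(f"SPF: {spf!r}  DMARC: {dmarc!r}")
        print("  mail from MX host 203.0.113.10:", check_spf(spf, "example.com", "203.0.113.10"))
        print("  mail from unlisted 198.51.100.7:", check_spf(spf, "example.com", "198.51.100.7"))
```

The web form server mentioned earlier would show up as the "unlisted" case: softfail under ~all, hard fail under -all.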
     
  4. remkoh

    remkoh Active Member HowtoForge Supporter

    Depends on if you're in full control of everything domain related regarding the domain in question.
    When it's a domain of a customer of which you don't exactly know what they are all doing with it then you're absolutely right.
     