SPF: Is ?all safe, and is it any different from having no policy at all?

by Chris   Last Updated August 14, 2019 18:00 PM

A company I started working with had no SPF records on their domain. They are using multiple services (Google Apps and Shopify) that are sending e-mails from the company's domain with the company's domain in the Return-Path. They never experienced problems.

The company has started using a new online customer service app, and some of those customer emails went to spam. To which their support responded that we can fix it by adding v=spf1 include:spf.gorgias.io ?all.

I was unaware that they didn't have any SPF records so I helped them out by including the google apps and shopify SPF records as well. But that resulted in too many lookups.

I'm deciding what to do right now but I have some trouble understanding the repercussions of some of these changes;

  1. Let's say we had just added the gorgias spf record as they suggested. What would that have done to the spf validation against the services like shopify that were already sending emails? Do they now have a bigger risk of ending up in spam, or is there no change there since there was no SPF record before?

  2. Is ?all a safe option to use? Or should we go for a ~all qualifier and figure out a way around the amount of lookups. like using a different subdomain for support requests for example. If I understand correctly, now every sending server is allowed to pass with ?all.

Thank you very much

Tags : spf

Related Questions