Drew McCurdy

asked on

Improving email reputation with SPF "Hard Fail"

We’ve recently worked with our email provider (we outsource) to create and add DKIM, SPF, and DMARC records in an effort to improve our domain’s email reputation, specifically with Google, as email to Gmail accounts has been getting denied as of late. I will say that it’s made a significant improvement in mail getting through.

However, in one DMARC report from Google, there are blocks of IPs in Hong Kong and other countries spoofing our domain. I thought about editing the SPF record with a “-all” in order to “Hard Fail” any servers that aren’t in our list of approved senders, but given my inexperience, I’m concerned about False Positives. Currently, we are “Soft Failing” with “~all”. Any recommendations here?
David Favor

1) We’ve recently worked with our email provider (we outsource) to create and add DKIM, SPF, and DMARC records in an effort to improve our domain’s email reputation, specifically with Google, as email to Gmail accounts has been getting denied as of late. I will say that it’s made a significant improvement in mail getting through.

I just went through this recently for a project.

What I can say is this: so long as your DKIM is working + your SPF records are set to loose, you'll be good.

For the first few days of this project, I was actually sending out of an IP missing from SPF + Gmail accepted 100% of email, at a rate of 15K+/day.

2) However, in one DMARC report from Google, there are blocks of IPs in Hong Kong and other countries spoofing our domain.

This is working exactly as expected. Spoofers will either be blocked completely or will end up in Spam folders.

3) I thought about editing the SPF record with a “-all” in order to “Hard Fail” any servers that aren’t in our list of approved senders, but given my inexperience, I’m concerned about False Positives. Currently, we are “Soft Failing” with “~all”. Any recommendations here?

Generally ~all is better. This allows for some problems of your actual mail relay service, while still blocking or Spamming spoofers.


Tip: Be very careful your DKIM is actually working. The easy way to tell is to send an email to any Gmail user, then...

Select the message -> select more (3x dots) -> Original message -> Ensure the DKIM line (last line of message headers) shows pass, rather than fail.
As long as you have the correct hosts defined in SPF and a minimum of included lookups in SPF, you should be fine.

Further, if you are using bulk email providers, delegate subdomains of your main SMTP domains to the bulk service providers to send out bulk emails.
This will keep your base domain reputation intact / untouched, and SPF / DKIM / DMARC will get checked against the subdomain. If that gets compromised, you can revoke it at any time and build another subdomain.

Also, do not forget to add the bulk email providers' SPF as included lookups in SPF.
Drew McCurdy

ASKER

Based on your comments, it sounds like, for now, I should leave well enough alone. Thanks for your input. Greatly appreciated! Drew
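
Added example, not part of the original thread: one way to gauge the false-positive risk raised in the question is to read it off the DMARC aggregate reports already being received, by listing the sources whose SPF result on your own domain is currently `softfail` (the result `-all` would turn into `fail`) and splitting them by whether DKIM still passes. It assumes the RFC 7489 aggregate report layout without an XML namespace; the function name `triage` and the sample report (documentation IP ranges, `example.com`) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout; not real report data.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>940</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>35</count>
   <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.44</source_ip><count>212</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
 </record>
</feedback>"""

def triage(report_xml):
    """Group source IPs by what a change from ~all to -all would mean for them."""
    # Reports come from third parties: use a hardened XML parser (e.g. defusedxml) in production.
    root = ET.fromstring(report_xml)
    domain = root.findtext("policy_published/domain")
    out = {"unaffected": {}, "review_before_hard_fail": {}, "unauthenticated": {}}
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count", "0"))
        dkim_aligned = rec.findtext("row/policy_evaluated/dkim") == "pass"
        # A softfail on our own domain is exactly the result "-all" would turn into fail.
        softfails = any(s.findtext("domain") == domain and s.findtext("result") == "softfail"
                        for s in rec.findall("auth_results/spf"))
        if not softfails:
            bucket = "unaffected"
        elif dkim_aligned:
            bucket = "review_before_hard_fail"  # real sender or forwarder missing from SPF
        else:
            bucket = "unauthenticated"          # fails both checks, consistent with spoofing
        out[bucket][ip] = out[bucket].get(ip, 0) + count
    return out

if __name__ == "__main__":
    for bucket, sources in triage(SAMPLE_REPORT).items():
        print(bucket, sources)
```

Sources in `review_before_hard_fail` are the ones to check against your list of approved senders before tightening the record; forwarded mail also lands there because forwarding keeps the DKIM signature but changes the sending IP.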