We believe that an SPF record should end in ~all rather than in -all. The answer to why we advise this is two-sided:
- -all could lead to problems with the SPF record itself;
- -all doesn't add additional safety to the record (compared to ~all)
Let's take a deeper dive into how that works.
Why -all could lead to problems with the SPF record
Forwarding and replying to messages is often done without rewriting the Return-Path. This causes the receiving server to perform an SPF check on the wrong (intermediate) host. Obviously, this leads to unexpected 'rejected' messages. Although this is just a configuration error, there are much riskier situations where -all can lead to problems:
Example: when you purchase a domain and have it forwarded to a mailbox of a large provider, such as Microsoft: Microsoft does an SPF check that, of course, fails. In practice, however, this means that the -all policy leads to direct bouncing or spam classification of the mail, while ~all only increases the "spam score", without immediately deciding whether the email passes the check.
Why -all isn't safer than ~all, considering DMARC
SPF itself only checks the Return-Path (MAIL FROM), not the header From (the one that is visible to your recipient). This makes SPF non-effective without a proper DMARC policy. Spammers can easily use an SPF-validated Return-Path and still use a spoofed header From. This is why SPF needs a DMARC policy. However, DMARC treats -all and ~all equally, according to its RFC. So if you take into account the problems that arise with an -all qualifier, using ~all is the better option.
Although -all should be better, the result is this policy is extra bounces. For these bounces, we (as the sender) are held accountable. So, how tempting the -all policy may be, there are close to zero scenarios where this provides extra security.