cPanel SPF records always configured for SOFTFAIL, why?

jols

Hi,

I keep reading this sort of thing:

Publishing an SPF record that uses -all instead of ~all may result in delivery problems.

So I am wondering why all cPanel SPF records are automatically established with SOFTFAIL "~all", rather than "-all"?
 

kdean

Softfail "~all" is a safe default because receiving mail servers are less likely to block it or send it to a spam folder.

When you set it to "-all", you'd better make sure that you have all the included servers, IPs, etc. that send email with your domain; otherwise the SPF record will indicate that a server may not be authorized to send mail on behalf of your domain.

So, if you know you have everything you need, then go ahead and set it to "-all" in my opinion.
 

jols

Thanks very much for the clarification. This is something I've been grappling with for years, and you've explained it clearly.
 

cPanelMichael

Administrator
Staff member
Hello :)

Yes, the consensus is to avoid hard fails on SPF records since it breaks email forwarding unless the forwarding server uses SRS. The "~all" entry is generally preferred since it gets messages from non-standard senders bumped up in spam detection systems, but doesn't outright fail them.

Thank you.
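
An added example (not part of the original posts and not cPanel's code): a minimal Python SPF evaluator covering only the ip4, ip6, include and all mechanisms, showing why a forwarded message gets softfail under "~all", fail under "-all", and pass once the forwarder rewrites the envelope sender SRS-style. All domains, IP addresses and the SRS-style address are constructed for illustration.

```python
import ipaddress

# Constructed SPF records (documentation domains and IP ranges, not real data).
SPF_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 -all",
    "forwarder.example.org": "v=spf1 ip4:203.0.113.5 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, records=SPF_TXT, depth=0):
    """Evaluate a subset of RFC 7208 (ip4, ip6, include, all) for a MAIL FROM domain."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                  # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the nested evaluation returns pass
            matched = check_spf(arg, client_ip, records, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue                # a, mx, exists, etc. are outside this sketch
        if matched:
            return RESULTS[qualifier]
    return "neutral"

def with_policy(policy):
    """Copy of the constructed zone with example.com ending in the given 'all' term."""
    zone = dict(SPF_TXT)
    zone["example.com"] = zone["example.com"].rsplit(" ", 1)[0] + " " + policy
    return zone

def envelope_domain(mail_from):
    return mail_from.rsplit("@", 1)[1]

if __name__ == "__main__":
    srs = "SRS0=HASH=TT=example.com=alice@forwarder.example.org"  # constructed SRS-style address
    for policy in ("~all", "-all"):
        print(policy, "forwarded, no SRS:", check_spf("example.com", "203.0.113.5", with_policy(policy)))
    print("forwarded, SRS:", check_spf(envelope_domain(srs), "203.0.113.5"))
```

Without SRS the receiver checks the forwarder's IP against the original sender's record, so the result depends entirely on the "all" qualifier; with SRS the check runs against the forwarder's own record.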
 

eugenevdm.host

...
Yes, the consensus is to avoid hard fails on SPF records since it breaks email forwarding unless the forwarding server uses SRS. The "~all" entry is generally preferred since it gets messages from non-standard senders bumped up in spam detection systems, but doesn't outright fail them.
...
More incredible knowledge that I never knew! Thank you, was wondering why we are getting hard fails on forwarders.

@kdean, sorry for replying to a 7-year-old post, but fortunately SRS is now available:

whm_srs_support_via_exim.png
 

eugenevdm.host

Yeah, replies this old make me go, "Wait, that's me up above. What did I have to say? What was I talking about?" ... and do I still agree with myself? And I still do.
For the good of the next generation I sometimes reply to old posts to send good karma for solved problems, because, frankly, it makes me happy. Ahem.