cPanel SPF records always configured for SOFTFAIL, why?

jols

Hi,

I keep reading this sort of thing:

Publishing an SPF record that uses -all instead of ~all may result in delivery problems.

So I am wondering why all cPanel SPF records are automatically established with SOFTFAIL "~all", rather than "-all"?
 

kdean

Softfail "~all" is a safe default because receiving mail servers will not as likely block it or send it to a spam folder.

When you set it to "-all" you better make sure that you have all the included servers, IPs, etc. that send email with your domain, otherwise the SPF record will indicate that a server may not be authorized to send mail on behalf of your domain.

So, if you know you have everything you need, then go ahead and set it to "-all" in my opinion.
 

jols

Thanks very much for the clarification. This is something I've been grappling with for years, and you've explained it clearly.
 

cPanelMichael

Administrator
Staff member
Hello :)

Yes, the consensus is to avoid hard fails on SPF records since it breaks email forwarding unless the forwarding server uses SRS. The "~all" entry is generally preferred since it gets messages from non-standard senders bumped up in spam detection systems, but doesn't outright fail them.

Thank you.
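
An added illustration of the replies above (not code from any poster or from cPanel): a simplified SPF evaluator that handles only the ip4, ip6 and all terms, run against constructed records and documentation-range addresses. It shows the same forwarded message getting "fail" under -all, "softfail" under ~all, and "pass" once the forwarder rewrites the envelope sender with SRS. The domains, IPs and function names are assumptions made for the example.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208); a term with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate a simplified SPF record for the connecting client_ip.

    Only ip4, ip6 and all are understood; terms that need DNS lookups
    (include, a, mx, ...) are skipped, which a real evaluator must not do.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term[1:] if term[0] in QUALIFIERS else term
        name, _, value = mechanism.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

# Constructed sample data: RFC 5737 documentation addresses, not real hosts.
HARD = "v=spf1 ip4:192.0.2.10 -all"            # sender domain, hard fail
SOFT = "v=spf1 ip4:192.0.2.10 ~all"            # sender domain, soft fail
FORWARDER = "v=spf1 ip4:198.51.100.0/24 -all"  # forwarding host's own domain
ORIGIN_IP = "192.0.2.10"       # the sender's authorized mail server
FORWARDER_IP = "198.51.100.25"  # server that relays the message onward

def scenarios():
    return {
        "direct, -all": check_spf(HARD, ORIGIN_IP),
        # Forwarding keeps the original envelope sender, so the receiver
        # checks the sender's record against the forwarder's IP.
        "forwarded, -all": check_spf(HARD, FORWARDER_IP),
        "forwarded, ~all": check_spf(SOFT, FORWARDER_IP),
        # With SRS the envelope sender is rewritten to the forwarder's
        # domain, so the forwarder's own record is the one evaluated.
        "forwarded with SRS": check_spf(FORWARDER, FORWARDER_IP),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20} -> {result}")
```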