SPF Record (Strict)
Same as the SPF Record check, plus verifies the record uses an enforcing policy. SPF supports four "all" qualifiers:
| Qualifier | Meaning | Strict check |
|---|---|---|
-all | Hard fail (reject unauthorized IPs) | passes |
~all | Soft fail (mark as suspicious) | passes |
?all | Neutral (no policy) | fails |
+all | Pass everything (effectively no SPF) | fails |
| missing | Implicit ?all | fails |
A ?all policy provides no enforcement value to receivers, which is usually a configuration mistake. Use this check on domains where you want to enforce that SPF actually does something.
Applies to: URIBL and URI hosts.
How It Works
Same lookup as the basic SPF Record check, with one extra step: we walk the SPF tokens looking for the all mechanism and verify the qualifier.
When the record uses redirect=, we follow the redirect target's SPF (up to 5 levels with cycle detection) and check its all qualifier instead. This is necessary because many SaaS senders delegate SPF management via redirect=.
Fails On
- No SPF record found.
- More than one SPF record found.
- No
allmechanism in the record (or its redirect target). allqualifier is?(neutral) or+(pass-everything).redirect=chain has a cycle.
Related Checks
- SPF Record - basic version that accepts any policy.
- SPF Lookup Limit - verifies the SPF record stays under RFC 7208's 10-DNS-lookup cap.