From 2d9aa20b366dc3f446d6e360aa08829f08e5177a Mon Sep 17 00:00:00 2001
From: KiekerJan
Date: Fri, 10 Mar 2023 21:29:05 +0100
Subject: [PATCH] softfail SPF
---
 management/dns_update.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/management/dns_update.py b/management/dns_update.py
index 0b6eb676..90ce0fe0 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -308,11 +308,12 @@ def build_zone(domain, domain_properties, additional_records, env, is_zone=True)
 if not has_rec(None, "MX", prefix="10 "):
 records.append((None, "MX", "10 %s." % env["PRIMARY_HOSTNAME"], "Required. Specifies the hostname (and priority) of the machine that handles @%s mail." % domain))
- # SPF record: Permit the box ('mx', see above) to send mail on behalf of
- # the domain, and no one else.
+ # SPF record: Permit the box ('mx', see above) to send mail on behalf of the domain,
+ # and no one else. Set to softfail because we also have DMARC and DKIM as discussed
+ # here: https://www.mailhardener.com/blog/why-mailhardener-recommends-spf-softfail-over-fail
 # Skip if the user has set a custom SPF record.
 if not has_rec(None, "TXT", prefix="v=spf1 "):
- records.append((None, "TXT", 'v=spf1 mx -all', "Recommended. Specifies that only the box is permitted to send @%s mail." % domain))
+ records.append((None, "TXT", 'v=spf1 mx ~all', "Recommended. Specifies that only the box is permitted to send @%s mail." % domain))
 # Append the DKIM TXT record to the zone as generated by DKIMpy.
 # Skip if the user has set a DKIM record already.
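Review bot: The switch to `~all` on the SPF `records.append` line makes spoofing protection depend on an enforcing DMARC policy, but nothing in this hunk checks that one is published; the DMARC record is presumably built elsewhere in build_zone, which starts and ends outside the hunk. With softfail, a receiver that does not evaluate DMARC, or a zone where the admin has overridden DMARC with `p=none`, will accept mail from hosts other than the box where `-all` would have let it reject. I would state that dependency in the comment, e.g. `# Softfail is only safe while an enforcing DMARC policy (p=quarantine or p=reject) is published for this domain.`, and keep `-all` when a custom DMARC record is present. The explanation string still reads "only the box is permitted", which overstates a softfail; something like `"Recommended. Specifies that only the box is expected to send @%s mail; other senders are marked suspicious (softfail)."` would match what is published.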