SPF Restrictiveness
What This Check Does
The SPF Restrictiveness check examines your SPF record to verify it does not contain "+all" as its catch-all mechanism. The "+all" mechanism tells receiving mail servers that ANY server is authorized to send email on behalf of your domain, completely defeating the purpose of SPF authentication.
DNS Spy parses your SPF record and checks the "all" mechanism. If "+all" is present, this check fails.
Why It Matters
An SPF record with "+all" is worse than having no SPF record at all. It explicitly tells the world that every mail server is authorized to send email as your domain. This is essentially an open invitation for spammers and phishers to abuse your domain. While "~all" (softfail) and "-all" (hardfail) provide increasing levels of protection, "+all" provides none.
This misconfiguration sometimes occurs when administrators copy example configurations without understanding the mechanisms, or when a permissive record set up for testing is never reverted to production settings.
NIST SP 800-81, Section 6, recommends restrictive email authentication policies. DNS Spy helps you identify and correct overly permissive SPF configurations.
NIST SP 800-81 Compliance
Section 6 of the NIST Secure DNS Deployment Guide emphasizes restricting email sending authorization. An SPF record with "+all" directly violates this guidance. DNS Spy monitors your SPF record restrictiveness to ensure compliance with NIST email security recommendations.
Good vs. Bad Configuration
Bad Configuration
"v=spf1 include:_spf.google.com +all" — The +all mechanism authorizes every server on the internet to send email as your domain, nullifying SPF entirely.
Good Configuration
"v=spf1 include:_spf.google.com -all" — The -all mechanism (hardfail) tells receiving servers to reject email from unauthorized servers. Alternatively, "~all" (softfail) flags unauthorized email without outright rejection.
How DNS Spy Monitors This
DNS Spy parses your SPF record during each monitoring cycle and evaluates the "all" mechanism. If "+all" is detected, an alert is triggered immediately. DNS Spy also tracks changes to your SPF record, ensuring that restrictive policies are not accidentally weakened.
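The evaluation described above can be reproduced with a short script. This is an added example, not DNS Spy's own code; the function names are hypothetical, and the input is assumed to be the already-joined text of the TXT record. It goes slightly beyond the literal "+all" string: under RFC 7208 a mechanism with no qualifier defaults to "+", so a bare "all" is treated as "+all", and mechanism names are matched case-insensitively.

```python
# Added example (not DNS Spy's code): classify the "all" mechanism of an SPF record.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def all_qualifier(record):
    """Return the qualifier of the first "all" mechanism, or None if absent."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    for term in terms[1:]:
        t = term.lower()  # mechanism names are case-insensitive
        if t[:1] in QUALIFIERS:
            qualifier, mechanism = t[0], t[1:]
        else:
            qualifier, mechanism = "+", t  # a missing qualifier defaults to "+"
        if mechanism == "all":
            return qualifier
    return None


def check_restrictiveness(record):
    """Return (passed, detail). The check fails when "all" evaluates to pass."""
    qualifier = all_qualifier(record)
    if qualifier is None:
        return True, 'no "all" mechanism present'
    detail = 'effective mechanism "%sall" (%s)' % (qualifier, QUALIFIERS[qualifier])
    return qualifier != "+", detail


if __name__ == "__main__":
    # The first two records are the page's examples; the rest are constructed.
    samples = [
        "v=spf1 include:_spf.google.com +all",
        "v=spf1 include:_spf.google.com -all",
        "v=spf1 include:_spf.google.com ~all",
        "v=spf1 mx all",
        "v=spf1 MX ?ALL",
    ]
    for record in samples:
        passed, detail = check_restrictiveness(record)
        print("%-4s %-40s %s" % ("PASS" if passed else "FAIL", record, detail))
```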