SPF -all instead of ~all by default. Making it default. DNS template change.

needhelppp

Verified User
Joined
Jul 1, 2020
Messages
88
Hi.
I have an issue and would like to find out a couple of things. Maybe someone can help me.

1) I have noticed that recently there are people in various places saying that we should change an SPF record last part in our DNS zones from ~all to -all. For example here: https://help.directadmin.com/item.php?id=596
It says "Be sure your SPF TXT value contains "-all" (not ~all), and you have DKIM setup before proceeding." so I guess that is important. So the first question is WHY is it important? Why does this have to change? What does it actually do and what does it actually change? (I have not found the answers to that yet, but I would like to know).

2) Secondly, after we find out the WHY we have to change it, and if it is a security issue, or technical update of some sort, then the question is How do I make all new DNS records created in DirectAdmin (Domain added) to use this sort of SPF record in it? How do I adjust the default DNS template, basically?
And Why not make -all a default if it is necessary (according to DirectAdmin admins).

3) And here I come to the third question. If there is a need to adjust DNS templates, why is there no easy way to do so, and I have to bother people here and there to find out? cPanel has an integrated DNS template editor. Does DirectAdmin have that? ;/

Thanks!
 
This will update all SPF records in DNS zones on the server to "-all" instead of "~all" :

Code:
sed -i 's/~all/-all/g' /var/named/*.db
echo "action=rewrite&value=named" >> /usr/local/directadmin/data/task.queue

This will set it as your new default:

Code:
sed -i 's/~all/-all/g' /usr/local/directadmin/data/templates/dns_spf.conf

Make sure to request a GUI DNS template updater here: https://feedback.directadmin.com
 
Nice one! Will try this right now.
Maybe you could answer those questions as well? I really would like to know what's the difference between ~all and -all. Why they changed it. And why DirectAdmin did not set the default to -all themselves, but still use ~all, even though they tell us to use -all. :)
Cheers!
 
I really would like to know what's the difference between ~all and -all

Sure. I like to explain it in a more "story-like" way:

Let's say that my domain is mydomain.com, and my SPF record is:

"v=spf1 +a ~all"

Basically what I've said is: "The primary IP of the domain mydomain.com is allowed to send mail for my domain. If you, the recipient, receive mail from a different IP claiming to represent my domain, please do what you want with it."

Now if I change it to:

"v=spf1 +a -all"

I'm now saying: "The primary IP of the domain mydomain.com is allowed to send mail for my domain. If you, the recipient, receive mail from a different IP claiming to represent my domain, please reject it."

Why they changed it.

It's always been the better option, but "~all" assumes maybe you don't keep your SPF record updated with the IPs allowed to send mail for your domain. So if you're lazy or not paying attention, then ~all makes sense. Over time it just became so widely used that people would open with "you should use this" and almost no one ever knew why they did it, they just did what someone told them to do.

why DirectAdmin did not set the default to -all themselves

Fair question. They probably either suspect that it will generate support tickets from users who don't pay attention to their SPF record, or they just kind of set it one day and never thought about it again. I'd imagine they're open to the idea.
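To make the "do what you want with it" versus "please reject it" distinction concrete, here is a small added example (not code from the thread or from DirectAdmin) that evaluates an SPF record the way a receiving server would. It assumes constructed DNS data: mydomain.com resolves to 203.0.113.10, and the sender IPs are made up.

```python
import ipaddress

# Constructed stand-in for DNS lookups (assumption: mydomain.com's A record is 203.0.113.10).
DNS_A = {"mydomain.com": "203.0.113.10"}

# SPF qualifier -> result name (RFC 7208). "+" is the default when none is written.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Typical receiver handling per result. It is only a request from the sender's domain;
# a receiver may be stricter or more lenient, as the thread says.
RECEIVER_ACTION = {
    "pass": "accept",
    "neutral": "accept",
    "softfail": "accept but mark suspicious (often spam folder)",
    "fail": "reject",
    "permerror": "treat as unknown",
}


def evaluate_spf(record, sender_ip, domain):
    """Minimal SPF evaluator: handles 'a', 'ip4', 'ip6' and 'all' mechanisms only."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            # 'all' always matches, so ~all vs -all decides what a non-listed IP gets.
            return QUALIFIER_RESULT[qualifier]
        if term == "a":
            a_record = DNS_A.get(domain)
            matched = a_record is not None and ip == ipaddress.ip_address(a_record)
        elif term.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(term.split(":", 1)[1], strict=False)
        else:
            return "permerror"  # include:, mx:, exists: etc. are out of scope here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no 'all' term present


def receiver_action(record, sender_ip, domain):
    """What a typical receiver does with a message, given the SPF outcome."""
    return RECEIVER_ACTION[evaluate_spf(record, sender_ip, domain)]
```

The "stale record" case from the thread is the ip4 test below: the zone still lists the old IP, the new server sends from a different one, and with -all that mail is rejected instead of merely flagged.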
 
Great explanation!
So I guess I don't need to change it for all domains, only for those which require -all for technical reasons (like DMARC). Others can stay as they are, because SPF is still fully functional.
And to clarify about the laziness: You mean if the actual IP for the DNS zone would somehow change, but the SPF record would stay the same (for some reason), then it would tell the receiver that this sender designates that OLD IP as sender, but if you receive it from a different IP then do whatever you want. Clearly that would be SPF failing, right?
But I guess the point is that it still would send it? As in -all it would just reject it completely and the receiver would not even be able to see it even in the spam folder?

Is that correct?

Thank You very much!
 
Basically yeah. If the SPF is wrong and has a ~all it isn’t generally handled as harshly as it would be if it’s wrong with a -all. A soft fail vs a hard fail. In the end it’s just a request though, the recipient server can still ignore it and do what they want in either case.
 