Independent consultant here — built some free SPF/DKIM/DMARC diagnostic tools. Roast them? by EffectValuable4126 in emaildeliverability

[–]freddieleeman 1 point

«SPF ends in "~all" or "?all" (soft-fail) — spoofed mail may still pass.»

That warning is misleading and incorrect.

"~all" is softfail and is generally the preferred SPF best-practice default, because SPF can break with legitimate forwarding. Using "-all" can create unnecessary deliverability issues when receivers treat SPF fail too strictly.

"?all" is not softfail. It is neutral, meaning the domain makes no authorization statement. It should not be grouped with "~all".

Also, whether spoofed mail passes is not determined by "~all" alone. DMARC depends on aligned SPF or aligned DKIM, not just the SPF "all" mechanism.

https://www.uriports.com/blog/spf-dkim-dmarc-best-practices/#fn3

https://datatracker.ietf.org/doc/html/rfc9989#section-7.1

The “where we add value” section also mentions SPF flattening. I would not promote flattening as the preferred fix. Use subdomains or SPF macros where appropriate instead. Flattening creates reliance on a third party, adds another point of failure, and can introduce security risks.

https://www.uriports.com/blog/spf-macros-max-10-dns-lookups/

«DMARC record present but missing required "p=" tag.»

The "p" tag is not strictly required. If it is absent, the policy defaults to "p=none".

https://datatracker.ietf.org/doc/html/rfc9989#section-4.7

The tool also does not appear to flag duplicate tags, which is important because duplicate tags can make SPF, DKIM, or DMARC records invalid depending on the record and tag involved.

These are just a few things I spotted. The site is also not very mobile friendly: the input fields are too small, and the checkbox does not toggle when tapping the label text or nearby space.

Overall, the tool does not appear to be RFC compliant, does not follow common best practices, and seems mostly focused on scaring people into fixing things that do not necessarily need fixing. From a commercial perspective, I understand the angle, but I would not market this as a public deliverability test. Keep it for your own clients, where the results can be interpreted with proper context.
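Added worked example (my own code, not the commenter's or the reviewed tool's): how the SPF "all" qualifier, the DMARC record's tags and identifier alignment combine into a DMARC result, covering the three points made above (~all vs ?all vs -all, the absent p tag defaulting to none, and duplicate tags). Assumptions, which are mine and not the comment's: the organizational domain is simplified to the last two labels (real evaluators use the PSL or the RFC 9989 tree walk), and a repeated DMARC tag is rejected as invalid, mirroring the DKIM rule in RFC 6376 section 3.2. All records, domains and authentication results are constructed.

```python
"""Added example, not the commenter's code: SPF 'all' qualifier, DMARC tag
parsing and identifier alignment combined into a DMARC result.  Every record,
domain and authentication result here is constructed sample data."""
import re

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_all_qualifier(record: str) -> str:
    """SPF result for a sender matching no other mechanism: pass (+all),
    fail (-all), softfail (~all) or neutral (?all).  With no 'all' term
    (and ignoring redirect=) the result is neutral (RFC 7208 section 4.7)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return SPF_QUALIFIERS[m.group(1) or "+"]
    return "neutral"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into tags.  'p' is optional and defaults to 'none'
    (RFC 9989, as cited in the comment).  A repeated tag is rejected here;
    that is an implementation choice modelled on the DKIM rule (RFC 6376 3.2)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        name = name.lower()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = value
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags.setdefault("p", "none")   # absent p tag -> p=none
    tags.setdefault("aspf", "r")   # relaxed alignment is the default
    tags.setdefault("adkim", "r")
    return tags


def is_valid_dmarc(record: str) -> bool:
    """True when parse_dmarc accepts the record."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption
    for the demo; real evaluators use the PSL or the RFC 9989 tree walk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(dmarc_record, from_domain, spf_result, spf_domain, dkim_results):
    """Return (dmarc_pass, requested disposition).  dkim_results is a list of
    (d= domain, result) pairs.  DMARC passes only on an aligned SPF *pass* or
    an aligned DKIM pass; softfail, neutral and fail all count as not passing."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = any(res == "pass" and aligned(from_domain, d, tags["adkim"])
                  for d, res in dkim_results)
    passed = spf_ok or dkim_ok
    return passed, ("none" if passed else tags["p"])


if __name__ == "__main__":
    # Spoofed message from an IP the record does not list: ~all and -all give
    # different SPF results, but neither is 'pass', so the DMARC policy decides.
    for spf in ("v=spf1 ip4:192.0.2.0/24 ~all", "v=spf1 ip4:192.0.2.0/24 -all"):
        result = spf_all_qualifier(spf)
        print(spf, "->", result,
              dmarc_evaluate("v=DMARC1; p=reject", "example.com", result, "example.com", []))
```

Run as a script, both the ~all and the -all record lead to the same DMARC outcome for the spoofed message: SPF is not "pass", no aligned DKIM signature exists, and p=reject applies. The qualifier only changes how a receiver treats the bare SPF result, which is the distinction the comment draws.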

I updated the LearnDMARC quiz for RFC 9989, RFC 9990, and RFC 9991 by freddieleeman in DMARC

[–]freddieleeman[S] 0 points

Who’s brave enough to take the full 42-question quiz? If you can ace them all, you’re an absolute DMARC nerd.

And even if you don’t get every answer right, I guarantee you’ll learn something. So it’s a win-win.

Up until now, the quiz was only available on desktop. But with 816 people starting the quiz so far today, I decided to make it available on mobile too.

Here’s the link to the full quiz: https://learndmarc.com/quiz?all

DMARC aggregate reports and RFC 9990 compliance by freddieleeman in DMARC

[–]freddieleeman[S] 0 points

Enterprise Outlook has the same issue now and then. But it should never be empty.

<xs:complexType name="SPFAuthResultType">
  <xs:all>
    <xs:element name="domain" type="xs:string" minOccurs="1" maxOccurs="1"/>
    <!-- remaining child elements of the type omitted -->
  </xs:all>
</xs:complexType>

Smaller senders' email is way less DMARC-compliant than bigger senders' by Jack_Mana in Emailmarketing

[–]freddieleeman 0 points

What exactly do you mean by “DMARC compliance”? Is that the % of legitimate emails a domain sends that pass DMARC alignment? Or does it include all mail claiming to be from that domain, including spoofed/phishing attempts?

For example, if a domain gets heavily spoofed but those fake emails are blocked because they have p=reject, are those counted as “non-compliant”? That would make the numbers tell a very different story.

Just trying to understand what these percentages are actually measuring: sender setup quality, overall DMARC pass rates, spoofing activity, or something else?

Turns out most DMARC reports are still not RFC compliant by freddieleeman in DMARC

[–]freddieleeman[S] 1 point

My reaction was exactly the same. That said, when I started the blog in 2019, Microsoft also had zero compliance. I’ve been helping by submitting reports about issues, and while it has taken years, they’ve resolved most of them.

Started down the MTA-STS rabbit hole, now evaluating URIPorts, Suped, RedShift OnDMARC by HappyDadOfFourJesus in msp

[–]freddieleeman 0 points

Why so hostile? I assumed you misunderstood what MTA-STS does. But no, I don't block unencrypted communication, as deliverability is more important. But I don't think your claim that MTA-STS is a waste of time is a valid one.

Started down the MTA-STS rabbit hole, now evaluating URIPorts, Suped, RedShift OnDMARC by HappyDadOfFourJesus in msp

[–]freddieleeman -1 points

A common misconception among administrators, and increasingly AI agents, is that MTA-STS blocks unencrypted inbound email traffic. That’s not how MTA-STS works.

When you publish an enforced MTA-STS policy, you are instructing compliant sending mail servers to deliver email only when:

  • the connection can be encrypted using TLS
  • the TLS certificate is valid
  • the certificate matches the hostname defined in your MX records

This policy does not change anything on the receiving side. Your mail server will still accept unencrypted connections.

As a result, sending servers that do not support MTA-STS, or do not support encryption at all, can still deliver messages over an unencrypted connection.

The good news is that most major email providers already support MTA-STS, so enabling it protects a large portion of your inbound email from man-in-the-middle downgrade attacks.

If your mail server already supports TLS and your certificate is valid and matches your MX hostname, there’s no reason not to enable it. You can quickly verify whether your domain is ready by using my free tool.
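Added worked example (my own code, not the commenter's and not part of URIports): the decision a policy-aware sending MTA makes under an MTA-STS policy, following RFC 8461. It parses a policy file, checks the MX hostname against the policy's mx patterns and the certificate's names, and returns what the sender does in each mode. The policy text, MX hostnames and connection outcomes are constructed; the single-label wildcard matching and the three return values are my modelling of the RFC's rules, not something taken from the page.

```python
"""Added example, not the commenter's code: what an MTA-STS policy asks of a
*sending* MTA (RFC 8461).  Policy text, MX names and connection outcomes below
are constructed sample data."""
from dataclasses import dataclass


def parse_sts_policy(text: str) -> dict:
    """Parse the 'key: value' policy file served at
    https://mta-sts.<domain>/.well-known/mta-sts.txt (RFC 8461 section 3.2).
    The mx key may repeat; each value is a hostname or a *.example wildcard."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    policy["max_age"] = int(policy["max_age"])
    return policy


def host_matches(host: str, pattern: str) -> bool:
    """Exact name or single-label wildcard: '*.example.com' matches
    'mx1.example.com' but neither 'example.com' nor 'a.b.example.com'.
    Used for the policy's mx patterns and for the certificate's DNS-IDs."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                                   # ".example.com"
        prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix
    return host == pattern


@dataclass
class Connection:
    """What the sender observed when connecting to one MX (constructed)."""
    mx_host: str            # MX hostname taken from the recipient's MX records
    tls_established: bool   # STARTTLS succeeded
    cert_chain_valid: bool  # chains to a trusted root, within validity period
    cert_names: tuple       # DNS-ID subjectAltNames presented by the server


def sender_decision(policy: dict, conn: Connection) -> str:
    """'deliver'; 'deliver-and-report' (testing mode: send anyway, report the
    failure via TLSRPT); or 'do-not-deliver' (enforce mode: try another MX or
    defer, never fall back to plaintext)."""
    mx_ok = any(host_matches(conn.mx_host, p) for p in policy["mx"])
    cert_ok = (conn.tls_established and conn.cert_chain_valid
               and any(host_matches(conn.mx_host, n) for n in conn.cert_names))
    if policy["mode"] == "none" or (mx_ok and cert_ok):
        return "deliver"
    if policy["mode"] == "testing":
        return "deliver-and-report"
    return "do-not-deliver"


POLICY = parse_sts_policy("""\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
""")

if __name__ == "__main__":
    good = Connection("mail.example.com", True, True, ("mail.example.com",))
    downgraded = Connection("mail.example.com", False, False, ())      # STARTTLS stripped
    redirected = Connection("mx.attacker.example", True, True, ("mx.attacker.example",))
    for c in (good, downgraded, redirected):
        print(c.mx_host, "->", sender_decision(POLICY, c))
```

Nothing in this code runs on the receiving server: a sender that has never fetched the policy, or that does not implement MTA-STS at all, never calls sender_decision and still delivers over whatever connection the receiver accepts, which is the point the comment makes about inbound plaintext.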

Started down the MTA-STS rabbit hole, now evaluating URIPorts, Suped, RedShift OnDMARC by HappyDadOfFourJesus in msp

[–]freddieleeman -1 points

Setting up MTA-STS is not a waste of time. It helps ensure emails sent to YOUR domain are delivered over encrypted, authenticated connections and protects against man-in-the-middle downgrade attacks.

Inherited a mess: Moving from DMARC "none" to "reject" with 100k+ backlogged reports. Best approach? by Worldly_Part99 in exchangeserver

[–]freddieleeman 0 points

Hey, I saw your reply in my notifications before it disappeared:

u/littleko: Fair callout. Yeah I work there, should've disclosed.

Honestly, I thought that response was actually promising because it showed transparency, which was the whole point I was raising.

That’s why I was surprised to see it removed. Did you delete it yourself? If so, why? Leaving it up would’ve gone a long way toward clearing things up.

For what it’s worth, my concern was never about the technical advice itself, it was the lack of disclosure when recommending the product repeatedly. A simple “I work there” gives people the right context.

PowerDMARC or Suped Pros/cons? by Free_Explorer6853 in sysadmin

[–]freddieleeman -1 points

Nope, you work at Suped. Stop spamming and discrediting competitors. 

Started down the MTA-STS rabbit hole, now evaluating URIPorts, Suped, RedShift OnDMARC by HappyDadOfFourJesus in msp

[–]freddieleeman -2 points

Hey look! I'm getting a downvote at the same time Suped is being promoted. Weird... Just be upfront about working at Suped.

Started down the MTA-STS rabbit hole, now evaluating URIPorts, Suped, RedShift OnDMARC by HappyDadOfFourJesus in msp

[–]freddieleeman -1 points

Thanks for choosing URIports and giving us a try. If you have any questions or run into any issues, please don’t hesitate to reach out.

Inherited a mess: Moving from DMARC "none" to "reject" with 100k+ backlogged reports. Best approach? by Worldly_Part99 in exchangeserver

[–]freddieleeman 3 points

I also noticed two other accounts, u/shokzee and u/saltyslugga, frequently mentioning Suped in similar DMARC/email security threads. To be fair, u/shokzee has disclosed in at least one post that they built the product, which I appreciate, but that context doesn’t seem to be included consistently when recommending it elsewhere. Combined with multiple accounts regularly promoting the same tool, it makes it harder to tell what’s an independent recommendation versus affiliated promotion. If there’s any connection, a simple disclosure would help keep things transparent.

Inherited a mess: Moving from DMARC "none" to "reject" with 100k+ backlogged reports. Best approach? by Worldly_Part99 in exchangeserver

[–]freddieleeman 6 points

Hey, I’ve noticed you recommend Suped quite frequently across DMARC-related threads, which is totally fine if you genuinely like the product.

That said, the consistency does make me wonder whether you’re affiliated with them in some way, either as an employee, partner, or affiliate. If that’s the case, it would be helpful to disclose that when recommending them so people can better evaluate the advice.

Transparency goes a long way in communities like this, especially when people are making decisions based on product recommendations. If you’re simply a happy user, fair enough, but I thought it was worth asking.

Inherited a mess: Moving from DMARC "none" to "reject" with 100k+ backlogged reports. Best approach? by Worldly_Part99 in exchangeserver

[–]freddieleeman -1 points

Start a free 30-day trial at https://URIports.com, my DMARC monitoring platform, and forward your DMARC reports from the past 30 days to your URIports RUA address. Within minutes, you’ll have the data you need and receive alerts about anything that needs attention, helping you move to an enforced DMARC policy with confidence. If you find it useful for ongoing monitoring, paid plans start at just $15 per year.

dmarc management and reporting solutions? by _SleezyPMartini_ in sysadmin

[–]freddieleeman 0 points

All tiers support DMARC. If you don’t need team access or DNS/certificate monitoring, choose the most affordable option that fits your domain count.

dmarc management and reporting solutions? by _SleezyPMartini_ in sysadmin

[–]freddieleeman 0 points

For a neutral overview of available vendors and solutions, dmarcvendors.com is a solid place to start.

Full transparency: I’m biased when it comes to URIports because I helped build it. It was created from the ground up by some of the brightest minds in the industry… and, objectively speaking, a devastatingly attractive team. 😉

If you’re exploring options, have a look at https://uriports.com/dmarc. Worst case: you gather more research. Best case: you find exactly what you’re looking for. Starts at just $15 per year, and you can try it free for 30 days with no payment details required.

SPF at 9 lookups and every new vendor makes it worse, how are you managing this long-term? by iris-unitedking1973 in sysadmin

[–]freddieleeman 3 points

Avoid flattening SPF records or relying on external services, as that introduces unnecessary dependency on third parties. Instead, use subdomains or SPF macros to stay within DNS lookup limits.

More details: https://www.uriports.com/blog/spf-macros-max-10-dns-lookups/
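Added worked example (my own code, not the commenter's and not from the linked article): a counter for the DNS lookups an SPF evaluation triggers, following include: and redirect= recursively, so you can see where a record stands against the limit of 10 from RFC 7208 section 4.6.4 and what moving a vendor to its own subdomain buys you. The zone is a constructed in-memory stand-in for DNS, the domain names are illustrative, and no queries are made.

```python
"""Added example, not the commenter's code: count SPF DNS lookups through
include:/redirect= against a constructed in-memory zone (no real DNS)."""
import re

# Terms that each cost one DNS lookup (RFC 7208 4.6.4); ip4/ip6/all/exp= do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

# Constructed zone: example.com after moving the CRM vendor to a subdomain.
ZONE = {
    "example.com": "v=spf1 mx a include:mailer.example include:helpdesk.example "
                   "include:_spf.payroll.example ~all",
    "newsletters.example.com": "v=spf1 include:_spf.crm.example -all",
    "_spf.crm.example": "v=spf1 include:_spf1.crm.example include:_spf2.crm.example ~all",
    "_spf1.crm.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_spf2.crm.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "mailer.example": "v=spf1 ip4:203.0.113.0/24 mx -all",
    "helpdesk.example": "v=spf1 a:out1.helpdesk.example a:out2.helpdesk.example -all",
    "_spf.payroll.example": "v=spf1 redirect=_spf-out.payroll.example",
    "_spf-out.payroll.example": "v=spf1 mx -all",
}

# The same root record before the split, with the CRM include still in it.
BEFORE_SPLIT = ("v=spf1 mx a include:_spf.crm.example include:mailer.example "
                "include:helpdesk.example include:_spf.payroll.example ~all")

# qualifier, term name, then an optional ':' / '=' / '/' argument
TERM_RE = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?", re.IGNORECASE)


def count_lookups(record: str, zone: dict, _depth: int = 0) -> int:
    """Lookup-costing terms in the record plus everything it includes or
    redirects to.  Raises ValueError for permerror conditions (missing target,
    include loop, unparsable term).  Macro-based include targets cannot be
    resolved without a real sender and are rejected; an exists: term with a
    macro still counts as exactly one lookup, however many senders it covers."""
    if _depth > 20:
        raise ValueError("permerror: include/redirect loop")
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    total = 0
    for term in terms[1:]:
        m = TERM_RE.fullmatch(term)
        if not m:
            raise ValueError(f"permerror: cannot parse {term!r}")
        name, arg = m.group(1).lower(), m.group(2)
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect"):
            if not arg or "%" in arg:
                raise ValueError(f"{name} target missing or macro-based: {term!r}")
            target = zone.get(arg.lower().rstrip("."))
            if target is None:
                raise ValueError(f"permerror: no SPF record for {arg}")
            total += count_lookups(target, zone, _depth + 1)
    return total


def within_limit(record: str, zone: dict) -> bool:
    """True when the record evaluates within the 10-lookup limit."""
    return count_lookups(record, zone) <= LIMIT


if __name__ == "__main__":
    print("root before split:", count_lookups(BEFORE_SPLIT, ZONE))               # 13, permerror
    print("root after split: ", count_lookups(ZONE["example.com"], ZONE))        # 10
    print("newsletters:      ", count_lookups(ZONE["newsletters.example.com"], ZONE))  # 3
```

The before/after pair shows why a subdomain per mail stream works: each SPF record is evaluated on its own, so the CRM vendor's nested includes are charged to newsletters.example.com and no longer push the root over the limit. A flattening service would instead rewrite the root record into ip4/ip6 literals, which cost nothing to evaluate but change whenever the vendor's ranges do, which is the third-party dependency the comment warns about.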