Change to some default SPF mail DNS records (softfail instead of neutral)

This post describes a technical change that most customers can ignore; we’re posting it for advanced users who may be interested.

If you have hosting service with us, we publish a default SPF record in your DNS zone if you don’t provide one yourself.

In most cases, that record has ended with an SPF “neutral” default, like this:

v=spf1 a/24 mx/24 ptr ?all

However, with the recent increase in forgery and spoofing of addresses in spam, many domain names would benefit from a stronger “softfail” default, like this:

v=spf1 a/24 mx/24 ptr ~all

“Softfail” used to occasionally cause “false positives” if you sent mail that was later forwarded — it could be wrongly tagged as possible spam. That’s less of a problem nowadays, though, as most spam filtering systems check DKIM signatures in addition to SPF records to avoid this (and we use DKIM to sign outgoing mail).

Because of that, we’ve changed the SPF default for mail hosted with us to ~all (softfail), like most similar services.

Note that this only applies to domain names where we handle the mail completely. If you’ve added custom MX records in our control panel, the default will still be the ?all (neutral), since you may also be sending mail from other servers — and if you’ve added your own SPF record, we don’t publish a default SPF record at all. The “Can I add my own SPF or DKIM entries?” section of our DNS editing page explains more about how you can add one.

It’s unlikely that our customers will notice any change as a result of this, except perhaps increased protection against spammers forging your address. But of course, don’t hesitate to contact us if you have any questions or trouble.