Use SPF hardfail - Spamming, the new meta

I have always been an advocate of using HardFail in my SPF record but not everyone shares my views, so let me now give you a real life example.

I have been getting spam from a pharmacy brand in the UK, however it is not them sending the emails.

The email contains dodgy links etc.

The email is not getting put into my spam folder (some are) and my SpamAssassin SPF rule is not killing the email because SoftFail is declared at the pharmacy's DNS records.

Spammers are now searching for large brands that do not have SPF records or SPF records set up with SoftFail, both of which allow them to send emails from the targeted brand's domain (spoofing) and thus get emails into your inbox appearing to be from these brands.

Just consider: the user decides they are clever and hits the reply button to check where the email is from, and this confirms it, so they feel they can click the link in the email because it is legit.
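To make the SoftFail vs HardFail difference concrete, here is a small SPF evaluator. It is an added example, not code from the thread or from SpamAssassin. It handles only `ip4`, `ip6` and `all` with the four qualifiers, and replaces DNS with a constructed table of hypothetical domains (`softfail-pharmacy.example`, `hardfail-pharmacy.example`); real SPF also has `include`, `a`, `mx`, `redirect`, `exists` and `ptr`, plus the ten-lookup limit, none of which are modelled here. The delivery policy at the end mirrors a filter that only rejects on a hard `fail`, which is exactly the gap the spoofed pharmacy mail slips through.

```python
"""Minimal SPF evaluator (added example; not from the thread or SpamAssassin).

Implements just enough of RFC 7208 to show why a record ending in "~all"
(SoftFail) lets a spoofed sender reach the inbox while "-all" (Fail) lets
the receiver reject it outright.
"""
import ipaddress

# Constructed TXT records for hypothetical domains; not real DNS data.
FAKE_DNS = {
    "softfail-pharmacy.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "hardfail-pharmacy.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "ipv6-only.example": "v=spf1 ip6:2001:db8::/32 -all",
}

# Qualifier character -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (result, mechanism, argument) terms.

    A term without an explicit qualifier defaults to "+" (pass).
    """
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((QUALIFIERS[qualifier], mech.lower(), arg or None))
    return terms


def check_host(ip, domain, dns=FAKE_DNS):
    """Return the SPF result for a connecting IP claiming `domain`.

    "none" means the domain publishes no SPF record at all, which is the
    other case the thread says spammers look for.
    """
    record = dns.get(domain.lower())
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for result, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            # An ip4 term never matches an IPv6 client and vice versa.
            if addr.version == net.version and addr in net:
                return result
        elif mech == "all":
            return result
        else:
            raise NotImplementedError(f"mechanism '{mech}' not supported here")
    # Record exhausted without a match and without an "all" term.
    return "neutral"


def delivery_action(spf_result, reject_on=("fail",)):
    """Policy of a filter that only hard-rejects on the results in reject_on.

    With the default, a SoftFail is delivered (possibly scored, but not
    blocked), which is the behaviour the original post complains about.
    """
    return "reject" if spf_result in reject_on else "deliver"


if __name__ == "__main__":
    spoofer_ip = "203.0.113.9"  # constructed: not in either brand's ip4 range
    for brand in ("softfail-pharmacy.example", "hardfail-pharmacy.example"):
        result = check_host(spoofer_ip, brand)
        print(f"{brand}: spf={result} -> {delivery_action(result)}")
```

Passing `reject_on=("fail", "softfail")` to `delivery_action` is the "tweak your filter" option raised later in the thread; the trade-off is that it also rejects legitimate mail from any sender whose record happens to end in `~all`.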

You can always tweak your anti-spam filters to not deliver SPF SoftFail if you like, but this can also lead to false positives.

And btw, spammers/phishers do not need to search, they -can- use hotmail/outlook/gmail which are allowlisted by default (for some “2big2fail?” reason) and have all the SPF/DKIM/DMARC set all right. (These are the 3 most frequent spam domains.)

2c

I probably will as this company is incapable of people reporting cyber security concerns to them. Another Jaguar Land Rover sort of thing.

I added a program to hard fail SPF and broke forwarding of a mail account I have elsewhere still. This is a personal server with a few friends and family using the email but I won’t even risk breaking it again because I don’t know what I may be breaking for them. I could have whitelisted the one domain I know, but…

This is a reason for SRS maybe :smiley:
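The forwarding breakage above is what SRS (Sender Rewriting Scheme) exists for: a forwarder that keeps the original envelope sender will fail the original domain's `-all` record at the final hop, because the forwarder's IP is not in it. SRS rewrites the envelope sender to an address at the forwarder's own domain, so the final hop checks the forwarder's SPF instead, and the hash/timestamp let the forwarder safely route bounces back. Below is an added, self-contained SRS0 rewriter and verifier; it is not code from the thread or from any SRS package, the secret, domains and addresses are constructed, and `SRS1` (re-forwarding an already rewritten address) is deliberately left out.

```python
"""SRS0 envelope-sender rewriting (added example, not the thread's own code).

Forward direction:  alice@brand.example  ->  SRS0=HHHH=TT=brand.example=alice@forwarder.example
Reverse direction:  verifies the HMAC and the timestamp, then restores alice@brand.example
"""
import base64
import hashlib
import hmac
import time

# SRS encodes the timestamp as two base32 characters (days since epoch, mod 1024).
SRS_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
SRS_HASH_LEN = 4       # characters of base64(HMAC) kept in the address
SRS_MAX_AGE_DAYS = 21  # bounces older than this are refused


def _encode_timestamp(days):
    days %= 1024
    return SRS_BASE32[(days >> 5) & 31] + SRS_BASE32[days & 31]


def _decode_timestamp(ts):
    return (SRS_BASE32.index(ts[0].upper()) << 5) | SRS_BASE32.index(ts[1].upper())


def _srs_hash(secret, timestamp, domain, local):
    # Case-insensitive over the parts the reverse path must authenticate.
    msg = "".join(p.lower() for p in (timestamp, domain, local)).encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:SRS_HASH_LEN]


def srs_forward(sender, forwarder_domain, secret, days=None):
    """Rewrite the envelope sender of a message being forwarded."""
    local, _, domain = sender.rpartition("@")
    if not local or not domain:
        raise ValueError("sender must be local@domain")
    if local.upper().startswith("SRS0="):
        raise NotImplementedError("already rewritten; real SRS emits SRS1 here")
    days = int(time.time() // 86400) if days is None else days
    ts = _encode_timestamp(days)
    return f"SRS0={_srs_hash(secret, ts, domain, local)}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address, secret, days=None):
    """Validate an SRS0 bounce address and return the original sender.

    Raises ValueError on a malformed, tampered, wrong-secret or expired address,
    so the forwarder never relays bounces to addresses it did not sign.
    """
    local, _, _forwarder = address.rpartition("@")
    if not local.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    # The original local part may itself contain '=', so split at most 4 times.
    fields = local.split("=", 4)
    if len(fields) != 5:
        raise ValueError("malformed SRS0 address")
    _, given_hash, ts, domain, orig_local = fields
    expected = _srs_hash(secret, ts, domain, orig_local)
    if not hmac.compare_digest(given_hash, expected):
        raise ValueError("SRS hash mismatch")
    days = int(time.time() // 86400) if days is None else days
    if (days - _decode_timestamp(ts)) % 1024 > SRS_MAX_AGE_DAYS:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{domain}"


if __name__ == "__main__":
    secret = b"constructed-example-secret"  # constructed; never hard-code in production
    rewritten = srs_forward("alice@hardfail-pharmacy.example", "forwarder.example", secret)
    print("forwarded as:", rewritten)
    print("bounce goes back to:", srs_reverse(rewritten, secret))
```

The forwarder's own SPF record must then list the forwarder's outbound IPs, since that is what the receiving side evaluates after the rewrite; SRS does nothing for DKIM or DMARC alignment on the `From:` header, which is a separate problem.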