Just switched my SPF from soft fail to hard fail. Yes, I remember hearing it's recommended to be soft fail, but I only ever send email from my server, and I really want to catch any "misconfiguration" where they don't.
Conversation
Replying to
It doesn't really work properly since SPF can be bypassed by sending it from a different server set for the MAILFROM header not shown by most clients.
DMARC p=reject or p=quarantine is what really matters since it enforces either valid + aligned DKIM or valid + aligned SPF.
2
1
i.e. DMARC enforces that one of those is valid for FROM header.
SPF only has to be valid for either MAILFROM or FROM to pass and most servers won't enforce SPF even when it has a hard fail policy. DMARC actually gets enforced. DKIM/SPF alone are just used for spam filters.