Apr 17, 19, 6:10 am
Join Date: Jan 2016
Location: LON
Programs: BAEC, Accor
Posts: 2,047
To be fair to QR, in an SPF record ~all (soft fail) is a valid configuration; it's just that it has a different impact to -all (hard fail). For various business reasons QR may need the soft fail because they have various systems they might not be 100% in control of, which need to transit email on behalf of Qatar, that they do not want to clobber with unintended consequences and end up impacting customer communications.

For those readers now scratching their heads with all this technobabble, an SPF record is a way for a domain owner to assert what systems are permitted to send email on behalf of their domain. Qatar have published a record, but if someone doing a lookup finds that an email being received is coming from a system that is not on the list, the soft fail directs them to treat the message with more suspicion that it might be forged or coming from an untrustworthy source, rather than outright reject it (hard fail). The suggestion is that if Qatar had made the SPF instruction to be hard fail then the fraudulent email might have been rejected before it was delivered.
plunet is offline