SPF and DMARC - is spf policy used?

Solution 1:

It just checks if the IP/Host is in the SPF record; the overall logic is:

If the sending IP address is contained in the SPF record = SPF PASS
If the sending IP address is not contained in the SPF record = SPF FAIL

(see sites like http://knowledge.ondmarc.com/learn-about-dmarc/all-you-need-to-know-about-spf-dkim-and-dmarc where the above logic is quoted from).

The policies of DMARC and SPF are independent. I would not change SPF policies because there is a DMARC policy. You should consider that not all mail servers use DMARC but do use SPF. So the SPF policy should make sense on its own.

Solution 2:

DMARC actually evaluates your SPF result, looking for a PASS, as well as alignment between the smtp.mailfrom domain and the header.from domain. As long as SPF does not produce a pass, (whether you have ?all, ~all or -all mechanism at the end), DMARC will not consider the SPF result a PASS. The same holds true for DKIM. The header.d domain should align with the header.from domain and the result should be PASS.

However, and to answer your question partly, some servers will interpret an SPF hard fail (-all) as a reason to reject your emails, even though it passes DMARC on DKIM.

On the other hand, not all receiving servers check on DMARC. So an SPF soft fail (~all) will not cause an email to be rejected on its own (generally speaking). At the same time SPF is not the greatest tool for protecting against spoofing, since SPF is checked on the smtp.mailfrom domain instead of the header.from domain, and only the latter is visible to the recipient (in most client software). And thus the alignment requirement in DMARC.

In terms of what is better for forwarding: it depends. Some forwarders will rewrite the Return-Path (a.k.a. smtp.mailfrom), which will fix SPF, but break DMARC alignment. Others will, for example, add a piece of text to the subject field which in turn will break the DKIM signature (if the subject was one of the signed headers). It's not so clear-cut. Authenticated Received Chain (ARC) is a protocol that is helpful in this respect, be it still in development.

My advice would be to use SPF with a soft fail mechanism and use DMARC with a reject policy. Also, use SPF and DKIM complementary for optimal results.

My opinion: You're publishing a clear directive in DMARC. It is up to the recipient to implement corresponding checks. In fact, a receiving server can be configured to completely ignore both SPF (hard) fail and DMARC reject policies. That's not the sender's responsibility, but the recipient's prerogative.
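The DMARC evaluation logic described in Solution 2 (SPF or DKIM must produce PASS *and* that identifier must align with header.from), together with the forwarding cases it mentions, as an added example that is not part of either answer. The organizational-domain check is a simplification (last two labels) assumed for illustration; real implementations consult the Public Suffix List.

```python
"""Minimal DMARC identifier-alignment check (added example, not from the answers)."""
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Approximate organizational domain as the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(ident: str, header_from: str, strict: bool = False) -> bool:
    """Strict alignment = exact match; relaxed = same organizational domain."""
    if strict:
        return ident.lower() == header_from.lower()
    return org_domain(ident) == org_domain(header_from)


@dataclass
class AuthResults:
    header_from: str   # RFC5322.From domain, the one the recipient sees
    spf_result: str    # "pass", "fail" (-all), "softfail" (~all), "neutral" (?all), "none"
    mailfrom: str      # RFC5321.MailFrom / Return-Path domain that SPF was checked against
    dkim_result: str   # "pass" or anything else
    dkim_d: str        # d= tag of the DKIM signature ("" if unsigned)


def dmarc_passes(r: AuthResults, strict_spf=False, strict_dkim=False) -> dict:
    """Only an aligned SPF PASS or an aligned DKIM PASS counts; soft/hard fail never do."""
    spf_ok = r.spf_result == "pass" and aligned(r.mailfrom, r.header_from, strict_spf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_d, r.header_from, strict_dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": spf_ok or dkim_ok}


if __name__ == "__main__":
    # Constructed scenarios: direct send, then the two forwarding cases from the answer.
    direct = AuthResults("example.com", "pass", "example.com", "pass", "example.com")
    # Forwarder rewrote Return-Path: SPF passes for the forwarder but no longer aligns.
    rewritten = AuthResults("example.com", "pass", "forwarder.example", "pass", "example.com")
    # Forwarder also tagged the Subject, invalidating the DKIM signature.
    rewritten_and_tagged = AuthResults("example.com", "pass", "forwarder.example", "fail", "example.com")
    for name, case in [("direct", direct), ("rewritten", rewritten), ("tagged", rewritten_and_tagged)]:
        print(name, dmarc_passes(case))
```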