> they've got too many includes in their SPF records, so SPF always fails.
Any domain can toss "v=spf1 include:UniversalSPF.org -include:x.UniversalSPF.org" in front of their broken SPF record to automagically clean and fix it. This authorizes mail that the domain owner expects to pass, and fails the mail they expect to fail.
Source: One of my startup's covid projects was creating and giving away https://UniversalSPF.org. We'd already been providing SPF Compression commercially since c. 2015.
It's free to use and already trusted by several hundred businesses.
Outsourcing security is a very stupid thing to do. Of course copying a line you don’t understand into your DNS isn't that much better but at least you control it.
In this case configuration is handled by an unknown entity that has no contractual obligations to you. Don’t do it.
Any domain can toss "v=spf1 include:UniversalSPF.org -include:x.UniversalSPF.org" in front of their broken SPF record to automagically clean and fix it. This authorizes mail that the domain owner expects to pass, and fails the mail they expect to fail.
Source: One of my startup's covid projects was creating and giving away https://UniversalSPF.org. We'd already been providing SPF Compression commercially since c. 2015.
It's free to use and already trusted by several hundred businesses.
Here's a good SPF evaluator in case you want to see Universal SPF fix your domain's policy: https://vamsoft.com/support/tools/spf-policy-tester and a more technical deep dive for you other command line geeks: https://fraudmarc.com/introducing-universal-spf/
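Added example, not part of the thread or any poster's code: an offline check for the "too many includes" failure quoted at the top. It counts the terms that trigger DNS queries (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`), which RFC 7208 caps at 10 per evaluation, and handles qualified terms such as the `-include:` form shown above. The `.test` domains and their records are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample zone: domain -> SPF TXT record (all names are made up).
LEAF = "v=spf1 ip4:192.0.2.0/24 ~all"
ZONE = {
    "big.test": "v=spf1 include:a.test include:b.test include:c.test mx a -all",
    "small.test": "v=spf1 -include:deny.test include:a.test ip4:198.51.100.7 -all",
    "a.test": "v=spf1 include:a1.test include:a2.test include:a3.test ~all",
    "b.test": "v=spf1 include:b1.test include:b2.test mx ~all",
    "c.test": "v=spf1 a exists:%{i}.c.test ?all",
    "deny.test": "v=spf1 ip4:203.0.113.0/24 -all",
    **{d: LEAF for d in ("a1.test", "a2.test", "a3.test", "b1.test", "b2.test")},
}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 such terms is a permerror


def parse_term(term):
    """Split one SPF term into (name, target), dropping qualifier and CIDR."""
    term = term.lstrip("+-~?")  # qualifier does not change the lookup cost
    if term.lower().startswith("redirect="):
        return "redirect", term.split("=", 1)[1]
    name, _, rest = term.partition(":")
    return name.split("/")[0].lower(), (rest.split("/")[0] or None)


def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from domain's SPF record."""
    domain = domain.lower()
    if domain in path:  # include loop: stop recursing
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:  # skip the "v=spf1" tag
        name, target = parse_term(term)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and target:
                total += count_lookups(target, zone, path + (domain,))
    return total


def verdict(domain, zone):
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LIMIT else "ok")


if __name__ == "__main__":
    for d in ("big.test", "small.test"):
        print(d, verdict(d, ZONE))
```

This counts only the 10-term limit; the separate void-lookup limit and per-`mx` address lookups are not modeled.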