SPF Hard Fail Configuration

We are currently in audit mode for SPF hard fails and working to try to contact the silly people who have an SPF record that is nowhere close to being correct. Our email vendor has suggested increasing the SPAM score of emails that “hard fail” SPF rather than rejecting with SPF. Obviously DMARC would reject these IF the sender has a DMARC policy, but so far most of these “hard fails” do not have a DMARC policy.

Curious if others have moved forward with updating their SPF “hard fail” policy to reject emails independently of DMARC?

We have a strict policy where systems without a valid SPF and PTR, which are not whitelisted, will be rejected. There are some issues with systems like techtarget or cvent which cannot be overcome, so you will need a feature whitelist, but it pays off for security reasons to enforce SPF.

Potentially look to limit this where DKIM/DMARC pass, though, as you might reject mail that was forwarded by a user, and the SPF will likely fail.

Also consider temp-failing it or greylisting it so they have a chance to see the bounce.

But if the mail fails because of broken SPF and there is no DKIM/DMARC, be sure to include that in the bounce message you send back to the domain owner. This is more efficient and likely easier than reaching out independently to each domain.
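The policy sketched across the replies above (feature whitelist, DKIM/DMARC pass overriding an SPF hard fail for forwarded mail, temporary rejection with an informative bounce when there is no DMARC policy), as an added example that is not from any of the posters. It parses a constructed Authentication-Results value; the whitelist entry, relay names, IPs and domains are hypothetical.

```python
import re

# Hypothetical "feature whitelist" of relays that cannot publish usable SPF.
WHITELIST = {"mail.vendor.test"}

def parse_auth_results(header):
    """Parse an Authentication-Results value into spf/dkim/dmarc results plus DMARC policy, sender IP and domain."""
    r = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header):
        r[method] = result.lower()
    m = re.search(r"dmarc=\w+\s*\(p=(\w+)\)", header)
    r["policy"] = m.group(1).lower() if m else None   # None: sender publishes no DMARC policy
    m = re.search(r"sender IP is ([\d.]+)", header)
    r["ip"] = m.group(1) if m else "unknown"
    m = re.search(r"smtp\.mailfrom=(?:[^@;\s]+@)?([\w.-]+)", header)
    r["domain"] = m.group(1) if m else "unknown"
    return r

def bounce_text(r):
    """Bounce that tells the domain owner exactly which record is broken, instead of a separate outreach."""
    return ("451 4.7.1 SPF hard fail for %s from %s and no DKIM/DMARC; "
            "please correct the SPF record for %s" % (r["domain"], r["ip"], r["domain"]))

def decide(header, relay_host):
    """Return (action, reason) for one message; actions are accept/reject/quarantine/tempfail."""
    r = parse_auth_results(header)
    if relay_host in WHITELIST:
        return "accept", "whitelisted relay"
    if r.get("spf") != "fail":
        return "accept", "no SPF hard fail"
    # Forwarded mail usually breaks SPF but keeps the DKIM signature intact.
    if r.get("dkim") == "pass" or r.get("dmarc") == "pass":
        return "accept", "SPF hard fail overridden by DKIM/DMARC pass"
    if r["policy"] in ("reject", "quarantine"):
        return r["policy"], "SPF hard fail enforced by sender's DMARC policy p=%s" % r["policy"]
    # No DMARC policy: temporary reject so the sender sees a bounce describing the SPF problem.
    return "tempfail", bounce_text(r)

# Constructed sample headers (not real mail).
SAMPLES = {
    "forwarded": "spf=fail (sender IP is 192.0.2.10) smtp.mailfrom=example.org; dkim=pass header.d=example.org; dmarc=pass",
    "broken_spf": "spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=bounce@example.net; dkim=none; dmarc=none",
    "dmarc_reject": "spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=example.com; dkim=fail; dmarc=fail (p=reject)",
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(name, decide(hdr, "smtp.example.net"))
```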