SPF strict (-all) — hard-fail on unauthorised senders

Your domain's SPF record uses the strict '-all' setting, meaning mail servers are told to outright reject any email that claims to be from your domain but was not sent by an approved server.

Why this matters

This is the gold standard for preventing email spoofing — attackers impersonating your domain to send phishing emails to your customers or partners. A strict SPF record makes that much harder to pull off.

How to fix it

Keep it up. Pair this with a DMARC record set to p=reject and a DKIM signature for full email authentication coverage. Review your SPF record if you add any new email-sending services (such as a marketing platform or CRM).
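
One way to run the review described above after adding a sending service, as an added example that is not part of the original page. The record strings are constructed for example.com, and the function names (audit_spf, dmarc_policy, review) are hypothetical. It also counts the terms that trigger DNS lookups, which goes beyond the page: RFC 7208 limits these to 10 per evaluation.

```python
import re

# Terms that each cost one DNS lookup; RFC 7208 section 4.6.4 caps the total at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(txt):
    """Parse one SPF TXT string into its 'all' term, includes and direct lookup count."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    found = {"all": None, "includes": [], "lookups": 0}
    for term in terms[1:]:
        # A term with no qualifier defaults to "+" (pass).
        qualifier, rest = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        parts = re.split(r"[:=/]", rest, maxsplit=1)
        name, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if name == "all":
            found["all"] = qualifier + "all"
        elif name == "include":
            found["includes"].append(value)
        if name in LOOKUP_TERMS:
            # Direct terms only: the records behind each include add their own lookups.
            found["lookups"] += 1
    return found

def dmarc_policy(txt):
    """Return the p= tag of a DMARC TXT string, or None if it is absent."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags.get("p", "").lower() or None

def review(spf_txt, dmarc_txt):
    """List the ways the pair falls short of -all plus p=reject."""
    spf, findings = audit_spf(spf_txt), []
    if spf["all"] != "-all":
        findings.append(f"SPF ends in {spf['all']}, not -all")
    if spf["lookups"] > 10:
        findings.append(f"{spf['lookups']} DNS-lookup terms exceed the limit of 10")
    policy = dmarc_policy(dmarc_txt)
    if policy != "reject":
        findings.append(f"DMARC policy is {policy}, not reject")
    return findings

# Constructed records for example.com, before and after a CRM was added.
SPF_BEFORE = "v=spf1 mx include:_spf.mail.example -all"
SPF_AFTER = "v=spf1 mx include:_spf.mail.example include:_spf.crm.example ~all"
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
```

The constructed "after" record shows the regression to watch for: the new include is present, but the strict '-all' was replaced with '~all' during the edit.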