SPF ~all vs -all: softfail vs hardfail, explained
Every SPF record ends with an all term that answers one question: what should receivers do with mail from a server you didn't list? ~all (softfail) says "treat it with suspicion," -all (hardfail) says "refuse it." The practical difference is smaller than most guides claim — and the right choice depends on whether you have DMARC.
Updated July 13, 2026
What each qualifier means
-all(hardfail): mail from unlisted servers should fail SPF outright. Receivers may reject it at the connection.~all(softfail): mail from unlisted servers is probably not legitimate — accept it but mark it. In practice, a signal into spam filtering.?all(neutral): no opinion. Provides effectively no protection; don't use it.+all: everything passes — worse than no SPF record at all, and some receivers penalize the domain for it.
The part most guides get wrong
Once DMARC is in play, the difference between ~all and -all mostly disappears. DMARC doesn't distinguish softfail from hardfail — either way SPF didn't pass, and your DMARC policy (p=) decides the message's fate. The all qualifier only really matters for receivers that check SPF without DMARC, a shrinking minority.
There's also a subtle argument for ~all over -all when you do have DMARC: some receivers reject hardfailing mail at SMTP time, before DMARC evaluation — which also happens before DKIM can rescue a legitimately forwarded message. Softfail lets DMARC make the final call with full information.
What to publish
- No DMARC yet:
-allis the stronger signal — but setting up DMARC matters far more than which all-qualifier you pick. - DMARC at p=none while you observe:
~allis fine and the safest during sender discovery. - DMARC enforced (quarantine/reject): either works; the DMARC policy is doing the blocking. Most large senders publish
~alland let DMARC enforce.