SPF ~all vs -all: softfail vs hardfail, explained

Every SPF record ends with an all term that answers one question: what should receivers do with mail from a server you didn't list? ~all (softfail) says "treat it with suspicion," -all (hardfail) says "refuse it." The practical difference is smaller than most guides claim — and the right choice depends on whether you have DMARC.

Updated July 13, 2026

What each qualifier means

  • -all (hardfail): mail from unlisted servers should fail SPF outright. Receivers may reject it at the connection.
  • ~all (softfail): mail from unlisted servers is probably not legitimate — accept it but mark it. In practice, a signal into spam filtering.
  • ?all (neutral): no opinion. Provides effectively no protection; don't use it.
  • +all: everything passes — worse than no SPF record at all, and some receivers penalize the domain for it.

The part most guides get wrong

Once DMARC is in play, the difference between ~all and -all mostly disappears. DMARC doesn't distinguish softfail from hardfail — either way SPF didn't pass, and your DMARC policy (p=) decides the message's fate. The all qualifier only really matters for receivers that check SPF without DMARC, a shrinking minority.

There's also a subtle argument for ~all over -all when you do have DMARC: some receivers reject hardfailing mail at SMTP time, before DMARC evaluation — which also happens before DKIM can rescue a legitimately forwarded message. Softfail lets DMARC make the final call with full information.

What to publish

  • No DMARC yet: -all is the stronger signal — but setting up DMARC matters far more than which all-qualifier you pick.
  • DMARC at p=none while you observe: ~all is fine and the safest during sender discovery.
  • DMARC enforced (quarantine/reject): either works; the DMARC policy is doing the blocking. Most large senders publish ~all and let DMARC enforce.

Common questions

Will switching from ~all to -all stop spoofing?+

Not reliably. SPF alone can't stop spoofing of your visible From address — SPF checks the hidden envelope sender, which spoofers control. Only DMARC ties authentication to the From address a human sees. If spoofing is the concern, enforcing DMARC is the fix.

Does ~all hurt my deliverability?+

No. Legitimate mail from servers in your record passes identically either way. The qualifier only affects mail from servers you didn't authorize.

What should the SPF record be for a domain that never sends email?+

v=spf1 -all — nothing is authorized, everything fails. Pair it with a DMARC record at p=reject to lock the domain down completely against spoofing.