SPF ~all vs -all: softfail, hardfail, and which to use
The qualifier at the end of your SPF record, ~all or -all, decides what a receiver should do with mail from senders you did not list. Here is the difference, what receivers actually do, and why under DMARC the choice matters less than you think.
The four SPF qualifiers
Every mechanism in an SPF record carries a qualifier that says what result it produces when it matches (RFC 7208). At the end of the record, the all mechanism matches everything not already listed, so its qualifier is the default verdict for unlisted senders:
-all  fail (hardfail): unlisted senders are NOT authorized
~all  softfail: unlisted senders are PROBABLY not authorized
?all  neutral: no assertion either way
+all  pass: everyone is authorized (never use this)
+all authorizes the entire internet to send as you; it defeats SPF entirely, so never publish it.
What receivers actually do
Here is the part that catches people out: SPF does not tell receivers to reject anything. The specification leaves disposition to the receiver (RFC 7208):
- A softfail (~all) is a weak signal. Receivers “SHOULD NOT reject based solely on this” and typically accept the mail but treat it with extra scrutiny, often filing it as spam.
- A hardfail (-all) is a stronger signal. Receivers may reject it, or may just mark it. Rejection is a choice, not a guarantee.
So “-all means my mail gets rejected” is not quite true: it means receivers are more likely to reject, but many only quarantine.
Why DMARC changes the calculation
If your domain publishes DMARC, the SPF qualifier matters less than it looks, and ~all is often the safer choice. Here is why:
- DMARC only asks whether SPF produced an aligned pass. A softfail and a hardfail are treated identically by DMARC; both simply mean “SPF did not give an aligned pass.” Your DMARC policy (p=), not the SPF qualifier, decides the disposition.
- Worse, some receivers evaluate SPF before DMARC. With -all, such a receiver can hard-reject a message on SPF alone, before DMARC ever gets to check DKIM. That can kill a legitimate, DKIM-aligned message, like a forwarded one, that DMARC would have passed. The DMARC standard calls this out explicitly (RFC 7489 §10.1).
So on a DMARC-protected sending domain, ~all does not weaken your anti-spoofing posture (DMARC drives that), and it avoids the premature-rejection trap.
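The two points above as a small model, added here as an illustration and not taken from any receiver's implementation. The function names, the spf_first flag and the example.com records are assumptions, and the model assumes the SPF domain is aligned with the From: domain.

```python
# Added illustration: a simplified model, not any real receiver's logic.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def all_result(record):
    """SPF result that the 'all' mechanism gives a sender no earlier term matched."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        if term == "all":
            return "pass"                      # a bare mechanism defaults to '+'
        if term[1:] == "all" and term[0] in QUALIFIERS:
            return QUALIFIERS[term[0]]
    return "neutral"   # no 'all' and nothing matched (redirect= is not followed here)

def dmarc_disposition(spf_result, dkim_aligned_pass, policy):
    """DMARC passes on an aligned SPF pass or an aligned DKIM pass; else p= applies.
    Assumes the SPF domain is aligned with the From: domain."""
    if spf_result == "pass" or dkim_aligned_pass:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]

def receive(record, dkim_aligned_pass, policy, spf_first):
    """Outcome for mail from an unlisted IP, e.g. a forwarder relaying your message."""
    spf = all_result(record)
    if spf_first and spf == "fail":
        return "reject"        # rejected on SPF alone; DKIM and DMARC never run
    return dmarc_disposition(spf, dkim_aligned_pass, policy)

if __name__ == "__main__":
    for rec in ("v=spf1 include:_spf.example.com ~all",   # constructed records
                "v=spf1 include:_spf.example.com -all"):
        for spf_first in (False, True):
            forwarded = receive(rec, True, "reject", spf_first)   # DKIM survives
            spoofed = receive(rec, False, "reject", spf_first)    # no valid DKIM
            print(f"{rec[-4:]} spf_first={spf_first}: "
                  f"forwarded={forwarded} spoofed={spoofed}")
```

Under p=reject the spoofed message is rejected in all four cases, while the forwarded, DKIM-aligned message is lost only in the -all plus SPF-first combination.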
So which should you use?
- Use ~all while you are still adding senders, on any domain that relies on forwarding, and generally on a DMARC-protected sending domain. It is the safe default.
- Use -all when your SPF record is complete and stable, you have enumerated every legitimate sender, and you want the strongest standalone-SPF signal for receivers that do not check DMARC. A domain that sends no mail at all should publish v=spf1 -all to hard-lock it.
- The common path: start at ~all, confirm every sender passes in your reports, then tighten to -all if you want to.
One thing ~all vs -all does not fix: if your record exceeds 10 DNS lookups it returns PermError, a different failure entirely, no matter which qualifier you use.
Frequently asked
What is the difference between ~all and -all?
Both say unlisted senders are not authorized, but at different strengths. -all (hardfail) is a firm “not authorized” that receivers may reject; ~all (softfail) is a weaker “probably not authorized” that receivers usually accept but mark as suspicious.
Does -all mean unlisted senders are rejected?
Not guaranteed. SPF leaves the decision to the receiver: a hardfail is more likely to be rejected, but many receivers only quarantine or mark it. The specification does not mandate rejection.
Should I use ~all or -all?
Start with ~all while building your record and on any domain that uses forwarding or relies on DMARC. Move to -all once your SPF record is complete and stable and you want the strongest standalone signal. A non-sending domain should use v=spf1 -all.
Does ~all weaken my protection if I have DMARC?
No. DMARC treats softfail and hardfail the same (neither is an aligned pass), and your DMARC policy decides the outcome. ~all can actually be safer, because -all risks an SPF-first receiver rejecting a DKIM-aligned message before DMARC runs.
Last verified 2026-06-23 against RFC 7208, the SPF specification.