SPF fix

SPF Softfail (~all) vs Hardfail (-all) — What to Use

Pick ~all while you're still working out who sends as you; flip to -all once you trust the list. Softfail tells receivers to accept mail from unlisted sources but mark it; hardfail tells them to reject it (though in practice many receivers only downweight an SPF fail and leave the final decision to DMARC).

Why softfail trips people up

When you’re ready for hardfail

Stay on ~all until DMARC aggregate reports show every real sender producing an aligned SPF pass. Then flip to -all and watch bounces for a week.

Tighten the policy safely

Step 1 Check the current SPF ending (the qualifier on the all term) and the include lookup tree using DNS Preflight
Step 2 If the record ends in +all, or has no all term at all, change it to ~all or -all immediately
Step 3 Publish a DMARC record with rua= reporting so aggregate reports show which sources send as you and whether each passes SPF and DKIM
Step 4 After 2-4 weeks of reports in which every legitimate sender passes SPF, change ~all to -all (forwarded mail will always fail SPF; rely on DKIM for it rather than on the SPF list)
Step 5 Monitor for 1 week after switching and watch for bounces from senders you missed
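The procedure above, as an added example in Python (not code from the original page or from the DNS Preflight tool): it reads the qualifier on the all term of an SPF record, counts the terms that spend DNS lookups, and scans a DMARC aggregate (rua) report for sources that still lack an aligned SPF pass, which is the check you run before flipping ~all to -all. The SPF records and the aggregate report XML are constructed samples using example.com and documentation IPs; the recommendation strings are this example's own wording, not the tool's.

```python
"""Added example: SPF 'all' qualifier check plus DMARC rua scan before going to -all."""
import re
import xml.etree.ElementTree as ET

# Terms that each spend one of SPF's ten DNS lookups (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_all_qualifier(record: str) -> str:
    """Return the qualifier of the last 'all' term: '+', '~', '-', '?' or 'none'."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    qualifier = "none"
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"   # a bare 'all' means '+all'
    return qualifier


def spf_lookup_terms(record: str) -> int:
    """Count terms that trigger a DNS lookup in this record alone.
    Includes are not followed, so this is a lower bound on the full lookup tree."""
    count = 0
    for term in record.split()[1:]:
        m = re.match(r"[+\-~?]?([a-z]+)", term, re.IGNORECASE)
        if m and m.group(1).lower() in LOOKUP_TERMS:
            count += 1
    return count


def recommend(record: str) -> str:
    """Step 1 and Step 2 of the procedure: what to do with the current ending."""
    q = spf_all_qualifier(record)
    if q in ("+", "?", "none"):
        return "change ending to ~all now (unlisted senders currently pass or are neutral)"
    if q == "~":
        return "keep ~all until DMARC reports show every legitimate sender passing SPF"
    return "-all already in place; keep watching for bounces"


def spf_failing_sources(rua_xml: str) -> list:
    """Step 3 and Step 4: list (source_ip, count, dkim_aligned_pass) for every
    source whose DMARC-evaluated SPF is not 'pass'. DKIM pass is reported so the
    reader can see which of these sources would still survive DMARC."""
    root = ET.fromstring(rua_xml)
    failing = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("spf") != "pass":
            failing.append((row.findtext("source_ip"),
                            int(row.findtext("count")),
                            evaluated.findtext("dkim") == "pass"))
    return failing


def safe_to_hardfail(record: str, rua_xml: str) -> bool:
    """True only when the record is already on ~all and no source fails SPF."""
    return spf_all_qualifier(record) == "~" and not spf_failing_sources(rua_xml)


# Constructed aggregate report: one listed sender passing SPF, and one sender
# (198.51.100.7) that is not in the SPF record but signs with aligned DKIM.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>softfail</result></spf>
      <dkim><domain>example.com</domain><result>pass</result></dkim></auth_results>
  </record>
</feedback>
"""

if __name__ == "__main__":
    record = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ~all"
    print(recommend(record), "| lookup terms:", spf_lookup_terms(record))
    for ip, n, dkim_ok in spf_failing_sources(SAMPLE_RUA):
        print(f"{ip}: {n} messages without SPF pass, DKIM aligned pass={dkim_ok}")
    print("safe to switch to -all:", safe_to_hardfail(record, SAMPLE_RUA))
```

The second source in the sample is the case that bites people: it passes DMARC today on DKIM alone, so nothing looks broken, yet a receiver enforcing -all on its own would start rejecting it. Either add that IP to the record or confirm it is a forwarder before flipping.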

Run DNS Preflight to see your SPF ending and lookup tree


FAQ

What is the difference between ~all and -all?

~all = softfail: receivers should accept the message but may mark it as suspicious. -all = hardfail: receivers may reject it outright. Use -all only when your SPF sender list is complete.

Should I use -all for maximum security?

Not yet. -all tells receivers to reject mail from any IP you forgot to list, so a forgotten marketing platform or ticketing system can lose mail with no warning. Complete and verify the list first, then switch.

Does ~all affect DMARC enforcement?

No. DMARC only counts an aligned SPF pass; softfail and hardfail are both simply "not pass" to DMARC, so under p=reject an unlisted sender is rejected either way unless it has an aligned DKIM signature. The SPF ending is a separate lever that matters only to receivers evaluating SPF on its own.

What does +all do?

Passes everyone: any IP on the internet can send as your domain and SPF checks nothing. That's not security. Replace it with ~all, or with -all if your list is already complete.

How do I know when it is safe to switch to -all?

After a few weeks of clean DMARC reports in which every legitimate sender shows an aligned SPF pass. Then flip to -all and watch for surprise bounces from senders you missed.