Glossary

SPF ~all and -all — Softfail vs Hardfail

The all mechanism at the end of an SPF record specifies what to do with email from servers not listed in the record. ~all (softfail) marks unauthorised senders as suspicious but typically delivers the email. -all (hardfail) marks them as definitely not authorised and receivers should reject the email. +all means everything passes and should never be used.

The Four Options

+all  Pass everything — never use this
~all  Softfail — suspicious, usually delivered
-all  Hardfail — not authorised, should reject
?all  Neutral — no policy, avoid

Which to Use

Start with ~all while setting up. Switch to -all once all legitimate senders are in your SPF record and verified clean.

Also read: SPF record · SPF softfail · Softfail vs hardfail fix guide · SPF neutral (?all)

FAQ

What is ~all in SPF?

Softfail — servers not in your SPF record are marked suspicious but email is usually still delivered. Safe starting point.

What is -all in SPF?

Hardfail — servers not in your SPF record are marked as not authorised. Receivers should reject the email. Use once all senders are confirmed.

Should I use ~all or -all?

Start with ~all. Switch to -all once you've confirmed all your legitimate senders are in the record and passing SPF.

← All glossary terms