How do “softfail (~all)” vs “fail (-all)” vs “neutral (?all)” behave?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Every SPF record ends with an "all" mechanism that tells receiving servers what to do when a sending server isn't listed. The qualifier in front of "all" changes how strict that instruction is. Same mechanism, very different real-world results.

But Here's what each one actually does in the wild.

-all (fail, "hard fail")

You're telling receiving servers: "If the sender isn't on my list, treat this as unauthorized." In practice, most mailbox providers treat -all as a strong signal. Gmail, Outlook, and Yahoo will usually send the message to spam or reject it outright when SPF fails with -all, especially if DMARC is set to quarantine or reject.

Use -all when you're confident you've listed every legitimate sending source for your domain. It's the default recommendation for production domains.

~all (softfail)

The qualifier says: "If the sender isn't on my list, treat it as suspicious but don't reject outright." Receiving servers usually accept the message and mark it internally as softfail. Gmail tends to deliver it with a warning or downweight engagement. Some providers drop it into spam. Some don't.

Softfail is a safety net while you're testing. If you're still discovering which services send mail for your domain, ~all keeps legitimate mail flowing while you audit. Once you're sure, tighten to -all.

?all (neutral)

Still this one says: "I have no opinion. Decide for yourself." Most receiving servers treat ?all as if SPF wasn't even published. It contributes almost nothing to authentication. DMARC won't align against it, and reputation scoring mostly ignores it.

There's almost no reason to run ?all in production. If you see it on a domain you own, someone set it up cautiously and forgot to finish the job.

Quick gut check

  • Production domain with known senders: -all
  • Still auditing third-party senders: ~all
  • ?all: almost never

You can confirm what your domain is publishing right now with our SPF checker. If you're tightening from softfail to fail and want a second pair of eyes before you flip it, the SOS hotline is free.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Pick the Right SPF Qualifier for Me

I just read the Email Almanac entry on SPF qualifiers (-all, ~all, ?all). Help me decide which one my domain should publish and whether it's safe to tighten from where I am today. Walk me through: 1. What my current "all" qualifier is 2. Whether I've inventoried every legitimate sender for my domain 3. What downstream impact tightening might have on any services I use 4. Whether my DMARC policy is ready for a stricter SPF --- My details (fill in what applies): - Sending domain: your domain - Current SPF "all" qualifier (if you know): -all / ~all / ?all / unsure - Known sending sources: ESPs, CRMs, helpdesks, Google Workspace, Microsoft 365, etc. - Current DMARC policy: none / p=none / p=quarantine / p=reject / unsure - Any third-party services I'm unsure about: list them

Edit the yellow boxes, then send to the AI of your choice.