What's the difference between -all and ~all in SPF?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Both -all and ~all go at the end of an SPF record and apply to any message from an IP address that didn't match your authorized senders. The difference is what you're telling the receiving server to do about it.

-all (hard fail) means: if the sending IP isn't in my SPF record, this message isn't from me. Reject it, or treat it as a strong spam signal. It's an explicit statement that your domain shouldn't be sending from anything other than the servers you've listed.

~all (softfail) means: if the sending IP isn't in my SPF record, be suspicious, but don't reject it outright. Receiving servers typically accept softfail messages but may route them to spam. It's a softer signal.

Which should you use?

If you have DMARC configured with a reject or quarantine policy, use -all. DMARC is the enforcement layer anyway, so you want your SPF to be consistent: clear about what you authorize, strict about what you don't.

If you don't have DMARC set up yet, ~all is safer while you're still getting your authentication sorted. A hard fail on a misconfigured record (say, you forgot to add your ESP's include:) will silently kill legitimate email. Softfail gives you room to find and fix gaps without taking your sending offline.

Now one thing that often surprises people: -all doesn't on its own prevent your domain from being spoofed. Without DMARC, a spoofer can still use your visible "From" while passing SPF on a different domain. The real spoofing protection comes from DMARC alignment, not from the SPF qualifier alone.

And If you're not sure whether your record has any gaps, our free SPF checker will validate the syntax and show you what's resolving.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get advice on the right SPF qualifier for your specific setup.

I read this on the Email Almanac about the difference between -all and ~all in SPF. My SPF record currently ends with ~all / -all. I have / don't have DMARC set up. I'm [setting up authentication for the first time / reviewing an existing setup / seeing SPF failures I don't understand]. What I want to understand: whether I should switch from ~all to -all (or vice versa) and what the right call is given my current authentication setup.

Edit the yellow boxes, then send to the AI of your choice.