What's the difference between -all and ~all in SPF?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Both -all and ~all go at the end of an SPF record and apply to any message from an IP address that didn't match your authorized senders. The difference is what you're telling the receiving server to do about it.
-all (hard fail) means: if the sending IP isn't in my SPF record, this message isn't from me. Reject it, or treat it as a strong spam signal. It's an explicit statement that your domain shouldn't be sending from anything other than the servers you've listed.
~all (softfail) means: if the sending IP isn't in my SPF record, be suspicious, but don't reject it outright. Receiving servers typically accept softfail messages but may route them to spam. It's a softer signal.
Which should you use?
If you have DMARC configured with a reject or quarantine policy, use -all. DMARC is the enforcement layer anyway, so you want your SPF to be consistent: clear about what you authorize, strict about what you don't.
If you don't have DMARC set up yet, ~all is safer while you're still getting your authentication sorted. A hard fail on a misconfigured record (say, you forgot to add your ESP's include:) will silently kill legitimate email. Softfail gives you room to find and fix gaps without taking your sending offline.
Now one thing that often surprises people: -all doesn't on its own prevent your domain from being spoofed. Without DMARC, a spoofer can still use your visible "From" while passing SPF on a different domain. The real spoofing protection comes from DMARC alignment, not from the SPF qualifier alone.
And If you're not sure whether your record has any gaps, our free SPF checker will validate the syntax and show you what's resolving.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.