Quick Answer

SPF qualifiers determine what happens when email comes from unlisted senders. ~all (softfail) marks mail as suspicious but delivers it—use during testing. -all (hardfail) tells receivers to reject unauthorized mail—use in production. ?all (neutral) makes no assertion. +all passes everything and should never be used. Most domains should use -all once all senders are configured.

SPF Softfail vs Hardfail vs Neutral: What Each Qualifier Means

By Braedon · Mailflow Authority · Email Authentication · Updated 2026-03-31

SPF Qualifier Basics

Every SPF record ends with an all mechanism that handles senders not explicitly listed. The qualifier before all determines how receivers should treat those unlisted senders:

| Qualifier | Result | Meaning |
|---|---|---|
| -all | hardfail | Reject mail from unlisted senders |
| ~all | softfail | Accept but mark as suspicious |
| ?all | neutral | No assertion—treat as if no SPF |
| +all | pass | Accept from anyone (dangerous) |

Hardfail (-all)

v=spf1 include:_spf.google.com -all

What it tells receivers: "Only the listed senders are authorized. Reject everything else."

How receivers handle it: Unauthorized mail should be rejected or heavily penalized. In practice, most modern receivers look at DMARC policy first, but -all signals you've done your homework.

When to use: Once you've confirmed all legitimate senders are included and tested.

Risks: If you miss a sender, their email gets rejected. There's no "mark suspicious"—it's reject.

Softfail (~all)

v=spf1 include:_spf.google.com ~all

What it tells receivers: "These are my authorized senders, but don't reject others outright—mark them suspicious instead."

How receivers handle it: Unauthorized mail is typically delivered but may be marked as spam or flagged. With DMARC, the DMARC policy often overrides this.

When to use: During initial setup and testing. Gives you time to discover forgotten senders without losing legitimate email.

Risks: Less protection against spoofing. Phishing emails might get through.

Practitioner note: I keep clients on ~all for 2-4 weeks while we audit all their sending services. Once DMARC reports show no legitimate failures, we move to -all. The safety net of softfail has saved countless client relationships.

Neutral (?all)

v=spf1 include:_spf.google.com ?all

What it tells receivers: "I list some senders, but I make no claim about others."

How receivers handle it: Essentially ignores SPF for unlisted senders. Provides zero protection.

When to use: Almost never. Only if you genuinely can't identify all senders and don't want any SPF enforcement.

Risks: Offers no spoofing protection. Anyone can send as your domain without SPF penalty.

Pass (+all) — Never Use This

v=spf1 +all

What it tells receivers: "Anyone can send email as my domain."

How receivers handle it: Passes all SPF checks regardless of sender.

When to use: Never.

Risks: Complete spoofing exposure. This explicitly authorizes the entire internet to send as you.

How DMARC Changes the Equation

With DMARC in place, the final mail disposition depends on the DMARC policy, not just SPF:

| DMARC Policy | SPF Softfail | SPF Hardfail |
|---|---|---|
| p=none | Delivered, possibly flagged | Delivered, possibly flagged |
| p=quarantine | Spam folder (if DKIM also fails) | Spam folder (if DKIM also fails) |
| p=reject | Rejected (if DKIM also fails) | Rejected (if DKIM also fails) |

With DMARC at p=reject, both softfail and hardfail ultimately result in rejection if DKIM doesn't save the message. The difference becomes less significant.

However, -all still matters:

  1. Signals to receivers you're confident in your SPF configuration
  2. Provides protection even if DMARC isn't checked (some receivers don't)
  3. Shows up better in reputation systems

Recommended Progression

Week 1-2: Testing with softfail

v=spf1 include:_spf.google.com include:sendgrid.net ~all

Send test emails from all services. Check that the headers confirm spf=pass. Monitor for any legitimate mail showing spf=softfail.

Week 3+: Production with hardfail

v=spf1 include:_spf.google.com include:sendgrid.net -all

Once confident all senders are included, switch to hardfail.
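
The header check from the testing phase, as an added example that is not part of the original article: it reads Authentication-Results headers from test messages and lists mail from your domain that did not get spf=pass, counting only headers stamped by your own receiving server. The messages, host names (mx.receiver.test), addresses, and function names are constructed for illustration.

```python
import re
from email import message_from_string

COMMENT = re.compile(r"\([^()]*\)")  # "(...)" comments inside the header

# Constructed test messages (headers only); all hosts and addresses are made up.
SAMPLES = [
    "Authentication-Results: mx.receiver.test;\n"
    " spf=pass (sender IP is permitted) smtp.mailfrom=alice@example.com;\n"
    " dkim=pass header.d=example.com\n"
    "Subject: Test from mailbox provider\n\n",
    "Authentication-Results: mx.receiver.test;\n"
    " spf=softfail (transitioning domain) smtp.mailfrom=noreply@example.com\n"
    "Subject: Appointment confirmation\n\n",
    # Header stamped by some other host: not evidence, must be skipped.
    "Authentication-Results: mx.unknown.test; spf=fail smtp.mailfrom=bob@example.com\n"
    "Subject: Relayed copy\n\n",
]

def spf_verdicts(raw, authserv_id):
    """Return [(result, mailfrom)] from headers stamped by our own receiver."""
    out = []
    for header in message_from_string(raw).get_all("Authentication-Results", []):
        fields = COMMENT.sub("", header).split(";")
        if fields[0].strip().lower() != authserv_id.lower():
            continue  # first field is the authserv-id of the stamping host
        for clause in fields[1:]:
            res = re.search(r"\bspf=(\w+)", clause, re.I)
            if res:
                mf = re.search(r"smtp\.mailfrom=(\S+)", clause, re.I)
                out.append((res.group(1).lower(), mf.group(1) if mf else ""))
    return out

def non_passing(messages, domain, authserv_id):
    """List (result, mailfrom, subject) for mail from `domain` that is not spf=pass."""
    found = []
    for raw in messages:
        subject = message_from_string(raw)["Subject"]
        for result, mailfrom in spf_verdicts(raw, authserv_id):
            sender_domain = mailfrom.rsplit("@", 1)[-1].lower()
            if sender_domain == domain and result != "pass":
                found.append((result, mailfrom, subject))
    return found

if __name__ == "__main__":
    for row in non_passing(SAMPLES, "example.com", "mx.receiver.test"):
        print(row)
```

The subject line is what lets you trace a softfail back to the service that sent it, so give each test message a subject naming its source.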

Practitioner note: The softfail-to-hardfail transition catches more problems than you'd expect. Last month I helped a client who forgot their scheduling tool sends appointment confirmations. We caught it at ~all instead of losing customer emails at -all.

Checking Your Current Qualifier

dig TXT yourdomain.com +short | grep spf

Look at the end of your SPF record. The qualifier before all is your current setting.
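
An added example, not code from the original article: it takes the TXT strings returned by the dig command above and reports the effective qualifier. It goes beyond the four rows of the qualifier table to cover a bare all (an omitted qualifier defaults to +), a record with no all mechanism, multiple SPF records, and terms placed after all. The sample records and the names classify_all and unquote are constructed for illustration.

```python
import re

# Qualifier -> result label, using the names from the qualifier table above.
RESULTS = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass"}
ALL_TERM = re.compile(r"^([-~?+]?)all$", re.IGNORECASE)

def unquote(txt):
    """Undo dig's quoting; a long record split into "a" "b" is joined as ab."""
    return txt.strip().replace('" "', "").strip('"')

def classify_all(txt_records):
    """Return (result, note) for how the domain treats unlisted senders."""
    spf = [r for r in map(unquote, txt_records)
           if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ("none", "no SPF record published")
    if len(spf) > 1:
        return ("permerror", "more than one v=spf1 record")
    terms = spf[0].split()[1:]
    for i, term in enumerate(terms):
        m = ALL_TERM.match(term)
        if m:
            # An omitted qualifier defaults to "+", so bare "all" is +all.
            note = "ignored after all: " + " ".join(terms[i + 1:]) if terms[i + 1:] else ""
            return (RESULTS[m.group(1) or "+"], note)
    redirect = [t for t in terms if t.lower().startswith("redirect=")]
    if redirect:
        return ("redirect", "policy is taken from " + redirect[0].split("=", 1)[1])
    # Neither all nor redirect: unmatched senders get the default, neutral.
    return ("neutral", "no all mechanism, behaves like ?all")

# Constructed sample answers, shaped like `dig TXT yourdomain.com +short` output.
SAMPLES = {
    "hardfail": ['"google-site-verification=placeholder"',
                 '"v=spf1 include:_spf.google.com -all"'],
    "bare all": ['"v=spf1 include:_spf.google.com all"'],
    "no all": ['"v=spf1 include:_spf.google.com include:sendgrid.net"'],
    "misordered": ['"v=spf1 include:_spf.google.com ~all include:sendgrid.net"'],
}

if __name__ == "__main__":
    for name, records in SAMPLES.items():
        print(name, classify_all(records))
```

The misordered case is worth checking for after any edit: an include appended after all is never evaluated, so that sender stays unauthorized even though it appears in the record.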

When Softfail Makes Sense Long-Term

Some scenarios warrant staying on ~all:

  1. Frequent ESP changes — Agencies testing new tools
  2. Complex forwarding — Mail that gets forwarded through multiple hops
  3. Incomplete inventory — Can't confirm all services that send email

But ideally, audit your senders and move to -all. The protection is worth the effort.

For the complete SPF setup, see the SPF setup guide. To understand how SPF interacts with DMARC, see SPF alignment in DMARC. For debugging failures, see debugging SPF failures. If you need help auditing your sending services or safely transitioning from softfail to hardfail, schedule a consultation.

v1.0 · March 2026

Frequently Asked Questions

What's the difference between ~all and -all in SPF?

~all (softfail) tells receivers 'this probably shouldn't pass but deliver it anyway and mark it suspicious.' -all (hardfail) tells receivers 'reject this outright.' In practice, many receivers treat both similarly due to DMARC, but -all is the stronger signal.

Should I use softfail or hardfail?

Start with ~all (softfail) while setting up. Switch to -all (hardfail) once you've confirmed all legitimate senders are included and tested. -all provides stronger protection against spoofing.

What does ?all mean in SPF?

?all (neutral) means 'I make no assertion about senders not listed.' It's effectively saying 'SPF doesn't apply to unlisted senders.' This provides no protection and shouldn't be used.

Why do some guides recommend ~all over -all?

Historical reasons—before DMARC, hardfail could cause legitimate mail loss from forwarding. With DMARC in place, the DMARC policy controls final disposition, making -all safe for most setups.

How do email providers handle softfail vs hardfail?

Gmail and Microsoft look at SPF alongside DMARC. With DMARC at p=reject, both softfail and hardfail result in rejection if DKIM also fails to align. Without DMARC, hardfail is more likely to trigger rejection than softfail.
