When a checker flags ~all with a warning, a lot of people assume something is broken. It is not. SPF softfail is a valid and common configuration. The warning is a reminder that a stricter setting exists, not an error that needs immediate attention.
What the all mechanisms mean
- ~all: softfail. Emails from unlisted senders are flagged as suspicious but still delivered.
- -all: hardfail. Emails from unlisted senders should be rejected.
- ?all: neutral. No guidance given to receivers. Avoid this.
- +all: pass everything. Never use this.
When softfail is the right choice
~all is appropriate when:
- You are still auditing which services send email on your behalf
- You recently added a new sending platform and have not confirmed it is covered in your SPF record yet
- You are in the early stages of setting up authentication
Softfail keeps mistakes recoverable. If you miss a sending service, hardfail blocks legitimate email. Softfail lets it through while still flagging that something looks off.
When to switch to -all
Switch to -all when you are confident every legitimate sending source is listed in your SPF record. Before switching:
- Audit every service that sends email using your domain (transactional, marketing, support, calendar invites)
- Confirm all of them are covered by an include: or ip4: mechanism in your record
- Run a check at InboxGreen and confirm SPF passes cleanly
Then change ~all to -all in your existing record:
v=spf1 include:_spf.google.com include:sendgrid.net -all
No other changes needed. Save and wait a few minutes for propagation.
Does it matter if you have DMARC enforcement?
With DMARC at p=quarantine or p=reject, the practical difference between ~all and -all is small. DMARC enforcement handles failures regardless of the SPF all policy. The main reason to switch to -all is to give non-DMARC-aware providers a stronger signal and add a defense-in-depth layer.
Verify it
dig TXT yourdomain.com | grep spf
Confirm you still have exactly one SPF record and it ends with -all. Run a full check at InboxGreen to confirm SPF still passes after the change.
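The same check as a script, added here as an illustration and not part of the original post: it takes the TXT strings a lookup returns, confirms there is exactly one SPF record, and reports which all policy it ends with and which terms are evaluated before it. The function names and the sample records are constructed for this example.

```python
import re

# Meaning of each qualifier in front of "all", as listed in the article.
QUALIFIERS = {"+": "pass", "-": "hardfail", "~": "softfail", "?": "neutral"}

def normalize(txt):
    """Join the quoted chunks dig prints for one TXT record (no space added)."""
    chunks = re.findall(r'"([^"]*)"', txt)
    return ("".join(chunks) if chunks else txt).strip()

def audit_spf(txt_records):
    """Summarize the SPF state of one domain's TXT record set."""
    spf = [r for r in map(normalize, txt_records)
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    report = {"records": len(spf), "all": None, "terms": [], "problems": []}
    if len(spf) != 1:
        # Zero records means no policy; more than one is a permerror at receivers.
        report["problems"].append(f"expected exactly one SPF record, found {len(spf)}")
        return report
    for term in spf[0].split()[1:]:
        # A mechanism with no qualifier defaults to "+" (pass).
        qualifier, name = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if name.lower() == "all":
            report["all"] = QUALIFIERS[qualifier]
            break  # anything written after "all" is never evaluated
        report["terms"].append(name)
    if report["all"] is None:
        report["problems"].append("no all mechanism")
    elif report["all"] in ("pass", "neutral"):
        report["problems"].append(f"all policy is {report['all']}")
    return report

# Constructed sample TXT answers (not real lookups).
SOFTFAIL = ['"google-site-verification=EXAMPLE"',
            '"v=spf1 include:_spf.google.com include:sendgrid.net ~all"']
HARDFAIL_SPLIT = ['"v=spf1 include:_spf.google.com " "include:sendgrid.net -all"']
DUPLICATE = ['"v=spf1 include:_spf.google.com -all"',
             '"v=spf1 include:sendgrid.net ~all"']

if __name__ == "__main__":
    for label, records in [("softfail", SOFTFAIL), ("hardfail", HARDFAIL_SPLIT),
                           ("duplicate", DUPLICATE)]:
        print(label, audit_spf(records))
```

The terms list is the inventory to compare against your audit of sending services before changing ~all to -all.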
For the full guide with verification steps and common mistakes: SPF softfail: fix guide
Top comments (1)
in practice, you'd never want to use spf hardfail at all unless you're not sending any email from the domain
spf hardfail will cause deliverability issues in most cases
here are some relevant links: