Suped

Summary

Most email marketers, experts, and some documentation sources recommend using softfail (~all) with DMARC to avoid deliverability issues caused by hardfail (-all). Hardfail can lead to legitimate emails being rejected, especially when forwarding is involved or when some mail providers perform early SPF checks. Softfail allows DMARC to make the final decision. However, Microsoft documentation suggests using hardfail and considers softfail not to be a best practice, creating conflicting advice.

Key findings

  • Softfail Preference: A majority of sources recommend softfail (~all) with DMARC.
  • Hardfail Issues: Hardfail (-all) can cause legitimate emails to be rejected due to forwarding and early SPF checks.
  • DMARC's Role: Softfail allows DMARC to decide how to handle emails, improving deliverability.
  • Microsoft's Stance: Microsoft recommends using hardfail and considers softfail not to be a best practice, conflicting with other recommendations.
  • SPF vs DMARC: SPF fail results are not equivalent to DMARC fail results; therefore, using softfail allows DMARC to manage emails appropriately.
  • Obsolete Hardfail: Multiple experts state that SPF `-all` is obsolete with DMARC.

Key considerations

  • Forwarding: Consider how forwarding affects SPF checks, as hardfail can reject forwarded emails.
  • Provider Behavior: Be aware of mail providers that reject emails based on SPF hardfail before DMARC evaluation.
  • Conflicting Advice: Conflicting advice exists, requiring careful consideration of domain-specific needs.
  • Risk Tolerance: Evaluate your risk tolerance for potentially rejecting legitimate emails due to hardfail.
  • DMARC Policy Alignment: Ensure your choice aligns with your overall DMARC policy.
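
The trade-off summarized above, shown as an added example (not code from Suped or from any source quoted on this page): a small Python model of how a receiver treats the same message under `-all` and `~all`. The `early_spf_reject` switch, the sample messages and the outcome strings are assumptions made for illustration.

```python
# Added example: a constructed model of receiver behaviour, not a real MTA or library.
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    ip_authorized: bool   # connecting IP matches a mechanism in the sender's SPF record
    spf_aligned: bool     # MAIL FROM domain aligns with the From: header domain
    dkim_aligned: bool    # valid DKIM signature whose d= aligns with the From: domain

def spf_result(msg, all_qualifier):
    """No mechanism matched -> the trailing 'all' qualifier decides the result."""
    if msg.ip_authorized:
        return "pass"
    return {"-all": "fail", "~all": "softfail"}[all_qualifier]

def dmarc_passes(msg, spf):
    """DMARC passes when SPF or DKIM passes and is aligned with the From: domain."""
    return (spf == "pass" and msg.spf_aligned) or msg.dkim_aligned

def receive(msg, all_qualifier, dmarc_policy, early_spf_reject):
    """Return the receiver's action. early_spf_reject models a provider that
    refuses mail on SPF 'fail' before DKIM/DMARC are evaluated."""
    spf = spf_result(msg, all_qualifier)
    if early_spf_reject and spf == "fail":
        return "rejected on SPF fail, DMARC never evaluated"
    if dmarc_passes(msg, spf):
        return "accepted, DMARC pass"
    return f"DMARC fail, policy {dmarc_policy} applied"

# Constructed sample messages (hypothetical, for illustration only).
SAMPLES = {
    "direct":    Message(ip_authorized=True,  spf_aligned=True, dkim_aligned=True),
    # A forwarder relays from its own IP, but the DKIM signature survives intact.
    "forwarded": Message(ip_authorized=False, spf_aligned=True, dkim_aligned=True),
    "spoofed":   Message(ip_authorized=False, spf_aligned=True, dkim_aligned=False),
}

def matrix(dmarc_policy="reject"):
    """Outcome for every sample x qualifier x receiver behaviour."""
    return {(name, q, early): receive(m, q, dmarc_policy, early)
            for name, m in SAMPLES.items()
            for q in ("-all", "~all")
            for early in (True, False)}

if __name__ == "__main__":
    for key, action in matrix().items():
        print(key, "->", action)
```

With a DMARC policy of reject, the spoofed message is refused under either qualifier; only the forwarded, DKIM-signed message changes outcome, and only at a receiver that rejects on SPF fail before evaluating DMARC.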

What email marketers say

12 marketer opinions

The consensus among email marketers and experts is that softfail (~all) is generally preferred over hardfail (-all) when using SPF with DMARC. Hardfail can cause legitimate emails to be rejected, especially due to forwarding issues or early SPF failures by some providers before DMARC evaluation. While hardfail is stricter, it can lead to unintended deliverability problems. Softfail allows DMARC to make the final decision, providing a safer approach to email authentication. However, Microsoft documentation recommends using hardfail.

Key opinions

  • Softfail Preference: Most sources recommend using softfail (~all) with DMARC to avoid rejecting legitimate emails.
  • Hardfail Issues: Hardfail (-all) can cause deliverability problems due to forwarding and early SPF checks.
  • DMARC's Role: Softfail allows DMARC to make the final decision on email handling, improving deliverability.
  • Hardfail is Obsolete: SPF `-all` is described as obsolete in the world of DMARC; the advice is to use `~all` outside of rare cases.

Key considerations

  • Forwarding: Consider how forwarding might affect SPF checks, as hardfail can cause forwarded emails to be rejected.
  • Provider Behavior: Be aware that some mail providers might reject emails based on SPF hardfail before even checking DMARC.
  • Platform Support: Check whether your email marketing platform fully supports SPF and DMARC configurations.
  • Microsoft Recommendation: Microsoft recommends using hardfail. Consider your deliverability needs.

Marketer view

Email marketer from Mailhardener responds that using a hardfail (-all) is more strict, and instructs the receiver to reject the email if it fails the SPF check. Softfail (~all) is less strict, and instructs the receiver to accept the email but mark it as suspicious. Softfail is generally preferred in conjunction with DMARC, as it provides the DMARC mechanism the opportunity to make the final decision.

29 Apr 2022 - Mailhardener

Marketer view

Marketer from Email Geeks explains that if you were evaluating only SPF, and DMARC wasn't even a thing, the `-all` would likely be better. But some MBPs will reject as soon as they see a failed `-all`, and never even get to DKIM/DMARC, but some of those providers are now making an effort to stop acting in such a way.

27 Nov 2021 - Email Geeks

What the experts say

2 expert opinions

Experts from both Email Geeks and Word to the Wise agree that using `-all` (hardfail) in SPF records is outdated in environments where DMARC is implemented. They recommend using `~all` (softfail) instead.

Key opinions

  • Hardfail Obsolete: The consensus is that hardfail (`-all`) is no longer the recommended practice when DMARC is in use.
  • Softfail Recommendation: Both sources suggest using softfail (`~all`) as the appropriate setting for SPF records with DMARC.

Key considerations

  • DMARC Reliance: The advice is given in the context of using DMARC, which handles policy enforcement based on SPF and DKIM results.
  • Rare Exceptions: The recommendation to use softfail includes the caveat 'outside of rare cases,' implying there might be specific scenarios where hardfail could still be considered.

Expert view

Expert from Word to the Wise responds that SPF `-all` is obsolete in the world of DMARC and recommends using `~all` outside of rare cases.

16 Dec 2023 - Word to the Wise

Expert view

Expert from Email Geeks states that `-all` is obsolete in the world of DMARC and recommends using `~all` outside of rare cases.

20 Apr 2022 - Email Geeks

What the documentation says

4 technical articles

The documentation sources provide mixed guidance on using SPF hardfail or softfail with DMARC. DMARC.org recommends using `?all` or `~all` because SPF fail results are not equivalent to DMARC fail results. RFC 7208 clarifies the technical difference between hardfail and softfail, where hardfail means rejection and softfail means marking as suspicious for DMARC's consideration. AuthSMTP recommends softfail to avoid incorrectly flagging legitimate emails. However, Microsoft suggests using hardfail and that softfail is not a best practice, creating conflicting advice among documentation sources.

Key findings

  • SPF vs DMARC Fails: DMARC.org highlights that SPF 'fail' results should not be treated the same as DMARC 'fail' results.
  • Hardfail Definition: RFC 7208 states that hardfail (`-all`) instructs receiving servers to reject emails failing the SPF check.
  • Softfail Definition: RFC 7208 states that softfail (`~all`) instructs receiving servers to accept emails but mark them as suspicious, allowing DMARC to decide.
  • AuthSMTP Recommendation: AuthSMTP recommends using softfail to prevent legitimate emails from being incorrectly affected by SPF validation errors.
  • Microsoft Recommendation: Microsoft advises using hardfail and considers softfail not to be a best practice.

Key considerations

  • Conflicting Guidance: There is conflicting advice, with some sources recommending softfail for better compatibility and others suggesting hardfail for stricter security.
  • DMARC Policy: The choice between hardfail and softfail depends on the desired DMARC policy and how aggressively you want to filter potentially unauthenticated emails.
  • False Positives: Using hardfail increases the risk of false positives, where legitimate emails are incorrectly rejected.
  • Specific Needs: The best practice depends on the specific domain and sending infrastructure configuration. Evaluate your send volume, how many legitimate emails are potentially being flagged, and your risk tolerance for rejecting legitimate mail.

Technical article

Documentation from AuthSMTP explains that 'Soft Fail' is generally recommended rather than the more aggressive 'Fail' to avoid genuine mail being affected by SPF validation errors. 'Soft Fail' instructs receiving servers to accept the email but mark it as possibly originating from an unauthorized source.

18 Sep 2024 - AuthSMTP

Technical article

Documentation from Microsoft responds that a hard fail means that mail servers that receive messages from your domain that fail the SPF check should reject them. It goes on to say that soft fail is not a best practice and so should not be used.

30 May 2024 - Microsoft
