Suped

What are the considerations for using soft fail vs hard fail in SPF policies?

Summary

Choosing between SPF soft fail (~all) and hard fail (-all) policies requires careful consideration of deliverability and security trade-offs. Experts and documentation generally advise against hard fails, as they can override DMARC, cause legitimate emails to be rejected before DKIM/DMARC checks, and negatively impact deliverability. Soft fails, while more forgiving, can lead to inconsistent deliverability due to varying interpretations by receiving mail servers. It's widely recommended to use SPF in conjunction with DMARC, starting with a monitoring policy (p=none) to gather data and gradually increase enforcement. Understanding how receivers handle failing emails and ensuring that legitimate sources are included in the SPF record are also crucial.

Key findings

  • Hard Fail Risks: Hard fails can override DMARC, cause rejection of legitimate emails, and negatively impact deliverability.
  • Soft Fail Flexibility: Soft fails offer flexibility but can lead to inconsistent deliverability and potential spam placement.
  • DMARC Importance: DMARC is essential for managing SPF policies, handling negative assertions, and preventing unauthorized bulk emails.
  • Receiver Discretion: Receiving mail systems ultimately decide how to handle emails that fail SPF, but best practice is to let DMARC dictate.
  • Monitoring Recommended: Starting with a DMARC monitoring policy (p=none) is recommended to gather data and avoid unintended consequences.

Key considerations

  • DMARC Policy: Implement a DMARC policy to manage how receivers handle failing mail and prevent spoofing.
  • Policy Enforcement: Gradually increase enforcement based on DMARC data to minimize disruptions and false positives.
  • Legitimate Sources: Ensure legitimate email sources are included in the SPF record to avoid rejection.
  • Email Server Handling: Understand that receiving mail servers can handle soft and hard fails differently.
  • Deliverability Impact: Carefully assess the potential impact on deliverability when choosing between soft and hard fails.

What email marketers say

11 marketer opinions

When configuring SPF policies, the choice between soft fail (~all) and hard fail (-all) involves trade-offs between deliverability and security. Hard fails offer more explicit instructions to receiving servers, potentially preventing spoofing and phishing, but risk rejecting legitimate emails from sources not explicitly included in the SPF record. Soft fails are more forgiving, allowing for greater flexibility, but may result in inconsistent deliverability and potential placement in spam folders. It's generally recommended to use DMARC in conjunction with SPF to manage email authentication policies. Starting with a monitoring mode (p=none) and gradually increasing enforcement based on collected data helps prevent unintended consequences.

Key opinions

  • Hard Fail Risks: Hard fails can lead to rejection of legitimate emails and parsing issues.
  • Soft Fail Flexibility: Soft fails provide flexibility but can result in inconsistent deliverability.
  • DMARC Importance: DMARC is crucial for managing SPF policies effectively.
  • Monitoring Phase: Starting with DMARC monitoring mode is recommended to assess impact.
  • SPF Failure Impact: Both soft and hard SPF failures can negatively affect deliverability.

Key considerations

  • Deliverability Impact: Assess the potential impact on deliverability for both hard and soft fails.
  • Legitimate Sources: Ensure legitimate email sources are included in the SPF record to avoid rejection.
  • DMARC Integration: Implement DMARC to manage SPF policies and monitor authentication results.
  • Gradual Enforcement: Gradually increase SPF enforcement based on DMARC data to minimize disruptions.
  • Mail Server Behavior: Be aware that receiving mail servers handle soft fails and hard fails differently.

Marketer view

Email marketer from Reddit suggests setting up DMARC in monitoring mode (p=none) first to gather data before implementing a hard fail in SPF, to avoid unintended consequences with legitimate email sources.

5 Jul 2023 - Reddit

Marketer view

Email marketer from GlockApps explains that any SPF failure (soft or hard) can negatively impact deliverability, but hard fails are more likely to result in immediate rejection. Soft fails might land in spam.

10 Jun 2022 - GlockApps

What the experts say

6 expert opinions

Experts generally recommend using a soft fail (~all) over a hard fail (-all) in SPF policies. A hard fail can sometimes override DMARC and lead to legitimate emails being blocked. Soft fails allow receiving mail servers to handle messages as they see fit, aligning with SPF's advisory intent. DMARC is crucial for managing SPF policies and handling negative policy assertions, especially to prevent unauthorized bulk emails. It's important to consider how strictly you want receivers to treat failing mail, with hard fails instructing rejection and soft fails suggesting caution.

Key opinions

  • Soft Fail Preference: Experts recommend using soft fail (~all) over hard fail (-all).
  • Hard Fail DMARC Override: Hard fail can override DMARC settings, causing unintended blocking.
  • DMARC Importance: DMARC is essential for managing SPF and handling negative policy assertions.
  • SPF Advisory Nature: SPF was intended to be advisory, giving receivers discretion in handling mail.
  • Bulk Email Prevention: DMARC is a partial solution for preventing unauthorized bulk emails.

Key considerations

  • DMARC Policy: Implement a DMARC policy to manage how receivers handle failing mail.
  • Receiver Handling: Consider how strictly you want receivers to treat mail that fails SPF.
  • Policy Enforcement: Ensure proper DMARC setup to prevent blocking legitimate emails.
  • SPF Configuration: Configure SPF to work in conjunction with DMARC for optimal email authentication.
  • Unintended Consequences: Avoid hard fails that can override DMARC settings.

Expert view

Expert from Email Geeks explains that `-all` can sometimes override DMARC and cause blocking before DKIM is checked. He suggests `~all` is better as it passes the blocking question on to the DMARC policy.

24 Feb 2023 - Email Geeks

Expert view

Expert from Word to the Wise responds that the main consideration is how strictly you want receivers to treat mail that fails SPF. Using a hard fail (-all) tells receivers to reject the message, while a soft fail (~all) is a suggestion to treat the mail with caution. He recommends using DMARC policy to handle this.

15 Nov 2022 - Word to the Wise

What the documentation says

5 technical articles

Official documentation outlines the fundamental differences between soft fail (~all) and hard fail (-all) SPF policies. Soft fail suggests the IP is unauthorized but still allows the message to be accepted, while hard fail strongly recommends rejection. While SPF implementation is crucial for preventing spoofing, choosing between soft and hard fail needs careful consideration, as the ultimate decision lies with the receiving mail system. Starting with a soft fail allows a gradual rollout of SPF policy.

Key findings

  • Soft Fail Definition: Soft fail (~all) suggests the IP is not authorized but still allows the message to be accepted.
  • Hard Fail Definition: Hard fail (-all) strongly recommends rejecting the message.
  • Implementation Importance: Proper SPF implementation is vital for preventing email spoofing.
  • Receiver Discretion: The receiving mail system ultimately decides how to handle failing emails.
  • Gradual Rollout: Soft fail allows for a more gradual introduction of SPF policies.
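As an added illustration of the soft fail vs hard fail distinction described above (example code written for this page, not taken from it or from any source it cites), the following Python evaluates a minimal SPF record for a sending IP and then models the two receiver behaviours the page describes: acting on a hard fail at SMTP time before DKIM/DMARC are evaluated, or deferring the decision to the DMARC policy. It assumes only ip4/ip6/all mechanisms (include/a/mx need DNS and are left out) and uses constructed documentation-range addresses.

```python
import ipaddress

# Added example, not code from the page or from any vendor it cites.
# Only ip4/ip6/all mechanisms are evaluated; include/a/mx need DNS
# lookups and are out of scope here.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result for sender_ip against a TXT record such as
    'v=spf1 ip4:192.0.2.0/24 ~all' (pass/fail/softfail/neutral/none)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # a v4 address never matches an ip6 network (and vice versa)
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            # the trailing ~all or -all decides what unmatched senders get
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term (RFC 7208)


def receiver_outcome(spf_result: str, spf_aligned: bool, dkim_aligned: bool,
                     dmarc_policy: str, rejects_hardfail_at_smtp: bool) -> str:
    """Model the receiver behaviour the page describes: some receivers act on
    an SPF hard fail at SMTP time, before DKIM and DMARC are evaluated, while
    a soft fail hands the decision to the DMARC policy."""
    if spf_result == "fail" and rejects_hardfail_at_smtp:
        return "rejected before DKIM/DMARC evaluation"
    # DMARC passes if either aligned SPF or aligned DKIM passes
    if (spf_result == "pass" and spf_aligned) or dkim_aligned:
        return "accepted (DMARC pass)"
    return {"none": "accepted, reported only",
            "quarantine": "quarantined",
            "reject": "rejected by DMARC policy"}[dmarc_policy]


if __name__ == "__main__":
    # constructed sample: a third-party sender missing from the record but
    # signing with aligned DKIM; only the SPF qualifier differs
    for record in ("v=spf1 ip4:192.0.2.0/24 -all", "v=spf1 ip4:192.0.2.0/24 ~all"):
        result = evaluate_spf(record, "198.51.100.7")
        print(record, "->", result, "->",
              receiver_outcome(result, False, True, "reject", True))
```

Running the sample shows the same legitimate DKIM-signed message being rejected under -all by a receiver that acts on hard fails early, but accepted under ~all once DMARC sees the aligned DKIM pass.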

Key considerations

  • Enforcement Strength: Decide how strictly you want receivers to treat unauthorized IPs.
  • Receiver Interpretation: Understand that receiving mail systems may handle fails differently.
  • Policy Introduction: Consider a soft fail approach when initially implementing SPF.
  • Deliverability Impact: Assess the potential impact on deliverability based on policy choice.
  • Spoofing Prevention: Prioritize SPF setup to mitigate email spoofing risks.

Technical article

Documentation from GitHub explains that the practical differences between soft and hard fails are small, as it's up to the individual mail system's discretion.

5 May 2023 - GitHub

Technical article

Documentation from ietf.org explains that a hard fail (using -all) indicates the mail server believes the IP address is not authorized, and the message should be rejected. This is a strong assertion.

8 Jun 2023 - ietf.org
