Suped

Summary

SPF 'all' qualifiers (+all, -all, ~all, ?all) dictate how receiving mail servers handle emails failing SPF authentication. +all allows all mail (disabling SPF) and is generally discouraged. -all is a hard fail, allowing only explicitly authorized sources. ~all is a soft fail, generally treated as a pass with reporting. ?all is neutral (no assertion). Documentation clarifies that SPF qualifiers modify the mechanism's meaning: pass, fail, softfail, or neutral. Best practices advise publishing an SPF record upon domain registration, including all sending sources, and monitoring DMARC reports. ~all is often preferred initially, with -all possible later once you are confident in the SPF record's accuracy. SPF records verify the IP addresses authorized to send for a domain, aiding email deliverability and security. Using ?all signifies uncertainty and should be avoided in production.

Key findings

  • +all disables SPF and poses a risk: +all effectively disables SPF, making it dangerous to use. Some mail providers may mark mail from domains that publish +all as spam.
  • ~all is the most recommended starting point: ~all is the most commonly recommended starting point, providing better compatibility.
  • -all enforces strict security: -all provides strict security, which can be beneficial, but requires a comprehensive SPF record.
  • ?all is not for live records: ?all indicates uncertainty and isn't appropriate for live SPF records; mostly for testing.
  • SPF helps prevent spoofing and spam: SPF helps prevent spammers from forging emails from your domain.
  • SPF record creation: Create the SPF record as soon as you register your domain.
  • Monitoring DMARC reports: Monitor DMARC reports for issues with email delivery and to help you fine-tune the SPF record.

Key considerations

  • Inclusion of all sending sources: Ensure all legitimate sending sources are included in the SPF record.
  • Transitioning to -all: Transition to -all carefully, after confirming that the SPF record is correct.
  • Regular SPF testing: Regularly test your SPF record for issues.
  • SPF record accuracy: Maintaining an accurate and up-to-date SPF record is essential.

What email marketers say

14 marketer opinions

SPF 'all' qualifiers (+all, -all, ~all, ?all) dictate how receiving mail servers handle emails that fail SPF authentication. +all allows all mail, effectively disabling SPF. -all is a hard fail, allowing only explicitly authorized sources. ~all is a soft fail, treated as a pass by many systems while still allowing for reporting. ?all is neutral, offering no assertion. Best practices generally advise against +all, recommend starting with ~all for monitoring, and suggest potentially moving to -all once confident in SPF record accuracy. A well-configured SPF record, aligned with DMARC, enhances email security and deliverability.

Key opinions

  • +all is dangerous: Using +all effectively disables SPF, as it allows any server to send emails on behalf of your domain.
  • ~all is a good starting point: The recommended best practice is to start with ~all for initial configuration and monitoring.
  • -all is stricter: -all provides stricter enforcement but requires accurate SPF records to avoid unintentionally blocking legitimate email.
  • SPF impacts deliverability: A well-configured SPF record improves email deliverability and helps prevent spam.
  • Mailbox providers treat SPF records differently: Some mailbox providers evaluate overly broad SPF records with +all differently, marking them as spam.
  • SPF aligns with DMARC: Correctly configured SPF aligns with DMARC policies, enhancing email security and deliverability.
  • SPF is for authorization: SPF verifies authorized IP addresses to prevent unauthorized sources from sending emails on behalf of the domain.

Key considerations

  • Record accuracy: Ensure your SPF record accurately includes all legitimate sending sources to avoid deliverability issues with stricter policies.
  • Monitoring: Regularly monitor DMARC reports to identify any needed adjustments to your SPF record.
  • Testing: Use testing and monitoring to transition from ~all to -all safely.
  • DMARC alignment: Aligning SPF with DMARC is crucial for robust email security.
  • Provider specific handling: Be aware that different mailbox providers may interpret SPF records differently.

Marketer view

Email marketer from easydmarc.com shares that SPF is used to verify the authorized IP addresses that are permitted to send emails on behalf of your domain. The SPF record is published in your domain’s DNS zone.

29 Jun 2021 - easydmarc.com

Marketer view

Marketer from Email Geeks shares, from the 2017 MAAWG: "90% of emails with SPF +all is marked as spam at Yandex."

12 Jun 2023 - Email Geeks

What the experts say

9 expert opinions

SPF 'all' qualifiers determine how mail servers handle SPF authentication failures. +all allows any server to send mail (effectively disabling SPF). ?all indicates uncertainty and is not recommended for production. ~all (softfail) is generally preferred for its compatibility and reduced risk of mail being dropped. -all (hard fail) provides stricter enforcement. Experts recommend publishing an SPF record early, including all sending sources, and monitoring DMARC reports to refine the configuration. +all is only suitable for testing.

Key opinions

  • +all disables SPF: +all allows any server to send mail and negates SPF protection.
  • ?all is not for production: ?all signifies a lack of understanding and should not be used in live SPF records.
  • ~all is recommended: ~all offers good compatibility with lower risks, making it a common recommendation.
  • -all offers stricter enforcement: -all enforces SPF strictly, potentially dropping mail if not properly configured.
  • Early SPF records are beneficial: Publishing an SPF record as soon as a domain is registered is encouraged.

Key considerations

  • Source inclusion: Ensure all legitimate sending sources are included in your SPF record.
  • DMARC monitoring: Regular DMARC monitoring helps identify necessary SPF adjustments.
  • Testing SPF changes: Test SPF changes carefully, and monitor the impact using DMARC reports.
  • Record accuracy: Ensure that the SPF record is as accurate as possible.

Expert view

Expert from Word to the Wise responds to a question about testing SPF record changes. They state that if you aren't already using an SPF record, then make a guess and publish an SPF record, then pay attention to your DMARC reports for a few weeks to see what kind of changes are needed.

14 Jul 2024 - Word to the Wise

Expert view

Expert from Email Geeks shares that `?` would be used in testing your SPF record and doesn't really do much.

1 Nov 2022 - Email Geeks

What the documentation says

4 technical articles

SPF qualifiers modify the meaning of mechanisms in an SPF record. '+' signifies 'pass,' allowing all mail (though this is generally discouraged for security reasons). '-' denotes 'fail,' indicating that only explicitly authorized sources should send email. '~' represents 'softfail,' typically treated as a pass but allowing for reporting. '?' implies 'neutral,' conveying no assertion about authorization. If no qualifier is specified, '+' is assumed. SPF records list authorized IP addresses for a domain, enabling email servers to verify the legitimacy of incoming messages.
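The qualifier semantics described above, as an added example that is not taken from any of the cited sources: a small evaluator that maps each qualifier to its result, applies the implicit '+' default, and flags the terminal 'all' choices the page warns against. It evaluates only ip4, ip6 and all (no DNS lookups); the function names and the sample records, which use documentation address ranges, are constructed for illustration.

```python
import ipaddress

# Qualifier -> result name; a mechanism written without a qualifier means '+'.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_terms(record):
    """Split an SPF record into (qualifier, mechanism, value) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        if "=" in term:  # modifiers (redirect=, exp=) are skipped in this sketch
            continue
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = body.partition(":")
        terms.append((qualifier, name.lower(), value))
    return terms

def evaluate(record, sender_ip):
    """SPF result for sender_ip; only ip4, ip6 and all are evaluated (no DNS)."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_terms(record):
        if name == "all":  # matches every sender, so evaluation always stops here
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and there is no 'all'

def audit_all(record):
    """Flag the 'all' choices the page warns against."""
    for qualifier, name, _ in parse_terms(record):
        if name == "all":
            return {"+": "open: any host passes", "?": "neutral: no assertion"}.get(qualifier, "ok")
    return "missing: unmatched senders get neutral"

if __name__ == "__main__":
    # Constructed records using documentation address ranges (192.0.2.0/24, 203.0.113.0/24).
    for tail in ("-all", "~all", "?all", "+all", "all"):
        record = f"v=spf1 ip4:192.0.2.0/24 {tail}"
        print(f"{record!r}: listed={evaluate(record, '192.0.2.10')}, "
              f"unlisted={evaluate(record, '203.0.113.5')}, audit={audit_all(record)}")
```

A bare `all` with no qualifier behaves exactly like +all, which is why the audit treats both as open.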

Key findings

  • SPF Qualifiers: SPF qualifiers are '+', '-', '~', and '?', which represent pass, fail, softfail, and neutral, respectively.
  • +all is discouraged: +all is generally incorrect and weakens SPF security because it explicitly allows all hosts to send mail.
  • -all is strict: -all means only explicitly authorized sources should send email.
  • ~all is a softfail: ~all is a softfail, often treated as a pass.
  • ?all is neutral: ?all indicates no assertion about authorization.
  • SPF records list authorized IP addresses: SPF records list authorized IP addresses for a domain.

Key considerations

  • Security implications: Using +all weakens email security, so it's generally not recommended.
  • Choosing the right qualifier: Selecting the appropriate qualifier depends on the desired level of enforcement and confidence in the accuracy of the SPF record.
  • Maintaining an accurate SPF record: Keep the SPF record up-to-date with all authorized sending sources.

Technical article

Documentation from authsmtp.com explains +all (PASS) which allows all mail, -all (FAIL) which only allows mail that matches one of the parameters, ~all (SoftFail) which allows mail whether or not it matches the parameters, and ?all (Neutral) which gives no policy statement.

20 Jun 2021 - authsmtp.com

Technical article

Documentation from dmarcian.com explains +all as explicitly allowing all hosts to send mail, which is usually incorrect and weakens SPF's security. -all means that only explicitly authorized sources should send email, which is stricter. ~all is a softfail, generally treated as a pass. ?all is neutral, indicating no assertion about whether the host is authorized.

4 May 2023 - dmarcian.com
