What do SPF all qualifiers mean and how should they be used?
Matthew Whittaker
Co-founder & CTO, Suped
Published 4 Jul 2025
Updated 19 Aug 2025
10 min read
Sender Policy Framework (SPF) records are a cornerstone of email authentication, helping to protect your domain from impersonation and ensure your emails reach the inbox. At the heart of a robust SPF record lies the all mechanism, which acts as a catch-all rule for any sender not explicitly listed earlier in the record. However, it's not enough to simply include all at the end of your SPF record. The qualifier attached to all dictates how receiving mail servers should treat emails that fail your SPF check.
Choosing the correct all qualifier is critical for your email deliverability and overall security posture. A misconfigured qualifier can lead to legitimate emails being marked as spam or even rejected, or conversely, allow spammers to easily spoof your domain.
SPF records are TXT records published in your domain's DNS. They list all authorized mail servers allowed to send email on behalf of your domain. When a receiving mail server gets an email, it checks your domain's SPF record to verify if the sending IP address is on the approved list. This is where qualifiers come into play, as they instruct the receiving server on what to do if the sender isn't authorized. RFC 7208, the official SPF specification, details these qualifiers and their intended behaviors.
The all mechanism is always the last entry in an SPF record, serving as a default rule for any IP addresses not covered by preceding mechanisms like ip4, mx, or include. Because all matches every sender, its qualifier determines the SPF result for any sender that reaches it. There are four qualifiers, each with distinct implications.
It is crucial to understand that these qualifiers, especially +all and ?all, can severely compromise your email security if used incorrectly. They impact how effectively your SPF record prevents unauthorized senders from using your domain. A clear understanding of these qualifiers is essential for maintaining strong email deliverability and protecting your brand's reputation.
Pass (+): Indicates that the sending IP is authorized. This is the default if no qualifier is specified for a mechanism.
Fail (-): Indicates that the sending IP is not authorized, and the email should be rejected or blocked.
SoftFail (~): Indicates that the sending IP is not authorized, but the receiving server should still accept the email, though it might mark it as suspicious or spam.
Neutral (?): Indicates that the domain makes no assertion about the sending IP address. It's as if there's no SPF record at all.
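As an added example that is not part of the original article, here is a small Python evaluator that applies the four qualifiers the way a receiving server does. It handles only ip4, ip6 and all terms so that it runs without DNS (include, a and mx are out of scope), and the record and sender addresses are constructed sample values from documentation address space.

```python
import ipaddress

# RFC 7208 qualifier characters mapped to the SPF result they produce.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result for sender_ip under a v=spf1 record.

    Minimal on purpose (added example, not a full RFC 7208 implementation):
    only ip4, ip6 and all are handled, so it runs without DNS. Mechanisms that
    need lookups (include, a, mx, ptr, exists, redirect) raise instead.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208: no qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if not name:
            return "permerror"  # a bare qualifier with no mechanism
        if name == "all":
            return QUALIFIERS[qualifier]  # all matches every sender
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed, e.g. ip4:192.0.2.0/33
            if ip in network:  # False when address/network versions differ
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"{name!r} needs DNS; not supported here")
    return "neutral"  # nothing matched and no all term: RFC 7208 says neutral


def qualifier_outcomes(sender_ip: str, authorized: str = "192.0.2.0/24") -> dict:
    """Result for one sender under each all qualifier (record is constructed)."""
    return {q: evaluate_spf(f"v=spf1 ip4:{authorized} {q}all", sender_ip)
            for q in QUALIFIERS}


if __name__ == "__main__":
    print("listed  ", qualifier_outcomes("192.0.2.25"))   # every qualifier: pass
    print("unlisted", qualifier_outcomes("198.51.100.7"))  # pass/fail/softfail/neutral
```

For a listed sender every qualifier yields pass; the qualifier only matters for senders that fall through to all.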
The permissive pass qualifier: +all
The +all qualifier (or omitting a qualifier, which defaults to +all) instructs receiving servers to Pass any email from your domain, regardless of whether the sending IP is explicitly listed in your SPF record. In essence, it says, "Anyone can send email on my behalf, and it's legitimate."
While it might seem convenient to allow all senders, using +all completely negates the purpose of SPF. It provides no protection against spoofing or phishing attempts, making your domain an easy target for malicious actors. It's essentially like having no SPF record at all, as it tells recipient servers to accept everything. Some mailbox providers, like Yandex, are known to mark a high percentage of emails with +all as spam.
You should never use +all in a production SPF record, as it completely undermines your email security. Its presence indicates a critical vulnerability that allows anyone to send email appearing to be from your domain, with high chances of landing on a blocklist (or blacklist).
The risks of +all
Using +all in your SPF record is equivalent to not having an SPF record at all. It tells receiving mail servers to accept any email purporting to be from your domain, regardless of its true origin. This leaves your domain wide open to phishing, spam, and brand impersonation, severely damaging your domain reputation. Always aim for a more restrictive qualifier like ~all or -all.
The soft fail qualifier: ~all
The ~all qualifier (soft fail) suggests that emails from unauthorized sources might not be legitimate, but the receiving server should still accept them. It advises the server to treat the email as suspicious but not outright reject it. Instead, the email might be subjected to further scrutiny, like being placed in the spam folder or having its spam score increased.
This qualifier is often recommended for domains that are in the process of implementing or tightening their SPF policy, or for those with complex email sending infrastructures where all legitimate senders may not be easily identified or updated in the SPF record immediately. It allows for a transitional period where you can monitor your DMARC reports to identify legitimate sending sources that might not yet be covered by your SPF record, without risking the rejection of important emails. For more information, see our article on whether you should use ~all or -all.
While ~all is safer than +all, it doesn't provide the strongest protection against email spoofing. For comprehensive security, especially in conjunction with DMARC, moving towards -all is ideal once all legitimate sending sources are identified and authorized. Many organizations start with ~all and transition to -all as their confidence in their SPF record grows.
When to use ~all
Transitioning: Ideal when you're first setting up or adjusting your SPF records and want to avoid disrupting legitimate email flow.
Complex infrastructure: Useful for organizations with many email sending services that are difficult to track or update instantly.
Monitoring: Allows you to gather data from DMARC reports without causing deliverability issues.
Impact on deliverability
Emails from unauthorized sources may still be delivered but are often flagged as suspicious, leading to lower inbox placement or higher spam scores.
When to use -all
Mature SPF: Once all legitimate sending sources are accurately identified and listed, -all provides maximum protection.
Strong anti-spoofing: Actively rejects unauthorized emails, preventing them from reaching recipients' inboxes.
Impact on deliverability
Unauthorized emails are hard-rejected, meaning they won't reach the inbox at all. This provides the highest level of protection but requires careful SPF record management.
The hard fail qualifier: -all
The -all qualifier (hard fail) is the most restrictive and secure option. It explicitly states that only the IP addresses and domains listed in your SPF record are authorized to send email on your behalf. Any email originating from a server not listed will be immediately rejected by the receiving mail server.
This strong enforcement provides the highest level of protection against email spoofing and phishing attacks. When an email fails an SPF check with an -all policy, it is typically dropped or bounced back to the sender, often with an SMTP reply code indicating the failure. This helps maintain your domain's reputation by preventing malicious emails from ever reaching recipients.
However, using -all requires meticulous management of your SPF record. If you forget to include a legitimate sending source, its emails will be rejected. This can lead to serious deliverability issues. It is best used in conjunction with DMARC (Domain-based Message Authentication, Reporting & Conformance) at a quarantine or reject policy, as DMARC provides valuable feedback reports that help you identify and rectify any legitimate sending sources that might be failing SPF.
Many email providers, including Google and Yahoo, strongly encourage the use of -all or ~all in conjunction with DMARC for optimal email security and deliverability. You can learn more about how Google supports SPF.
The neutral qualifier: ?all
The ?all qualifier (neutral) signifies that your domain makes no statement about whether a sending IP address is authorized or not. It tells the receiving server that you do not have a policy for the identity in question, and therefore, the result should be treated exactly like a none result, where no SPF record exists. This means your SPF record offers no protection at all.
Because it offers no security benefits, ?all should almost never be used in a production environment. Its primary, very limited, use case is during testing phases where you want to publish an SPF record without it having any enforcement impact on your email flow. For example, you might use it on a non-production domain to see if the record is syntactically correct before deploying a more restrictive policy.
Some might mistakenly believe that ?all is similar to +all, but they are fundamentally different. +all explicitly passes all mail, while ?all makes no judgment at all. Neither should be the final state of a production SPF record if you care about email security and deliverability. Using ?all is an indicator that the SPF record isn't being properly utilized for its security purpose.
Strategic use of qualifiers for email security
Choosing the right SPF all qualifier is a critical decision for your email ecosystem. It directly impacts your domain's susceptibility to spoofing and phishing, as well as the successful delivery of your legitimate emails. While +all and ?all are almost universally discouraged for production use, ~all and -all each offer distinct levels of security and operational flexibility.
For domains just starting with email authentication or those with highly dynamic sending environments, ~all provides a safe initial step. It allows for monitoring and adjustments without risking immediate email rejection. However, the ultimate goal for most organizations should be to transition to -all in conjunction with a robust DMARC policy. This combination offers the strongest defense against unauthorized email activity and ensures that your legitimate emails are delivered reliably while minimizing spam and phishing risks. Regularly review and update your SPF records to maintain optimal security and deliverability.
Views from the trenches
Best practices
Always include the 'v=spf1' tag at the beginning of your SPF record to specify the SPF version.
Use '-all' for maximum protection against spoofing, especially when DMARC is in place.
Monitor your DMARC reports regularly to identify legitimate email sources that might be failing SPF checks.
Consider starting with '~all' if you are unsure of all your sending sources, then transition to '-all'.
Common pitfalls
Using '+all' or '?all' in a production SPF record, which offers no protection.
Exceeding the 10 DNS lookup limit for SPF records, leading to SPF PermError failures.
Failing to update your SPF record when adding new email services, causing legitimate emails to fail.
Having multiple SPF records for a single domain, which is a common misconfiguration.
Expert tips
If using '-all', ensure all legitimate senders are meticulously listed to prevent bounces.
Implement DMARC alongside SPF for comprehensive reporting and policy enforcement.
Regularly audit your SPF record for any unauthorized changes or expired entries.
Educate your team on the importance of SPF and other email authentication protocols.
Expert view
Expert from Email Geeks says that a failure should be treated as a neutral result, meaning '?all' is functionally the same as inactive for most receivers, though the RFC defines it as neutral.
2019-01-02 - Email Geeks
Marketer view
Marketer from Email Geeks says that '?all' should be used only for testing purposes, as it doesn't provide meaningful enforcement.
2019-01-02 - Email Geeks
Key takeaways for SPF qualifier usage
The choice of SPF all qualifier is not a trivial one. It forms the backbone of your domain's SPF security posture and directly influences your email deliverability. Understanding each qualifier's meaning and appropriate usage is paramount to building a resilient email authentication strategy. Always strive for the strongest possible policy (-all) in conjunction with DMARC, while using ~all for transitional periods. Completely avoid +all and ?all in production records to safeguard your domain from abuse and ensure your emails land where they belong: the inbox.