Suped

Summary

The consensus among experts and documentation sources is that soft fail (`~all`) is generally the safer and more versatile option for SPF implementation. It allows for legitimate emails that may not perfectly align with the SPF record due to forwarding, third-party services, or misconfigurations to still be delivered. Hard fail (`-all`) is suitable only when you are absolutely confident in the accuracy of your SPF record, have a clear understanding of your mail flow, exclusively use direct mail flows, and are willing to risk rejecting legitimate emails. Some sources also suggest that the enforcement of SPF failures by large receivers may not be entirely reliable, adding another layer of complexity to the decision.

Key findings

  • Soft Fail Recommendation: Soft fail (`~all`) is generally recommended for most use cases due to its flexibility.
  • Hard Fail Risk: Hard fail can cause legitimate emails to be rejected, especially those that are forwarded or sent through third-party services.
  • Confidence in SPF Record: Hard fail should only be used when completely confident in the accuracy and completeness of the SPF record.
  • Direct Mail Flows: Hard fail is more appropriate for direct mail flows where there are no intermediate hops.
  • Potential Rejection: Hard fail instructs receiving servers to reject emails that fail SPF, while soft fail marks them as suspicious.
  • Universal Support: Soft fail is the most universally supported option and a good choice for most use cases.
  • Enforcement Reliability: The actual blocking of SPF failures by large receivers may be unreliable.
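To make the difference between the two qualifiers concrete, here is a small SPF evaluator (added example, not code from Suped or any of the cited sources) that checks a sending IP against a record and shows what a typical receiver does with the result. The record contents, IP addresses and the receiver policy are constructed assumptions; only `ip4`, `ip6` and `all` mechanisms are modelled, so `include`, `a` and `mx` are out of scope.

```python
import ipaddress

# Constructed sample values (not from the page): the domain's own outbound
# MTA and a forwarder/mailing list that is not listed in the SPF record.
DIRECT_IP = "192.0.2.25"
FORWARDER_IP = "198.51.100.7"

# RFC 7208 result for each qualifier on a matching mechanism.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split a v=spf1 record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # unqualified mechanisms mean pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_host(record, client_ip):
    """Return pass/fail/softfail/neutral for client_ip under the given record.
    Mechanisms are tested left to right; the first match decides the result."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, value in parse_record(record):
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


def receiver_action(spf_result):
    """Assumed receiver policy: only a hard 'fail' is rejected at SMTP time,
    before DKIM and DMARC are even evaluated; 'softfail' is accepted and
    handed on to DKIM/DMARC with a spam-score hint."""
    if spf_result == "fail":
        return "reject"
    if spf_result == "softfail":
        return "accept-and-mark"
    return "accept"


def compare_policies(client_ip):
    """Show the outcome for one sending IP under -all versus ~all."""
    hard = check_host("v=spf1 ip4:192.0.2.0/24 -all", client_ip)
    soft = check_host("v=spf1 ip4:192.0.2.0/24 ~all", client_ip)
    return {"-all": receiver_action(hard), "~all": receiver_action(soft)}
```

Running `compare_policies(FORWARDER_IP)` returns `{'-all': 'reject', '~all': 'accept-and-mark'}`, which is exactly the forwarding risk the findings above describe, while `compare_policies(DIRECT_IP)` accepts under both.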

Key considerations

  • Forwarding: Consider whether your emails are likely to be forwarded, as hard fail can cause issues with forwarded messages.
  • Third-Party Services: If you use third-party services to send emails, soft fail is the safer option.
  • Mail Flow: Assess your mail flow and tolerance for false positives before considering hard fail.
  • Authentication Knowledge: Ensure a solid understanding of SPF and email authentication before implementing hard fail.
  • Risk Tolerance: Determine your tolerance for legitimate emails being rejected due to SPF failures.
  • Monitoring: Start with soft fail to monitor the impact of SPF on your email traffic.

What email marketers say

9 marketer opinions

The choice between SPF hard fail (`-all`) and soft fail (`~all`) depends on the sender's confidence in their SPF record accuracy and their tolerance for potential delivery issues. Soft fail is generally recommended for broader compatibility and to avoid rejecting legitimate emails due to forwarding or other exceptions. Hard fail is suitable for senders who are certain about their sending sources and want strict enforcement, understanding that this may lead to some legitimate emails being blocked.

Key opinions

  • Hard Fail Risk: SPF hard fail can cause legitimate emails to be rejected early in the transaction, before DKIM and DMARC are evaluated.
  • Direct vs. Indirect: Hard fail is appropriate for direct mail flows (no intermediate hops) or when rejecting forwarded mail is acceptable.
  • Soft Fail Safety: Soft fail is generally safer as it accounts for forwarding and is less likely to mark legitimate emails as spam.
  • Sender Confidence: Hard fail is recommended only when completely confident in the accuracy and completeness of the SPF record.
  • Server Handling: Hard fail instructs receiving servers to reject the email, while soft fail suggests marking it as suspicious.
  • Universal Support: Soft fail is the most universally supported option and a good choice for almost all use cases.

Key considerations

  • Forwarding: Consider whether your emails are likely to be forwarded, as hard fail can cause issues with forwarded messages.
  • Sending Sources: Assess whether you are certain about all your sending sources, as uncertainty warrants using soft fail.
  • Control Level: Decide how much control you need over email authentication, balancing strict enforcement with potential false positives.
  • Tolerance for Rejection: Determine your tolerance for legitimate emails being rejected due to SPF failures.
  • Third-Party Services: Are you using third-party services to send emails on your behalf?

Marketer view

Email marketer from URIports shares that if you receive direct emails only, and are fully aware of who is sending emails on your behalf, use Hard Fail. If you send emails using third-party services, use Soft Fail.

4 Aug 2021 - URIports

Marketer view

Email marketer from Reddit states that softfail is generally safer because it accounts for forwarding. If you use hardfail, forwarded emails are more likely to be marked as spam.

6 May 2022 - Reddit

What the experts say

3 expert opinions

Experts recommend assessing your confidence in your domain's sending practices before choosing between hard fail (`-all`) and soft fail (`~all`). If you're certain that all emails originate from your intended sources, hard fail provides stricter security. However, if you use third-party services or forwarding is common, soft fail is advised to avoid unintended rejections. Furthermore, some experts suggest that the actual enforcement of SPF failures by large receivers can be unreliable.

Key opinions

  • Enforcement Reliability: The consistent blocking of SPF failures by large email receivers is uncertain.
  • Confidence Level: Hard fail is suitable when confident that only authorized emails originate from your domain.
  • Third-Party Services: If using third-party services, soft fail is the safer option.
  • Forwarding Impact: Hard fail can cause forwarded emails to fail SPF and be rejected.

Key considerations

  • Sending Practices: Evaluate your domain's email sending practices and sources.
  • Authentication Knowledge: Ensure a solid understanding of SPF and email authentication before implementing hard fail.
  • Potential Rejections: Consider the risk of legitimate emails being rejected due to SPF failures.

Expert view

Expert from Spam Resource explains that if you are confident that the only emails originating from your domain are the ones you intend, use `-all` (hard fail). If you use 3rd party services that send mail, you should use `~all` (soft fail).

11 Jul 2023 - Spam Resource

Expert view

Expert from Word to the Wise responds that if you use a hard fail and a forwarding service forwards mail, the forwarded message will fail SPF and may be rejected. Unless you fully understand SPF and email authentication, stick with soft fail (`~all`).

16 Sep 2022 - Word to the Wise

What the documentation says

3 technical articles

Official documentation from Google, Microsoft, and DMARC.org generally recommends using softfail (`~all`) as the initial SPF policy. This approach is more forgiving, allowing for legitimate emails that may not perfectly align with the SPF record due to forwarding or other common issues. While hardfail (`-all`) offers stronger enforcement, it should only be considered once you are confident in the accuracy of your SPF record and have assessed your mail flow and tolerance for false positives, as it carries a higher risk of rejecting legitimate emails.

Key findings

  • Softfail Recommendation: Softfail (`~all`) is generally recommended for initial SPF implementation.
  • Legitimate Email Delivery: Softfail allows for legitimate email that might not perfectly align with the SPF record to still be delivered.
  • Hardfail Strictness: Hardfail (`-all`) is stricter and might cause legitimate emails to be rejected.
  • Monitoring Period: Start with softfail to monitor the impact of SPF on your email traffic.
  • Assessment Required: Assess your mail flow and tolerance for false positives before considering hardfail.

Key considerations

  • Forwarding Issues: Softfail is preferred to avoid inadvertently blocking legitimate email due to common issues like forwarding.
  • SPF Record Accuracy: Hardfail should only be considered once you are confident that your SPF record is accurate and complete.
  • False Positive Risk: Evaluate your tolerance for false positives when making the decision.

Technical article

Documentation from Google Workspace Admin Help explains that using `~all` (softfail) is generally recommended because it allows for legitimate email that might not perfectly align with your SPF record (due to forwarding or other issues) to still be delivered. Hardfail (`-all`) is stricter and might cause legitimate emails to be rejected.

28 Jul 2021 - Google Workspace Admin Help

Technical article

Documentation from DMARC.org shares that while hardfail (`-all`) provides stronger enforcement, softfail (`~all`) is often preferred to avoid inadvertently blocking legitimate email due to common issues like forwarding. They recommend assessing your mail flow and tolerance for false positives when making the decision.

29 Jun 2023 - DMARC.org
