Suped

Does an SPF record require a final 'all' mechanism?

Yes, an SPF record should always include a final all mechanism. While a record might technically be considered syntactically valid without it, its absence makes the policy incomplete and largely ineffective. The all mechanism is the component that tells receiving mail servers how to treat emails from senders that are not explicitly listed in your record.

AutoSPF says:
The SPF record all tag is the last mechanism of a valid SPF TXT record (a string of TXT or text record) published on your domain's DNS.

Think of it as the default rule or the final instruction in a list of commands. It essentially says, "for any sending server that I haven't mentioned, do this."


What is the 'all' mechanism?

An SPF record is a list of approved servers and services authorized to send email on behalf of your domain. These are defined using mechanisms like a, mx, include, and ip4. A receiving mail server checks the sending IP address against these mechanisms in order.

NsLookup.io says:
The SPF record ends with the mechanism all. The all mechanism is used if no other mechanism is a match. The receiving mail server processes...

The all mechanism is a catch-all that must always be placed at the end of the record. If the sending IP address does not match any of the preceding mechanisms, the rule defined by the all mechanism is applied. This is what gives your SPF policy its enforcement power.

Understanding the 'all' qualifiers

The all mechanism is not used alone; it is paired with a qualifier that dictates the policy. There are four possible qualifiers:

  • -all (Fail): This is a hard fail. It provides a strong instruction to receiving servers to reject any email from a sender not listed in your SPF record. This is the recommended setting for a secure and fully enforced policy.
  • ~all (SoftFail): This is a soft fail. It tells the receiving server that the email comes from an unapproved source and is likely spam, but it doesn't strictly command it to be rejected. The receiving server might deliver it to the spam folder or subject it to further scrutiny. This is often used when you are not yet fully confident in your SPF configuration.
  • +all (Pass): This qualifier means that any sender, listed or not, is authorized to send email for your domain. Using +all renders your SPF record useless and can even be harmful as it gives a green light to phishers. It should never be used.
  • ?all (Neutral): This means you are taking no position on whether the sender is legitimate. The result is similar to not having an SPF record at all. It is not recommended for enforcement.
DuoCircle says:
If the SPF record is set up perfectly correctly, the use of the '-all' tag is acceptable. Any fraudulent email that does not pass SPF will face rejection.

Which qualifier should I use?

For the strongest protection against spoofing, you should aim to use -all (Fail). This clearly tells the world's mail servers to reject unauthorized email claiming to be from you.

However, if you are not 100% sure that you have listed every legitimate sending service, you might start with ~all (SoftFail). This provides some protection while reducing the risk of legitimate emails being rejected due to a configuration error. Once you are confident your record is complete, you should switch to -all.

What happens if I don't include an 'all' mechanism?

If your SPF record does not contain an all mechanism, and an email is received from an IP address not covered by any other mechanism, the default result is Neutral. A Neutral result provides no clear signal to the receiving server, and the email will likely be delivered as if SPF did not exist.

postale.io says:
... SPF record with an a mechanism on the DNS for that server domain). Finally, always use an all mechanism at the end. As qualifier it is...

In short, omitting the all mechanism undermines the entire purpose of SPF. It is a critical component for creating an effective policy that protects your domain from being used in phishing and spoofing attacks. As noted by experts at Post SMTP, you should always include -all or ~all at the end of your record.
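
A small linter for the rules described above, added here as an example (it is not code from Suped or any of the quoted sites). It goes slightly beyond the page on two points taken from RFC 7208: an all written without a qualifier is treated as +all, and a record that relies on redirect= hands the decision to the target record instead of using all. The function name audit_spf and the sample records are constructed for illustration.

```python
import re

# SPF result produced when evaluation reaches "all", keyed by its qualifier.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def audit_spf(record):
    """Return (default_result, findings) for one SPF TXT record string.

    default_result is what a sender matching no earlier mechanism gets;
    it is None when that decision is handed to a redirect= target.
    """
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return None, ["not an SPF record: must start with v=spf1"]
    findings = []
    # Position of the first "all" mechanism, with or without a qualifier.
    idx = next((i for i, t in enumerate(terms)
                if re.fullmatch(r"[+\-~?]?all", t)), None)
    if idx is None:
        if any(t.startswith("redirect=") for t in terms):
            return None, findings  # policy comes from the redirect target
        findings.append("no 'all' mechanism: unlisted senders get neutral")
        return "neutral", findings
    # A missing qualifier means "+", so a bare "all" is the same as "+all".
    qualifier = terms[idx][0] if terms[idx][0] in RESULT else "+"
    default = RESULT[qualifier]
    if default == "pass":
        findings.append("'%s' authorizes every sender" % terms[idx])
    elif default == "neutral":
        findings.append("'?all' takes no position: no enforcement")
    # Evaluation stops at "all"; only an exp= modifier still has an effect.
    dead = [t for t in terms[idx + 1:] if not t.startswith("exp=")]
    if dead:
        findings.append("never evaluated after 'all': " + " ".join(dead))
    return default, findings


# Constructed sample records (documentation address ranges and domains).
SAMPLES = [
    "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "v=spf1 mx ip4:192.0.2.10",
    "v=spf1 mx all",
    "v=spf1 -all ip4:198.51.100.7",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", audit_spf(rec))
```

An empty findings list with a default of fail or softfail is the state the article recommends; anything else is worth reviewing before the record is published.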
