It's a common point of confusion when setting up email authentication. The short answer is no, the all mechanism in an SPF record doesn't automatically mean a hard fail. The action taken depends entirely on the qualifier that comes just before it. The all part is simply a catch-all that applies to any sending IP address not explicitly listed in your record.
Think of the qualifier as an instruction to the receiving email server. It tells the server how strictly it should treat emails from sources not on your authorized list. Let's break down what each qualifier does.
An SPF record is made up of mechanisms, which define who is allowed to send email on your behalf, and qualifiers, which specify what to do if a mechanism matches. The ‘all’ mechanism is special because it always matches. It's used at the end of the record to provide a default policy for all senders not previously matched by other mechanisms. There are four possible qualifiers:
+ (pass): the sender is authorized; this is the default when no qualifier is written, so +all would authorize every IP on the internet.
- (fail): the sender is not authorized and the message should be rejected.
~ (softfail): the sender is probably not authorized; the message should be accepted but marked or treated with suspicion.
? (neutral): no assertion is made either way, which is effectively the same as having no policy.
When you use -all in your SPF record, you are implementing what's known as a "hard fail". This is a very explicit instruction to receiving mail servers.
This tells the world that any email claiming to be from your domain, but sent from an IP address not listed in your record, is fraudulent and should be rejected outright. Using -all provides the strongest protection against spoofing and is the recommended setting for domains that are confident in their SPF record's completeness.
On the other hand, using ~all creates a "soft fail". This is a more lenient policy.
Instead of demanding rejection, a soft fail signals that the email is suspicious and should likely be delivered to the recipient's spam folder. It's often used when you are first setting up an SPF record or are unsure if you have listed all your legitimate sending sources. It allows you to test your configuration without the risk of legitimate emails being blocked.
It's important to remember that SPF doesn't work in a vacuum. A DMARC record tells receiving servers how to handle emails that fail both the SPF and DKIM checks. Even if you use a soft fail (~all), your DMARC policy can escalate the action. If your DMARC policy is set to quarantine (p=quarantine) or reject (p=reject), a soft fail in SPF still counts as an SPF failure for DMARC purposes, so unless DKIM passes the message will be quarantined or rejected accordingly. The final decision is always up to the receiving server, but a DMARC record provides a much stronger signal for what you, the domain owner, want to happen.
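To make the qualifier semantics and the DMARC escalation concrete, here is an added worked example (not code from the original answer or from any SPF library). It is a deliberately simplified evaluator: it understands ip4/ip6 mechanisms and the all catch-all, skips include/a/mx because those need DNS lookups, and then applies a DMARC policy to the SPF result. The record, IP addresses and policies are constructed sample values.

```python
import ipaddress

# Qualifier prefix -> SPF result name (RFC 7208 terminology).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample record for demonstration; 192.0.2.0/24 and 2001:db8::/32
# are documentation ranges, not real sending infrastructure.
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result for sender_ip against a simplified SPF record.

    Supports ip4/ip6 mechanisms (with optional CIDR) and the `all` catch-all.
    Mechanisms that need DNS (include, a, mx) are skipped in this example.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all

    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # no explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()

        if name == "all":
            # `all` always matches: the qualifier in front of it decides
            # what happens to every sender not matched earlier.
            return QUALIFIERS[qualifier]

        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        # include/a/mx would need DNS resolution; ignored here on purpose.

    # No `all` term and nothing matched: RFC 7208 says the result is neutral.
    return "neutral"


def dmarc_disposition(spf_result: str, spf_aligned: bool,
                      dkim_pass_aligned: bool, policy: str) -> str:
    """Apply a DMARC policy (p=none/quarantine/reject) to the auth results.

    DMARC passes if SPF passes with an aligned domain OR DKIM passes with an
    aligned domain. Anything other than a strict SPF "pass" (including
    softfail) is an SPF failure for DMARC, which is how ~all gets escalated.
    """
    spf_pass = spf_result == "pass" and spf_aligned
    if spf_pass or dkim_pass_aligned:
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.7", "2001:db8::1"):
        result = evaluate_spf(SAMPLE_RECORD, sender)
        disposition = dmarc_disposition(result, True, False, "reject")
        print(f"{sender:>16}  spf={result:<8}  dmarc(p=reject)={disposition}")
```

Running it shows the point of the answer: the same unlisted IP gets softfail under ~all and fail under -all, and once a p=reject DMARC policy is in place, the softfail is rejected just as the hard fail would be (unless DKIM rescues the message).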
The choice between ~all and -all depends on your confidence in your SPF setup. A common best practice, as noted in a Spiceworks community discussion, is to start with a soft fail (~all) to monitor the results (ideally with DMARC reporting). Once you've confirmed that all your legitimate mail streams are passing SPF checks, you should switch to a hard fail (-all) for maximum security.
In summary, while the all mechanism is a crucial part of any SPF record, it doesn't have a single, fixed meaning. It's the qualifier—specifically the hyphen in -all—that signals a hard fail and instructs servers to reject unauthorized mail.