What is the effect of an SPF record with no 'all' mechanism?

When setting up email authentication, I often see people get tangled up in the details of their SPF records. SPF, or Sender Policy Framework, is a fundamental building block for protecting your domain from spoofing and phishing attacks. It's essentially a public list of the servers you’ve authorized to send email on your behalf. But a common and critical mistake I see is an SPF record that's missing its final, and arguably most important, component: the 'all' mechanism.

Understanding SPF and the 'all' mechanism

An SPF record is a simple line of text in your domain's DNS settings. When an email server receives a message claiming to be from your domain, it looks up this record. The server then checks if the sending IP address is on your authorized list. The 'all' mechanism acts as the final rule in this check, telling the receiving server what to do with emails from sources not on your list.

Spotler puts it nicely, stating that the 'all' mechanism "closes off the SPF record. It defines what to do with IP addresses that are not mentioned in the SPF record…". This is the default case for everything that hasn't already matched.

There are a few variations of the 'all' mechanism, each with a different instruction:

  • -all (Fail): This is a hard fail. It tells receiving servers to reject any email that doesn't come from an IP address explicitly listed in your SPF record. It's the most secure option.
  • ~all (Soft Fail): This is a soft fail. It suggests that the email might not be legitimate, but the receiving server should accept it and subject it to extra scrutiny, like marking it as spam.
  • +all (Pass): This is extremely dangerous and should never be used. It essentially authorizes any server on the internet to send email from your domain, completely defeating the purpose of SPF.
  • ?all (Neutral): This means you are taking no position on the validity of the sending source. The email will be accepted.

What happens when 'all' is missing?

Every SPF record should end with an 'all' mechanism. So, what happens when it doesn't? If an email is sent from a source not listed in your SPF record and there's no 'all' mechanism to provide a final instruction, the check doesn't explicitly pass or fail.

The Pair Networks knowledge base describes the evaluation order this way: "When a server checks the SPF record, it checks each entry in order. If no part results in a pass or fail, the result will be marked as neutral."

The result is 'Neutral'. This is the same outcome as using the ?all mechanism. In this scenario, you're not asserting whether the email is legitimate or not. The receiving server is left to make its own decision without a clear policy from you. This effectively renders your SPF record incomplete and much less effective.

Why this is a risk for your domain

Leaving out the 'all' mechanism might seem like a small omission, but it has significant consequences for your email security and deliverability. A 'Neutral' result is a weak signal. While it's better than nothing, it doesn't provide the protection that a properly configured SPF record offers.

The biggest issue arises when you consider DMARC. For SPF to satisfy a DMARC check, SPF must both pass and be aligned (meaning the domain in the 'From' header matches the domain in the return-path). An SPF result of 'Neutral' is not a 'Pass', so SPF cannot contribute a DMARC pass for that message; unless an aligned DKIM signature verifies, DMARC fails. This means you lose out on the powerful anti-spoofing and reporting capabilities of DMARC.

Correcting your SPF record

The fix is simple: ensure your SPF record always concludes with an 'all' mechanism. A complete and valid SPF record looks something like this:

v=spf1 include:suped.com -all

For the best protection, I strongly recommend using -all. This provides a clear, unambiguous instruction to receiving mail servers to reject unauthorized mail. While ~all is a valid choice, especially when you are first setting up SPF and are unsure if you've listed all your sending sources, the end goal should always be to move to -all for maximum security. An incomplete SPF record is a job half-done, leaving your domain exposed and undermining your other email authentication efforts.
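To make the neutral-result behaviour concrete, here is a small SPF evaluator written as an added example for this article (it is not Suped's code, nor a library you should use in production). It models only the ip4, ip6, include and all mechanisms from RFC 7208, reads records from a constructed in-memory table instead of performing DNS TXT lookups, and applies the strict alignment rule described above when combining the SPF result with DMARC. The domains and IP addresses are constructed from the documentation ranges; the record for example.com is the broken case, with no 'all', and fix_record shows the correction from the section above.

```python
"""Toy SPF evaluator (added example, not Suped's or any library's code).

It models just enough of RFC 7208's check_host() to show what a missing
'all' mechanism does: ip4, ip6, include and all. Records come from a
constructed in-memory table instead of live DNS TXT lookups.
"""
import ipaddress

# Constructed DNS table (assumption: stands in for real TXT lookups).
FAKE_DNS = {
    # The problem case from the article: no 'all' at the end of the record.
    "example.com": "v=spf1 include:spf.example.net",
    "spf.example.net": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, sender_ip, dns=FAKE_DNS, depth=0):
    """Return the SPF result for sender_ip claiming to send as domain.

    Possible results: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                        # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = dns.get(domain.lower())
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        qualifier = "+"                   # an unqualified mechanism means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            # 'all' always matches: it is the record's final verdict.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only if the referenced record yields 'pass';
            # a neutral result inside the include is NOT a match.
            if evaluate_spf(arg, sender_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, exists and modifiers are not modelled; treated as no match

    # No mechanism matched and no 'all' closed the record:
    # RFC 7208 section 4.7 says check_host() returns neutral.
    return "neutral"


def dmarc_spf_passes(spf_result, header_from, envelope_from):
    """SPF contributes a DMARC pass only if it passed AND is aligned.

    Strict alignment (exact domain match) is modelled, as the article
    describes it; relaxed alignment on the organizational domain is not.
    """
    return spf_result == "pass" and header_from.lower() == envelope_from.lower()


def fix_record(record, all_mechanism="-all"):
    """Append an 'all' mechanism to a record that lacks one."""
    terms = record.split()
    if any(t.lstrip("+-~?").lower() == "all" for t in terms):
        return record
    return " ".join(terms + [all_mechanism])


if __name__ == "__main__":
    authorized = "203.0.113.10"   # inside the included ip4 range
    rogue = "198.51.100.7"        # constructed unauthorized sender
    print(evaluate_spf("example.com", authorized))    # pass
    print(evaluate_spf("example.com", rogue))         # neutral: no 'all'
    fixed = dict(FAKE_DNS)
    fixed["example.com"] = fix_record(FAKE_DNS["example.com"])
    print(fixed["example.com"])                       # v=spf1 include:spf.example.net -all
    print(evaluate_spf("example.com", rogue, fixed))  # fail: -all in place
    print(dmarc_spf_passes("neutral", "example.com", "example.com"))  # False
```

Run it and the rogue sender gets "neutral" against the original record and "fail" once -all is appended (or "softfail" with ~all). The include branch also shows a second-order version of the same problem: if a record you include lacks its own 'all', its neutral result never counts as a match for your record either.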
