When setting up your email authentication, you'll eventually come to Sender Policy Framework, or SPF. This protocol is a fundamental part of securing your domain against email spoofing. At its core, SPF allows you to publicly declare which mail servers are authorized to send email on behalf of your domain. A receiving mail server can then check this record to verify that an incoming email is from an authorized source.
A crucial part of any SPF record is the final instruction that tells receiving servers what to do with emails from sources not listed in your record. This is where you explicitly deny all other senders. To do this, you must use the "Fail" mechanism, which is written as -all.
The -all tag is an instruction to receiving mail servers. It tells them that any email claiming to be from your domain, but sent from an IP address not authorized in your SPF record, should be rejected. This is often referred to as a "HardFail".
Using this mechanism is a clear, unambiguous signal that you have a strict policy and that unauthorized mail should not be delivered. This is the strongest signal you can send and is the recommended setting for a secure email configuration.
Understanding SPF qualifiers
The all mechanism is always used with a qualifier prefix. The hyphen in -all is the qualifier. There are four possible qualifiers:
- + (Pass): This is the default. It means the sender is authorized. You'll rarely see it written explicitly.
- - (Fail): This is a hard fail. The email should be rejected. This is the mechanism to explicitly deny unauthorized senders.
- ~ (SoftFail): This is a soft fail. The email should be accepted but marked as suspicious. It's often used during a testing phase before moving to a stricter policy.
- ? (Neutral): The domain owner makes no assertion about the IP address. This is treated as if there is no SPF record at all.
Why use -all instead of ~all?
While ~all (SoftFail) might seem like a safer option, it provides significantly less protection. A SoftFail suggests that while the message is probably not legitimate, the receiving server should still accept it, perhaps placing it in the spam folder. Attackers can exploit this leniency.
Using -all provides a clear directive to reject unauthorized mail. When combined with DMARC, a -all policy helps ensure that only legitimate emails reach the inbox, protecting your brand's reputation and your recipients from phishing attacks.
Example SPF record
A typical SPF record starts with v=spf1, followed by the authorized sending mechanisms (like a, mx, or include), and must end with an all mechanism.
Here is an example that authorizes Google Workspace and ends with an explicit denial for all other senders:
v=spf1 include:_spf.google.com -all
In summary, to explicitly deny all senders not authorized by your SPF record, you should always end your record with the -all mechanism. It's the most effective way to leverage SPF for protecting your domain.
What does a '~all' mechanism in SPF signify?
What SPF mechanism allows for IP addresses?
What SPF mechanism includes the A records of a domain?
What SPF qualifier allows mail but marks it as suspicious?
What SPF mechanism includes the MX records of a domain?
What SPF mechanism includes the IP addresses of the sending domain?
