Suped

What SPF mechanism should be used to explicitly deny all other senders?

When setting up your email authentication, you'll eventually come to Sender Policy Framework, or SPF. This protocol is a fundamental part of securing your domain against email spoofing. At its core, SPF allows you to publicly declare which mail servers are authorized to send email on behalf of your domain. A receiving mail server can then check this record to verify that an incoming email is from an authorized source.

WhatIsMyIP.com® says:
SPF stands for Sender Policy Framework. It refers to an email authentication method used to detect email spoofing. SPF relies on domain name system (DNS) ...

A crucial part of any SPF record is the final instruction that tells receiving servers what to do with emails from sources not listed in your record. This is where you explicitly deny all other senders. To do this, you must use the all mechanism with the "Fail" qualifier, which is written as -all.

The -all tag is an instruction to receiving mail servers. It tells them that any email claiming to be from your domain, but sent from an IP address not authorized in your SPF record, should be rejected. This is often referred to as a "HardFail".

AutoSPF says:
HardFail is set by ending your SPF record with -all, which clearly states that only servers that you have explicitly specified are allowed to send emails on your behalf.

Using this mechanism is a clear, unambiguous signal that you have a strict policy and that unauthorized mail should not be delivered. This is the strongest signal you can send and is the recommended setting for a secure email configuration.


Understanding SPF qualifiers

The all mechanism is always used with a qualifier prefix. The hyphen in -all is the qualifier. There are four possible qualifiers:

  • + (Pass): This is the default. It means the sender is authorized. You'll rarely see it written explicitly.
  • - (Fail): This is a hard fail. The email should be rejected. This is the qualifier to use to explicitly deny unauthorized senders.
  • ~ (SoftFail): This is a soft fail. The email should be accepted but marked as suspicious. It's often used during a testing phase before moving to a stricter policy.
  • ? (Neutral): The domain owner makes no assertion about the IP address. This is treated as if there is no SPF record at all.

Spiceworks Community says:
The tilde (~all) is a soft fail from any IP not listed, an explicit deny would be a -all from any IP not listed. Mechanisms can be prefixed...

Why use -all instead of ~all?

While ~all (SoftFail) might seem like a safer option, it provides significantly less protection. A SoftFail suggests that while the message is probably not legitimate, the receiving server should still accept it, perhaps placing it in the spam folder. Attackers can exploit this leniency.

EmailAuth says:
The -all mechanism, on the other hand, is a “hard fail” mechanism. This means that email providers will reject any emails that come from IP addresses that are not listed in the SPF record...

Using -all provides a clear directive to reject unauthorized mail. When combined with DMARC, a -all policy helps ensure that only legitimate emails reach the inbox, protecting your brand's reputation and your recipients from phishing attacks.

Example SPF record

A typical SPF record starts with v=spf1, followed by the authorized sending mechanisms (like a, mx, or include), and must end with an all mechanism.

Here is an example that authorizes Google Workspace and ends with an explicit denial for all other senders:

v=spf1 include:_spf.google.com -all
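
To audit which of the four qualifiers a record actually ends with, the following added example (not code from the original page) parses an SPF record and reports its all policy, including two cases the qualifier list does not cover: mechanisms placed after all, which RFC 7208 says are ignored, and a record with no all term, which defaults to Neutral. The names all_policy and is_modifier are hypothetical, and every sample record except the Google Workspace one is constructed.

```python
# Added example (not from the original page): audit the terminating "all" term.
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def is_modifier(term):
    # Modifiers look like name=value (redirect=, exp=); mechanisms use ":" or "/".
    head = term.split(":", 1)[0].split("/", 1)[0]
    return "=" in head

def all_policy(record):
    """Return (qualifier, result, warnings) for the record's `all` mechanism.

    qualifier and result are None when the record has no `all` term.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    warnings = []
    for pos, term in enumerate(terms[1:], start=1):
        if is_modifier(term):
            continue
        # A missing qualifier defaults to "+" (Pass).
        qualifier, name = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if name.lower() != "all":
            continue
        ignored = [t for t in terms[pos + 1:] if not is_modifier(t)]
        if ignored:
            warnings.append("mechanisms after all are never evaluated: " + " ".join(ignored))
        if qualifier != "-":
            warnings.append(f"{qualifier}all gives {QUALIFIERS[qualifier]}, not an explicit deny")
        return qualifier, QUALIFIERS[qualifier], warnings
    if any(t.lower().startswith("redirect=") for t in terms[1:]):
        warnings.append("no all term: policy comes from the redirect= target")
    else:
        warnings.append("no all term: unmatched senders get Neutral, as with ?all")
    return None, None, warnings

# Constructed sample records; only the first appears on the page.
SAMPLES = [
    "v=spf1 include:_spf.google.com -all",
    "v=spf1 mx ~all",
    "v=spf1 -all ip4:192.0.2.10",
    "v=spf1 include:_spf.google.com",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", all_policy(rec))
```

An empty warnings list together with the "-" qualifier is the only outcome that matches the explicit-deny policy described here.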

In summary, to explicitly deny all senders not authorized by your SPF record, you should always end your record with the -all mechanism. It's the most effective way to leverage SPF for protecting your domain.
