Suped

What SPF qualifier allows mail but marks it as suspicious?

The short answer is the ~all qualifier, often called a "SoftFail". When a receiving mail server checks your domain's SPF record and finds that the sending IP is not on the list, the ~all mechanism tells the server to accept the email but mark it as suspicious. This is different from a "HardFail" (-all), which instructs the server to reject the message outright.

Sender Policy Framework (SPF) is a fundamental email authentication protocol. It allows domain owners to publish a list of authorized IP addresses that can send email on their behalf. When an email is received, the recipient's mail server can check this list to verify the sender's authenticity, helping to prevent email spoofing and phishing.

Sendmarc says:
~all: Softfail (the email is accepted but marked as suspicious if it doesn't match any mechanism)

Understanding SPF qualifiers

An SPF record is made up of mechanisms and qualifiers. The mechanisms define which servers are allowed to send mail, while the qualifiers tell the receiving server what to do if an email comes from a server not on the list. The most important mechanism is the all mechanism, which is always placed at the end of the record and acts as a default catch-all. The character preceding all is the qualifier. Here’s a breakdown:

  • +all (Pass): This qualifier means any sender is authorized. It's an insecure configuration that essentially renders SPF useless and should not be used.
  • -all (Fail or HardFail): This is a strict instruction to reject any email that doesn't match the SPF record. It provides the strongest protection against spoofing once you are confident all legitimate sending sources are listed.
  • ~all (SoftFail): This tells the receiving server to accept the email but mark it as suspicious or place it in the spam folder. It’s a less strict policy, often used when you are not yet certain you’ve included all your sending IPs in the record.
  • ?all (Neutral): This indicates you have no specific policy and are leaving the decision to the receiving server. It offers no protection and is generally not recommended.
DuoCircle says:
Prefixing the 'all' tag using the '~' (tilde) qualifier, in the form '~all,' allows the incoming mail server to treat the email as suspicious, which results in the email being sent to the spam or junk folder.

When should you use a SoftFail?

The primary use for a SoftFail (~all) is as a transitional step. When you first implement SPF, it can be difficult to identify every single service and server that sends email on your domain's behalf. Using ~all allows you to start the authentication process without the risk of legitimate emails being outright rejected. As stated by GoDMARC, a SoftFail allows the sender to receive feedback on authentication failures, which is invaluable during the setup phase.

The goal is to eventually move to a HardFail (-all) for maximum security. A SoftFail should be seen as a temporary measure while you gather data and refine your SPF record.

How DMARC changes the equation

It's crucial to understand that SPF qualifiers are essentially suggestions to the receiving mail server. The server can choose to follow the suggestion or handle the email differently. This is where DMARC (Domain-based Message Authentication, Reporting, and Conformance) comes in.

Octeth says:
DMARC is a critical component of email authentication because it gives you more control over your email security and reputation. By setting a DMARC policy, you tell receiving email servers how to handle emails that fail SPF or DKIM checks.

DMARC allows you, the domain owner, to specify exactly what should happen to emails that fail SPF or DKIM checks. A DMARC policy of p=quarantine or p=reject will override the SoftFail suggestion. For example, if your SPF record has ~all but your DMARC policy is set to p=reject, an email that fails the SPF check will be rejected. This makes DMARC an essential part of a complete email authentication strategy, working alongside SPF and DKIM to secure your domain.
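The qualifier breakdown and the DMARC interaction described above, as an added Python example that is not code from this page or from any of the quoted vendors. It evaluates only the ip4, ip6 and all mechanisms; the sample record, the function names and the simplified receiver model (SPF alignment assumed, no aligned DKIM pass unless stated) are assumptions made for illustration.

```python
import ipaddress

# Qualifier character -> SPF result; a mechanism with no qualifier defaults to "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample record (documentation address ranges, not from the page).
RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"

def spf_result(record: str, sender_ip: str) -> str:
    """Evaluate the ip4/ip6/all subset of SPF left to right; first match wins.
    Other mechanisms (include, a, mx, ...) need DNS and are skipped here."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = mech.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"

def receiver_action(spf: str, dmarc_policy: str = "none",
                    dkim_aligned_pass: bool = False) -> str:
    """Simplified receiver model (assumption): follow the SPF suggestion unless
    DMARC fails and the domain's policy is quarantine or reject."""
    dmarc_pass = spf == "pass" or dkim_aligned_pass  # SPF alignment assumed
    if not dmarc_pass and dmarc_policy in ("quarantine", "reject"):
        return dmarc_policy
    return {"pass": "accept", "softfail": "accept, mark suspicious",
            "fail": "reject"}.get(spf, "accept")

if __name__ == "__main__":
    for ip in ("192.0.2.25", "203.0.113.9"):
        result = spf_result(RECORD, ip)
        for policy in ("none", "quarantine", "reject"):
            print(ip, result, f"p={policy}", "->", receiver_action(result, policy))
```

The `dkim_aligned_pass` parameter is there because DMARC passes when either SPF or DKIM passes with alignment, so the p=reject outcome for an SPF softfail applies to mail that has no aligned DKIM pass.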
