The SPF qualifier that denotes a "hard fail" is the hyphen symbol (-). When you see -all at the end of an SPF record, it’s an explicit instruction to receiving mail servers about how to handle emails that fail the check. It's the strongest signal you can send.
This instruction tells the server to reject any email claiming to be from your domain that doesn't originate from an IP address you've approved in your record. As SimpleDMARC notes, this means messages that do not match the SPF record will be rejected. This is a crucial part of preventing email spoofing and protecting your domain's reputation.
The all term in an SPF record is a mechanism that matches every sender, which is why it is placed last. The character immediately before it is the qualifier, which tells the receiving server what result to return when that catch-all match occurs. There are four main qualifiers you can use.
Using a hard fail (-all) is the most effective way to use SPF to prevent unauthorized use of your domain. By instructing servers to reject non-compliant mail, you close the door on phishers and spammers trying to impersonate your brand.
This strong policy not only protects others from receiving fraudulent emails but also helps protect your own email deliverability. When mailbox providers see you have a strict policy, it builds trust in your domain. However, it is critical to ensure your SPF record is completely accurate before implementing a hard fail. As Pair Networks explains, an incomplete list of sending IPs could lead to legitimate emails being rejected.
While a hard fail is the end goal for maximum security, a soft fail (~all) has its place. It is primarily a transitional tool. When you first set up SPF or add a new email service, you might not be 100% sure you have listed every single sending IP address.
Using ~all allows you to monitor DMARC reports to see what sources are failing SPF checks without immediately causing those emails to be rejected. It acts as a safety net. As noted by some experts, you can use a soft fail while you identify all authorized servers. Once you are confident that your SPF record is complete, you should switch to a hard fail (-all) for full protection.
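To make the qualifier behaviour concrete, here is a small offline SPF evaluator written for this article (it is an added example, not code from the original page or from any vendor named in it). It parses a record, checks the sender IP against ip4 and ip6 mechanisms, and returns the result that the qualifier on the matching term dictates, so the same non-listed sender yields "fail" under -all and "softfail" under ~all. The qualifier-to-result mapping follows RFC 7208; the include, a and mx mechanisms require DNS and are deliberately treated as non-matching here, which is an assumption of this example rather than how a real receiver behaves.

```python
import ipaddress

# Qualifier -> SPF result, per RFC 7208 section 4.6.2.
# "+" is the default when a term carries no qualifier.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms.

    Modifiers such as redirect= and exp= contain "=" and are skipped,
    since this example only evaluates mechanisms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:
            continue  # modifier, not a mechanism
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        # partition() splits at the first ":" only, so IPv6 arguments survive.
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def evaluate(record, sender_ip):
    """Return the SPF result for sender_ip against record.

    Only ip4, ip6 and all are evaluated. include/a/mx/exists/ptr need DNS
    lookups and are treated as non-matching in this offline example
    (an assumption, not the behaviour of a real receiver)."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_record(record):
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "all":
            # "all" matches every sender; its qualifier decides the outcome.
            return QUALIFIERS[qualifier]
    # No mechanism matched and no "all" term: RFC 7208 default is neutral.
    return "neutral"


def terminal_policy(record):
    """Describe the catch-all policy of a record, if it has one."""
    names = {"-": "hard fail", "~": "soft fail", "?": "neutral", "+": "pass-all"}
    for qualifier, mech, _ in parse_record(record):
        if mech == "all":
            return names[qualifier]
    return "no all term (defaults to neutral)"


if __name__ == "__main__":
    # Constructed sample records using documentation address ranges.
    strict = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
    lenient = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"
    for rec in (strict, lenient):
        print(rec, "->", terminal_policy(rec))
        for sender in ("192.0.2.10", "198.51.100.7", "2001:db8::1"):
            print("  ", sender, evaluate(rec, sender))
```

Running the block shows the practical difference the article describes: an approved address passes under both records, while an address missing from the record is rejected outright under -all but only marked softfail under ~all, which is what lets DMARC reports surface the gap before any mail is lost.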
To summarize, the SPF qualifier for a hard fail is the dash (-), most commonly seen as -all. It is a powerful signal to receiving mail servers to reject unauthenticated mail, offering the best protection against domain spoofing. While a soft fail (~all) is useful during setup and auditing, the ultimate goal for a secure email posture is to implement a hard fail. Just be sure all your legitimate sending services are correctly listed in your record first.