Suped

What SPF qualifier denotes a hard fail?

The SPF qualifier that denotes a "hard fail" is the hyphen symbol (-). When you see -all at the end of an SPF record, it’s an explicit instruction to receiving mail servers about how to handle emails that fail the check. It's the strongest signal you can send.

AutoSPF says:
HardFail is set by ending your SPF record with -all, which clearly states that only servers that you have explicitly specified are allowed to send emails on behalf of your domain.

This instruction tells the server to reject any email claiming to be from your domain that doesn't originate from an IP address you've approved in your record. As SimpleDMARC notes, this means messages that do not match the SPF record will be rejected. This is a crucial part of preventing email spoofing and protecting your domain's reputation.


The different SPF qualifiers

The all part of an SPF record is a mechanism that matches every sender. The character immediately before it is the qualifier, which tells the receiving server how to treat that match. There are four qualifiers you can use.

  • - Fail (Hard Fail): The sending IP is not authorized. The email should be rejected outright. This is a definitive failure.
  • ~ Soft Fail: The sending IP is likely not authorized. The receiving server should accept the email but may mark it as suspicious or place it in the spam folder.
  • ? Neutral: The SPF record does not explicitly state whether the IP is authorized. The result is treated as if there were no SPF policy.
  • + Pass: The sending IP address is authorized. Emails from this IP will pass the SPF check. This is also the default qualifier if none is specified.
Search Security says:
The dash ( - ), or hard fail, indicates that matching this mechanism means the email fails authentication. The tilde ( ~ ), or soft fail, indicates that matching this mechanism means the email is a probable failure.
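
How a receiver reads these qualifiers, as an added example that is not part of the original page: the function splits a record into its directives, applies the default + qualifier, and reports what the all term asks for. It goes slightly beyond the text by also covering records with no all term or with a redirect= modifier; the names parse_spf and SAMPLES and the sample records are constructed for illustration.

```python
# Added example, not from the original page: read the qualifiers in an SPF record.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return (directives, policy) for one SPF TXT record string.

    directives: (qualifier, mechanism_text, result) tuples in evaluation order.
    policy: the result unlisted senders get, taken from the qualifier on all;
    "redirect" if the record delegates instead, "neutral" if it has neither.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    directives, redirect = [], False
    for term in terms[1:]:
        # A modifier (redirect=, exp=) has "=" before any ":" or "/" and no qualifier.
        head = term.split(":", 1)[0].split("/", 1)[0]
        if "=" in head:
            redirect = redirect or head.lower().startswith("redirect=")
            continue
        # The qualifier is optional; a bare mechanism defaults to "+" (pass).
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        directives.append((qualifier, body, QUALIFIERS[qualifier]))
        if head.lstrip("+-~?").lower() == "all":
            # all matches every sender, so terms after it are never evaluated.
            return directives, QUALIFIERS[qualifier]
    return directives, "redirect" if redirect else "neutral"


# Constructed sample records (documentation-only names and addresses).
SAMPLES = {
    "hard fail": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "soft fail": "v=spf1 mx ~all",
    "implicit pass": "v=spf1 a all",
    "no all": "v=spf1 ip4:198.51.100.7",
    "all mid-record": "v=spf1 mx -all ip4:203.0.113.9",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        directives, policy = parse_spf(record)
        print(f"{label}: unlisted senders -> {policy}; {len(directives)} directives evaluated")
```

The "implicit pass" and "all mid-record" samples are the two cases worth checking for in a real record: a bare all authorizes every sender, and anything written after all has no effect.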

Why should I use a hard fail?

Using a hard fail (-all) is the most effective way to use SPF to prevent unauthorized use of your domain. By instructing servers to reject non-compliant mail, you close the door on phishers and spammers trying to impersonate your brand.

Skysnag says:
The mail receiver would reject any emails from hosts not mentioned in the SPF record if you decided to use the “hard fail” qualifier. Simply said, any emails sent from hosts that are not in your SPF record will be discarded.

This strong policy not only protects others from receiving fraudulent emails but also helps protect your own email deliverability. When mailbox providers see you have a strict policy, it builds trust in your domain. However, it is critical to ensure your SPF record is completely accurate before implementing a hard fail. As Pair Networks explains, an incomplete list of sending IPs could lead to legitimate emails being rejected.

When to use a soft fail instead

While a hard fail is the end goal for maximum security, a soft fail (~all) has its place. It is primarily a transitional tool. When you first set up SPF or add a new email service, you might not be 100% sure you have listed every single sending IP address.

Using ~all allows you to monitor DMARC reports to see what sources are failing SPF checks without immediately causing those emails to be rejected. It acts as a safety net. As noted by some experts, you can use a soft fail while you identify all authorized servers. Once you are confident that your SPF record is complete, you should switch to a hard fail (-all) for full protection.
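
One way to do that monitoring, as an added example that is not part of the original page: the code below reads a DMARC aggregate report and lists the source IPs whose mail did not pass SPF, busiest first. The report is a constructed sample trimmed to the elements the code reads, with no XML namespace assumed; spf_failures and review_queue are illustrative names.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report (documentation-only addresses and domains).
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>14</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>6</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>3</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
  </record>
</feedback>"""


def spf_failures(report_xml):
    """Map each source IP to a Counter of non-pass SPF results, weighted by message count."""
    failing = {}
    # Reports come from outside parties: use a hardened XML parser on real input.
    for record in ET.fromstring(report_xml).iter("record"):
        ip = record.findtext("row/source_ip", default="").strip()
        count = int(record.findtext("row/count", default="0"))
        result = record.findtext("auth_results/spf/result", default="none").strip().lower()
        if result != "pass":
            failing.setdefault(ip, Counter())[result] += count
    return failing


def review_queue(report_xml):
    """Sources to check before moving from ~all to -all, busiest first."""
    totals = {ip: sum(c.values()) for ip, c in spf_failures(report_xml).items()}
    return sorted(totals.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for ip, messages in review_queue(SAMPLE_REPORT):
        print(f"{ip}: {messages} messages did not pass SPF")
```

Each address in the queue is either a legitimate service missing from the record or a source that -all is meant to stop; the switch to a hard fail is safe once only the second kind remains.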

Final thoughts

To summarize, the SPF qualifier for a hard fail is the dash (-), most commonly seen as -all. It is a powerful signal to receiving mail servers to reject unauthenticated mail, offering the best protection against domain spoofing. While a soft fail (~all) is useful during setup and auditing, the ultimate goal for a secure email posture is to implement a hard fail. Just be sure all your legitimate sending services are correctly listed in your record first.
