The Sender Policy Framework (SPF) qualifier that denotes a neutral result is the question mark (?). When you see ?all in an SPF record, it means the domain owner is making no specific assertion about whether an IP address is authorized to send email on their behalf. It's essentially a statement of neutrality.
SPF itself is an email authentication method designed to prevent email spoofing by allowing domain owners to specify which mail servers are authorized to send email for their domain. Qualifiers are the prefixes applied to SPF mechanisms (like a, mx, or include) that tell receiving mail servers how to treat a message that matches the mechanism.
What an SPF neutral result means
A neutral result is not a pass, fail, or softfail. Instead, it signifies that the domain owner doesn't want to declare whether the sending IP is legitimate or not. The official RFC 7208 for SPF defines it as an explicit statement of non-assertion.
This means that even if an email comes from an IP address not listed in the SPF record, the ?all qualifier instructs the receiving server to treat the result as undetermined. As DuoCircle puts it, this is for when a domain owner doesn't want to assert the validity of a sending IP. Consequently, most receiving systems won't block or mark the email as spam based on the SPF result alone, though they may apply other security checks.
Why would you use the neutral qualifier?
Using a neutral qualifier is generally not recommended for a final, secure configuration, but it can be useful in specific scenarios. For instance, a domain administrator might use ?all during the initial setup or testing phase of their SPF record. This allows them to publish a record without immediately causing legitimate emails to be rejected if the record is incomplete.
However, relying on a neutral policy long-term offers no protection against email spoofing. Since it doesn't instruct receivers to reject unauthorized emails, malicious actors can still abuse your domain without facing an SPF failure. It's a very permissive setting that essentially says, "I have an SPF record, but I'm not confident enough in it to enforce anything."
Comparing neutral with other SPF qualifiers
To fully understand the neutral qualifier, it helps to see it alongside the other options available in SPF. Each one provides a different instruction to the receiving mail server.
- + (Pass): The IP address is authorized to send email for the domain. This is the default qualifier for mechanisms and is often omitted (e.g., a is the same as +a).
- - (Fail): The IP address is explicitly not authorized. A -all mechanism tells receivers to reject any mail that doesn't match other mechanisms in the record. This is a hard fail.
- ~ (SoftFail): The IP address is probably not authorized. A ~all mechanism suggests that non-matching mail should be accepted but marked as suspicious or subjected to further scrutiny. It's a step between Neutral and Fail.
- ? (Neutral): The domain owner makes no assertion about the IP address. As SiteGround's guide points out, it leads to an undetermined result, being neither a pass nor a fail.
Should you use an SPF neutral policy?
While ?all is better than having no SPF record at all, it provides minimal value for email security. It signals to receivers that you are aware of SPF but are not ready to enforce a policy. This can be a useful intermediate step, but it shouldn't be the final goal.
For robust email authentication and to protect your domain's reputation, you should aim to implement a policy of ~all (SoftFail) or, ideally, -all (Fail). Combining a strong SPF policy with DKIM and DMARC provides the best defense against phishing and spoofing attacks that leverage your domain.
