The Sender Policy Framework (SPF) qualifier that denotes a neutral result is the question mark (?). When you see ?all in an SPF record, it means the domain owner is making no specific assertion about whether an IP address is authorized to send email on their behalf. It's essentially a statement of neutrality.
SPF itself is an email authentication method designed to prevent email spoofing by allowing domain owners to specify which mail servers are authorized to send email for their domain. Qualifiers are the prefixes applied to SPF mechanisms (like a, mx, or include) that tell receiving mail servers how to treat a message that matches the mechanism.
A neutral result is not a pass, fail, or softfail. Instead, it signifies that the domain owner doesn't want to declare whether the sending IP is legitimate or not. The official RFC 7208 for SPF defines it as an explicit statement of non-assertion.
This means that even if an email comes from an IP address not listed in the SPF record, the ?all qualifier instructs the receiving server to treat the result as undetermined. As DuoCircle puts it, this is for when a domain owner doesn't want to assert the validity of a sending IP. Consequently, most receiving systems won't block or mark the email as spam based on the SPF result alone, though they may apply other security checks.
Using a neutral qualifier is generally not recommended for a final, secure configuration, but it can be useful in specific scenarios. For instance, a domain administrator might use ?all during the initial setup or testing phase of their SPF record. This allows them to publish a record without immediately causing legitimate emails to be rejected if the record is incomplete.
However, relying on a neutral policy long-term offers no protection against email spoofing. Since it doesn't instruct receivers to reject unauthorized emails, malicious actors can still abuse your domain without facing an SPF failure. It's a very permissive setting that essentially says, "I have an SPF record, but I'm not confident enough in it to enforce anything."
To fully understand the neutral qualifier, it helps to see it alongside the other options available in SPF. Each one provides a different instruction to the receiving mail server.
While ?all is better than having no SPF record at all, it provides minimal value for email security. It signals to receivers that you are aware of SPF but are not ready to enforce a policy. This can be a useful intermediate step, but it shouldn't be the final goal.
For robust email authentication and to protect your domain's reputation, you should aim to implement a policy of ~all (SoftFail) or, ideally, -all (Fail). Combining a strong SPF policy with DKIM and DMARC provides the best defense against phishing and spoofing attacks that leverage your domain.