When you're setting up email authentication, the Sender Policy Framework (SPF) is one of your first and most important lines of defense. An SPF record is a simple text entry in your DNS that lists all the servers authorized to send email on behalf of your domain. At the very end of this record, you'll find a crucial component: the 'all' mechanism, which tells receiving mail servers what to do with emails from sources not on your list. The qualifier you use with 'all' dictates the strictness of your policy. As AutoSPF notes, this tag is the final mechanism of a valid SPF record. The most common question I get is about one specific qualifier: the tilde (~).
The ~all mechanism signifies a 'soft fail'. This is an instruction to receiving email servers that if an email comes from a server not listed in your SPF record, it should be treated with suspicion but not necessarily rejected outright. It's a suggestion rather than a command. The email will fail the SPF check, but the receiving server is advised to accept it, potentially placing it in the spam folder or flagging it as suspicious.
To understand the ~all soft fail, it helps to see it alongside the other qualifiers you can use in your SPF record. Each one represents a different level of enforcement:
The ~all mechanism is primarily a transitional tool. When you first set up SPF, you might not be 100% certain that you have identified every single service that sends email for your domain, from your marketing platform to your helpdesk software. Using ~all allows you to monitor for legitimate sources you may have missed without risking the rejection of important emails. It provides some protection while giving you the flexibility to refine your record.
Once you have monitored your email traffic (ideally with DMARC reporting) and are confident that your SPF record is comprehensive, the best practice is to move to the more secure -all policy.
It's critical to understand how ~all interacts with DMARC (Domain-based Message Authentication, Reporting, and Conformance). DMARC checks if SPF or DKIM passes and if the domain in the 'From' header aligns with the domain used for SPF or DKIM. For the purposes of DMARC, both an SPF soft fail (~all) and a hard fail (-all) are treated as a 'fail'. If you have a ~all mechanism, you will see an SPF soft fail status, but this will still result in a DMARC failure for that message.
This means that if you have a DMARC policy of p=reject or p=quarantine, an email that soft fails SPF (and also fails DKIM alignment) will be rejected or quarantined, regardless of the 'soft' instruction. The ~all is therefore a legacy instruction from a time before DMARC was common. Today, your DMARC policy is what holds the real power, and the ultimate goal should be implementing a -all SPF record for maximum clarity and security.
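To make the interaction concrete, here is an added example (not code from the original article or from AutoSPF) that evaluates a minimal SPF record against a sending IP and then feeds the result into the DMARC logic described above. The record, IP addresses and helper names are constructed for illustration; only ip4/ip6/all mechanisms are handled, not include, a, mx or redirect.

```python
import ipaddress

# Constructed sample record using documentation address ranges (not a real domain).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a minimal SPF record (ip4/ip6/all only) for client_ip.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no valid SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no qualifier means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            # 'all' always matches, so its qualifier decides the final result
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


def dmarc_result(spf_result, spf_aligned, dkim_result, dkim_aligned):
    """DMARC passes only if SPF passes with an aligned domain, or DKIM does.
    Any other SPF result, softfail included, counts as no pass."""
    spf_ok = spf_result == "pass" and spf_aligned
    dkim_ok = dkim_result == "pass" and dkim_aligned
    return "pass" if (spf_ok or dkim_ok) else "fail"


def dmarc_disposition(policy, result):
    """Map the DMARC 'p' policy (none/quarantine/reject) to an action."""
    if result == "pass" or policy == "none":
        return "none"
    return policy


if __name__ == "__main__":
    spf = evaluate_spf(SPF_RECORD, "203.0.113.7")  # an IP not in the record
    print("SPF:", spf)  # softfail
    verdict = dmarc_result(spf, True, "fail", False)
    print("DMARC:", verdict, "->", dmarc_disposition("reject", verdict))
```

Switching the record's `~all` to `-all` changes the SPF result from softfail to fail, but the DMARC verdict and disposition are identical in both cases.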