Suped

What is the difference between '-all' and '?all' in SPF?

When you're setting up your SPF record, that small character right before the final "all" mechanism might seem insignificant, but it makes a world of difference in your email security. The choice between a dash, a question mark, or even a tilde dictates how recipient mail servers handle emails that don't come from your approved sources. Understanding these qualifiers is fundamental to properly configuring SPF and protecting your domain from spoofing.

The "all" mechanism in an SPF record is a catch-all that applies to any sender not explicitly listed. The character preceding it, known as the qualifier, tells receiving servers what to do with messages from those unlisted senders.

What are SPF qualifiers?

An SPF record is made up of mechanisms, which define the approved senders, and qualifiers, which define the policy. There are four primary qualifiers you can use with the "all" mechanism:

  • +all (Pass): Any server can send email on your behalf. This essentially disables SPF and should never be used.
  • -all (Fail): Emails from unlisted servers should be rejected. This is a strict, hard fail instruction.
  • ~all (SoftFail): Emails from unlisted servers are suspect. They should be accepted but marked as spam or suspicious.
  • ?all (Neutral): The SPF record makes no statement on the validity of the sender. The receiving server should treat it as if there is no SPF record at all.

Our focus here is on the difference between the 'Fail' (-all) and 'Neutral' (?all) qualifiers, as they represent two very different approaches to email security.

The meaning of '-all' (Fail)

The -all qualifier is an explicit instruction to receiving mail servers. It says, "If an email claiming to be from my domain does not originate from an IP address listed in this SPF record, you should reject it." This is often referred to as a "hard fail".

DuoCircle says:
Using '-all' is interpreted as any email originating from any server other than those listed in the SPF record will not be delivered to the recipient's inbox.

Using -all provides the strongest protection against domain spoofing. It leaves no room for interpretation. When combined with a DMARC policy, it ensures that fraudulent emails are blocked, protecting your brand's reputation and your recipients' security. As noted by AutoSPF, the -all tag "explicitly instructs recipients' servers to outrightly reject" emails from unauthorized sources.

The meaning of '?all' (Neutral)

The ?all qualifier, on the other hand, provides no policy guidance at all. It effectively tells the receiving server, "I have an SPF record, but I'm not making any assertion about whether this email is legitimate or not." The result of a ?all check is 'Neutral', which is treated by most mail systems as if there were no SPF policy at all.

This makes the ?all qualifier largely useless for security purposes. It might be used during initial testing or migration phases when you're unsure of all your sending IPs, but it should not be the permanent state of your record. Leaving it in place offers no protection against spoofing and can cause issues with DMARC alignment, as a 'Neutral' result will not pass a DMARC check.
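The contrast between the two qualifiers, as an added example that is not part of the original article: a simplified evaluator that walks an SPF record left to right and returns the result for a given sender IP. The function names, sample records and addresses are constructed for illustration, and only `ip4`, `ip6` and `all` terms are handled (terms that need DNS lookups raise an error).

```python
import ipaddress

# Qualifier -> SPF result (RFC 7208). A term with no qualifier defaults to "+".
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate a simplified SPF record (ip4/ip6/all terms only) for sender_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name.lower() == "all":
            return RESULTS[qualifier]  # catch-all for every unlisted sender
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]  # first matching term decides
            continue
        # include, a, mx, exists, redirect need DNS lookups: out of scope here.
        raise ValueError(f"term not handled in this example: {term!r}")
    return "neutral"  # nothing matched and the record has no "all" term

def counts_for_dmarc(spf_result: str) -> bool:
    """Only 'pass' can satisfy DMARC's SPF check (alignment is not modelled)."""
    return spf_result == "pass"

# Constructed sample data: documentation address ranges, not real senders.
STRICT = "v=spf1 ip4:192.0.2.0/24 -all"
NEUTRAL = "v=spf1 ip4:192.0.2.0/24 ?all"
LISTED, UNLISTED = "192.0.2.25", "198.51.100.7"

if __name__ == "__main__":
    for record in (STRICT, NEUTRAL):
        for ip in (LISTED, UNLISTED):
            result = check_spf(record, ip)
            print(f"{record!r:34} {ip:13} {result:8} dmarc_spf={counts_for_dmarc(result)}")
```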

Which one should you use?

The choice is clear. For any production environment where email security is a concern, you should always use -all (Fail). This is the only qualifier that actively enforces your SPF policy and instructs mail servers to reject unauthorized mail.

EmailAuth says:
While ~all provides some flexibility and tolerance for email providers, -all provides a stronger level of protection against email fraud and phishing attacks.

While the ~all (SoftFail) qualifier offers a middle ground, modern email authentication relies on the clear signals provided by a 'Fail' result to work effectively with DMARC. The ?all (Neutral) qualifier offers no protection and should be avoided.

In summary, if you want your SPF record to actually protect your domain, use -all. If you are in a temporary testing phase and want to avoid disrupting mail flow, you might use ?all or ~all, but your goal should always be to move to -all as quickly as possible to enforce your policy and secure your domain.
