
What is the difference between '-all' and '?all' in SPF?

Matthew Whittaker
Co-founder & CTO, Suped
Published 3 Mar 2025
Updated 22 Oct 2025
Email authentication protocols like SPF (Sender Policy Framework) are essential for ensuring your emails reach their intended recipients and protecting your domain from spoofing. An SPF record published in your DNS specifies which mail servers are authorized to send email on behalf of your domain. At the heart of this record are mechanisms that tell receiving servers how to handle emails coming from unauthorized sources.
Among the most crucial parts of an SPF record are the qualifiers that define the policy for unlisted sending IP addresses. Specifically, '-all' and '?all' are two common, yet fundamentally different, qualifiers that dictate how strictly receiving mail servers should treat emails that fail SPF checks.
Understanding the distinction between these two 'all' mechanisms is vital for anyone managing email deliverability and security. Choosing the wrong one can either leave your domain vulnerable to impersonation or cause legitimate emails to be rejected. Let's delve into what each qualifier means and when to use them.

Understanding SPF qualifiers

Before we dive into '-all' and '?all', it helps to understand the general concept of SPF qualifiers. Every SPF mechanism, including all, can be prefixed by a qualifier that tells the receiving server how to interpret a match or non-match. The all mechanism itself is a catch-all, meaning it applies to any sending IP address not explicitly covered by the preceding mechanisms in the SPF record.
There are four standard SPF qualifiers, each with a distinct meaning. These qualifiers define how strictly your domain's email sending policy is applied. For a comprehensive overview of how they work, you can refer to our guide on what the SPF all qualifiers mean.
  1. '+': Pass (default). If no qualifier is specified, this is assumed.
  2. '-': Hard Fail. The email should be rejected.
  3. '~': Soft Fail. The email should be accepted but marked as suspicious.
  4. '?': Neutral. No policy is stated for this sender; the receiving server treats the result as if no SPF record existed, so the email is normally accepted.
Example SPF record structure (DNS TXT record):

v=spf1 include:_spf.example.com ip4:192.0.2.1 -all

The hard fail: '-all'

The '-all' mechanism (often pronounced "minus all" or "dash all") is the most stringent SPF qualifier. When a receiving mail server encounters '-all' in your SPF record, it means that any email originating from an IP address not explicitly listed or authorized by other mechanisms in the record should be treated as a hard fail. This typically results in the email being rejected or bounced.
Using '-all' provides the strongest protection against email spoofing and phishing attacks, as it explicitly tells receiving servers to reject unauthorized mail. However, it requires precise configuration. If your SPF record does not accurately list all legitimate sending sources, emails from those unlisted sources will be rejected, even if they are legitimate.
This strong stance makes '-all' the preferred qualifier once you have a solid understanding of all of your domain's email sending sources. It is particularly effective when paired with a DMARC policy set to p=reject, as the two together give receiving servers clear instructions. If you are unsure, see our article on whether you should be concerned about '-all'.

The neutral qualifier: '?all'

In stark contrast, the '?all' mechanism (question mark all) indicates a neutral policy. This means that if an email comes from an IP address not listed in your SPF record, the receiving server should treat it as if no policy exists. Essentially, it doesn't give any instruction to reject or flag the email as suspicious; it simply says, "I don't have an opinion on this sender."
While '?all' ensures that no legitimate emails will be rejected due to SPF failures, it offers virtually no protection against spoofing. Any attacker can send emails impersonating your domain, and receiving servers configured only with SPF will likely accept them. This lack of enforcement means that your domain remains vulnerable.
For this reason, '?all' is rarely recommended for active sending domains. Its primary use case is typically during initial SPF record setup or for domains that do not send email at all, where it serves as a placeholder or a very relaxed policy. It can also be a starting point when you are beginning your DMARC journey with a p=none policy to gather data without impacting deliverability.

Comparing '-all' and '?all'

The choice between '-all' and '?all' is a trade-off between strict security and maximum deliverability. While '-all' offers robust protection, it carries the risk of legitimate emails being blocked if your SPF record is incomplete. Conversely, '?all' ensures deliverability but sacrifices security, leaving your domain open to abuse. For a deeper look into which is better, explore our article on SPF ~all vs -all.
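To make the trade-off concrete, here is an added example (not Suped's code) of a minimal SPF evaluator: it parses a TXT record, checks ip4/ip6 mechanisms, and applies the qualifier on the 'all' catch-all, so the same unlisted sender yields "fail" under '-all' but "neutral" under '?all'. It assumes records using only ip4, ip6 and all; include, a and mx need DNS lookups and are deliberately left out, and the records and IP addresses are constructed for the demonstration.

```python
import ipaddress

# Constructed example, not Suped's code: a minimal SPF evaluator that
# understands ip4/ip6 mechanisms and the 'all' catch-all with its qualifier.
# 'include', 'a' and 'mx' need DNS lookups and are deliberately left out.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result for sender_ip under the given TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"            # no usable SPF policy published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"          # '+' (pass) is assumed when none is given
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # catch-all: nothing before it matched
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare IP means /32 or /128
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            raise ValueError(f"unsupported mechanism in this example: {name}")
    return "neutral"             # RFC 7208: no term matched and no 'all' present


# Constructed records and sender addresses for the demonstration.
AUTHORIZED = "192.0.2.1"
UNLISTED = "203.0.113.7"
HARD_FAIL = "v=spf1 ip4:192.0.2.0/24 -all"
NEUTRAL = "v=spf1 ip4:192.0.2.0/24 ?all"
SOFT_FAIL = "v=spf1 ip4:192.0.2.0/24 ~all"

if __name__ == "__main__":
    for label, rec in (("-all", HARD_FAIL), ("?all", NEUTRAL), ("~all", SOFT_FAIL)):
        print(f"{label}: authorized -> {evaluate_spf(rec, AUTHORIZED)}, "
              f"unlisted -> {evaluate_spf(rec, UNLISTED)}")
```

Running it shows that the authorized address passes under every record, while the unlisted address is the only case where the qualifier on 'all' decides the outcome.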

'-all': Hard fail

  1. Security: Highest level of protection against spoofing and phishing.
  2. Deliverability: Risks legitimate emails being rejected if SPF record is inaccurate.
  3. Use case: Recommended for domains actively protected by DMARC p=reject.

'?all': Neutral

  1. Security: No protection against spoofing. Emails treated as neutral.
  2. Deliverability: All emails will be delivered, regardless of authorization.
  3. Use case: For domains not sending email or during initial DMARC implementation with p=none.

Best practices and DMARC integration

For domains committed to strong email security, the ultimate goal is to transition to '-all' in your SPF record, alongside a robust DMARC policy. DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds upon SPF and DKIM to provide comprehensive protection and reporting. It's the most effective way to protect your domain from impersonation and ensure your emails are delivered correctly.
When implementing DMARC, many organizations start with a p=none policy and an SPF record using '~all' (soft fail). This allows them to monitor email traffic and identify all legitimate sending sources without impacting deliverability. Once all legitimate sources are identified and authorized, they can then safely transition to quarantine or reject with their DMARC policy and set SPF to '-all'. This phased approach minimizes risks and ensures continuous email flow.
For monitoring SPF and DMARC, tools like Suped provide comprehensive insights. Our platform offers DMARC monitoring with AI-powered recommendations to simplify complex issues. We also offer SPF flattening and real-time alerts to proactively manage your email security. Learning more about SPF qualifiers and their usage is key to maintaining a robust email infrastructure.

Choosing the right qualifier

The choice between '-all' and '?all' in SPF records boils down to your domain's security posture and its stage in email authentication implementation. While '?all' offers no real protection, '-all' provides critical security against spoofing when correctly implemented. Always aim to move towards a more restrictive policy, ideally managed and monitored through DMARC.
