What SPF qualifier indicates a pass result?

When you're setting up email authentication, understanding the syntax of an SPF record is crucial. A key part of that syntax is the qualifier, which tells a receiving mail server what to do when an email's sending IP address matches a mechanism in your SPF record. For a successful authentication check, a specific qualifier is used.

The SPF qualifier that indicates a Pass result is the + (plus) symbol. When a receiving server checks your SPF record and finds that the sending IP address matches a mechanism prefixed with + , it means the email has passed the SPF check. This result signals that the message is from an authorized sender for your domain.

AutoSPF says:

Visit website

This SPF Qualifier indicates that the email has passed the verification check (which means the sender is genuine) and it will land in the inbox.

One of the most important things to know about the Pass qualifier is that it's the default action. If you include a mechanism in your SPF record without any qualifier in front of it, it is implicitly treated as a +Pass. This is a common convention that simplifies SPF records.

DMARCwise says:

Visit website

If no qualifier is specified, a matching mechanism produces an SPF result of PASS . For example include:_spf.google.com is equivalent to +include:_spf.google.

For instance, the following two mechanisms in an SPF record are functionally identical:

• +include:_spf.google.com
• include:_spf.google.com

Both versions will result in a Pass if the email is sent from an IP address authorized by Google's SPF record. Because the plus is implicit, you will often see SPF records written without it for the sake of brevity.

Suped DMARC monitor

Free forever, no credit card required

Get started for free

Trusted by teams securing millions of inboxes

While + means an email is authorized, other qualifiers give different instructions to the receiving server. Understanding the whole set is key to properly configuring your record.

DuoCircle says:

Visit website

They can be prefixed with one of the following four qualifiers. + (Pass) – This qualifier is used when the mechanism results in a hit. It designates that the message should be accepted because it has been verified.

The four main SPF qualifiers are:

• + (Pass): As discussed, this means the IP address is an authorized sender. The email should be accepted.
• - (Fail): This gives an explicit instruction that the IP address is not authorized to send email from the domain. Most SPF records end with -all, which means any sender not previously listed should be rejected.
• ~ (SoftFail): This indicates that the IP address is probably not authorized. The receiving server should accept the message but flag it as suspicious or subject it to further scrutiny. It's generally recommended to use -all instead of ~all for better security.
• ? (Neutral): This means the domain owner makes no assertion about the validity of the IP address. The result is neither a pass nor a fail. This is rarely used in modern SPF configurations.

In summary, the + qualifier is your way of telling the world which servers are allowed to send email on your behalf. Since it's the default, you don't always need to write it out, but its presence, whether explicit or implicit, is what allows your legitimate emails to pass SPF authentication and contributes to a strong email deliverability posture.