Suped

SPF ~all vs -all: Which is better for email deliverability and spoofing protection?

Summary

The choice between SPF ~all (softfail) and -all (hardfail) is a long-standing debate in the email deliverability community. While -all might seem more secure on the surface, its practical utility for preventing spoofing and ensuring deliverability is often outweighed by the risks and complexities it introduces. Modern email authentication relies more heavily on DMARC for robust policy enforcement and brand protection.


What the email marketers say

Email marketers often weigh the theoretical benefits of strict SPF policies against the very real risks of impacting legitimate email delivery. Their perspectives are primarily shaped by practical experience with various ESPs, DNS providers, and the diverse reactions of mailbox providers.

Marketer view

Email marketer from Email Geeks notes that major players like Google and Elon Musk's companies often use ~all, implying that a softer SPF policy is sufficient even for large entities. This suggests that strict hardfail policies may not be universally adopted or considered necessary by all major senders. Their reasoning often points to the complexities of managing dynamic IP infrastructures.

19 Jan 2019 - Email Geeks

Marketer view

Email marketer from Email Geeks contends that while -all might appear more secure, the real debate lies in how ISPs like Gmail, Yahoo, Hotmail, and Comcast treat these authentication configurations. They emphasize the need for ecosystem-wide data to understand the actual impact on deliverability.

19 Jan 2019 - Email Geeks

What the experts say

Email deliverability experts emphasize a nuanced understanding of SPF, DKIM, and DMARC. They often highlight the practical limitations of SPF's hardfail policy (-all) in real-world scenarios, particularly when compared to the comprehensive capabilities of DMARC for policy enforcement and abuse reporting. Their insights often come from extensive experience managing large-scale email systems and dealing with diverse ISP behaviors.

Expert view

Email expert from Email Geeks explains that the choice of SPF policy, whether -all or ~all, doesn't make a significant difference for spoofing because a bad actor can use any domain for the MAIL FROM while still spoofing the FROM header. This highlights a fundamental limitation of SPF for comprehensive spoofing prevention.

20 Jan 2019 - Email Geeks

Expert view

Email expert from Email Geeks clarifies that an IP address failing SPF when the policy is -all means the email should be rejected according to the RFC (Request for Comments) specification. This technical adherence, however, often leads to complaints from senders who don't expect such strict enforcement.

20 Jan 2019 - Email Geeks

What the documentation says

Email authentication documentation, particularly RFCs, provides the foundational rules for SPF, DKIM, and DMARC. While SPF specifies the ~all (softfail) and -all (hardfail) mechanisms, the evolution of email security has led to DMARC becoming the primary protocol for expressing sender policy preferences concerning unauthenticated mail. Understanding the original intent and current real-world application is key.

Technical article

Documentation from RFC 7208 (SPF) describes the -all mechanism as a hardfail, meaning that if the client IP address does not match any allowed mechanisms, the result is fail. The message should be rejected or discarded.

24 Apr 2014 - RFC 7208

Technical article

Documentation from RFC 7208 (SPF) defines the ~all mechanism as a softfail, which indicates that the client IP address is not authorized, but the receiving server may still accept the message. It suggests that the message should be treated with suspicion, but not necessarily rejected.

24 Apr 2014 - RFC 7208
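
The behaviour described in the expert and RFC 7208 entries above, as an added Python example (not code from the original page or from Suped): it evaluates the terminal all qualifier for a sending IP, then applies the SPF part of a DMARC alignment check. The domains, IP addresses, RECORDS table and function names are constructed for illustration; only ip4, ip6 and all terms are handled, and alignment is strict.

```python
import ipaddress

# SPF qualifier -> result name (RFC 7208 section 4.6.2)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records standing in for DNS TXT lookups (documentation IP ranges).
RECORDS = {
    "brand.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "brand-soft.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "unrelated.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

def spf_result(record, client_ip):
    """Evaluate ip4/ip6/all terms left to right; the first match decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech.lower() == "all":
            return QUALIFIERS[qualifier]
        name, _, value = mech.partition(":")
        if name.lower() not in ("ip4", "ip6"):
            raise ValueError(f"term needs DNS and is not handled here: {term}")
        if ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term

def dmarc_spf_leg(spf, mail_from_domain, header_from_domain):
    """SPF counts toward DMARC only if it passed for a MAIL FROM domain that
    matches the From header domain (strict alignment; relaxed alignment
    compares organizational domains and needs the Public Suffix List)."""
    return spf == "pass" and mail_from_domain.lower() == header_from_domain.lower()

def check(client_ip, mail_from_domain, header_from_domain):
    """Return (SPF result for the MAIL FROM domain, DMARC SPF leg passes)."""
    spf = spf_result(RECORDS.get(mail_from_domain, ""), client_ip)
    return spf, dmarc_spf_leg(spf, mail_from_domain, header_from_domain)

if __name__ == "__main__":
    # (client IP, MAIL FROM domain, From header domain), all constructed
    for case in [("192.0.2.10", "brand.example", "brand.example"),
                 ("203.0.113.9", "brand.example", "brand.example"),
                 ("203.0.113.9", "brand-soft.example", "brand-soft.example"),
                 ("198.51.100.7", "unrelated.example", "brand.example")]:
        print(case, "->", check(*case))
```

In the last case SPF passes for the envelope domain whatever qualifier brand.example publishes, and only the alignment check ties the result to the From header.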
