Understanding SPF (Sender Policy Framework) qualifiers is essential for effective email deliverability and preventing spoofing. These qualifiers, such as '+all', '-all', '~all', and '?all', dictate how receiving mail servers should interpret and act upon emails that either pass or fail the SPF authentication check for your domain. Incorrect use of these qualifiers can severely impact your email's ability to reach the inbox, potentially leading to messages being marked as spam or outright rejected.
Key findings
Neutral result: The ?all qualifier results in a 'neutral' SPF outcome, meaning no definite assertion (positive or negative) is made about the sending client. This effectively renders the SPF record inactive for enforcement purposes.
Functionally inactive: A 'neutral' result is treated the same as a 'none' result by recipients, indicating that SPF is not actively providing a policy for unauthorized senders. This means emails from unauthorized sources might still be accepted without specific flags.
Enforcement levels: For SPF to have any real impact on email authentication and deliverability, the record must end with either ~all (softfail) or -all (fail).
Strictness vs. flexibility: The choice between ~all and -all largely depends on your domain's sending practices and risk tolerance. While -all offers stricter protection, it can lead to legitimate emails being rejected if not perfectly configured. For more details on this choice, refer to our guide on SPF ~all vs -all.
Key considerations
Avoid ?all: Unless you are in a very specific testing phase, ?all should not be used in a production SPF record as it negates the security benefits of SPF.
Avoid +all: +all explicitly allows any server to send mail on behalf of your domain, making it highly susceptible to spoofing and often leading to emails being marked as spam or blocklisted.
Best practice: Most domains should aim for ~all as a starting point, transitioning to -all only when they have a comprehensive understanding of all their sending sources, often achieved through DMARC reporting and monitoring. The RFC documentation clarifies the definitions of these results.
DMARC interaction: Even with ?all or ~all, a DMARC policy (especially at p=reject or p=quarantine) will still enforce policies based on SPF alignment. However, the SPF qualifier itself plays a critical role in the initial authentication signal. The IETF RFC 7208 provides a comprehensive overview of SPF, including its section on results.
Email marketers often approach SPF qualifiers from a pragmatic perspective, focusing on what works best for deliverability while minimizing the risk of legitimate emails being blocked. Their opinions highlight the importance of balancing strict security with the practicalities of sending email through various platforms. They frequently discuss the impact of each qualifier on inbox placement and the necessity of proper configuration.
Key opinions
Testing vs. production: The ?all qualifier is seen as suitable only for testing SPF records on non-production domains, as it essentially makes the record inactive for enforcement.
Impact of +all: Using +all is widely considered detrimental to deliverability, as it signals that any server is authorized to send email for the domain, significantly increasing spam scores.
Production standard: Marketers recognize that for any enforcement or deliverability benefit, a production SPF record must end with either ~all or -all. Most start with ~all for its balance of security and flexibility.
Overly broad records: Some mailbox providers (MBPs) may treat overly broad SPF records, such as those using +all, differently than intended, potentially leading to increased spam classifications. This highlights the need for careful configuration when setting up your SPF TXT record.
Key considerations
Prioritize enforcement: If you want SPF to be effective in preventing spoofing and improving deliverability, ensure your record ends with ~all or -all.
Monitor performance: Regularly check your email deliverability and authentication reports to understand how different qualifiers impact your sender reputation. While SPF is crucial, it's just one part of overall email deliverability strategy.
DMARC integration: Use DMARC in conjunction with SPF and DKIM for comprehensive email authentication. DMARC policies provide instructions on how receiving servers should handle emails that fail authentication, giving you greater control. Learn more about DMARC, SPF, and DKIM.
Marketer view
An email marketer from Email Geeks discussed the behavior of the ?all qualifier. They explained that it means a failure should be treated as a neutral result. While not technically inactive, for most receivers, it functions as good as inactive. Essentially, this qualifier provides no clear directive to receiving servers regarding emails that do not match the specified SPF mechanisms. Therefore, it offers little to no protection against email spoofing or unauthorized sending.
02 Jan 2020 - Email Geeks
Marketer view
An email marketer from Email Geeks outlined the various SPF qualifiers and their meanings. They clarified that +all means a 'pass', allowing all mail. For -all, it's a 'fail', only allowing mail that matches parameters in the record. They also mentioned ~all as a 'softfail', allowing mail whether or not it matches, and ?all as 'neutral', indicating no policy statement. This distinction is crucial for understanding the enforcement level of your SPF record.
02 Jan 2020 - Email Geeks
What the experts say
Deliverability experts bring a deep technical and operational understanding to SPF qualifiers, often drawing from extensive experience with mailbox providers and RFC specifications. Their insights highlight potential pitfalls, best practices, and the subtle nuances in how different email systems interpret SPF policies. They often stress the importance of robust authentication for maintaining sender reputation and avoiding blocklists.
Key opinions
Neutral as 'none': Experts confirm that a 'neutral' SPF result (from ?all) must be treated exactly like a 'none' result, effectively meaning there is no definite policy assertion.
Functional inactivity: While ?all isn't literally inactive, experts agree it's functionally the same for most receivers, offering no real protection or enforcement.
Misuse of ?all: The use of ?all is often interpreted as a sign of poor configuration or a lack of understanding of SPF, and should be avoided in production.
Risks of +all: Experts strongly advise against +all, as it essentially invalidates SPF's purpose and can lead to emails being heavily penalized or classified as spam. Learn how this can contribute to emails going to spam.
Key considerations
Default to ~all: The consensus among experts is to use ~all as the standard qualifier. It provides a good balance, marking non-compliant emails as 'softfail' while reducing the risk of legitimate emails being dropped compared to -all.
Understand implications: Before implementing -all, ensure all legitimate sending sources are explicitly included in your SPF record to prevent delivery failures. This meticulous approach helps prevent intermittent email delivery failures.
DMARC's role: While SPF qualifiers provide immediate instructions, DMARC can layer on top to provide a more robust policy for handling SPF authentication failures. Even if an SPF qualifier might contradict a DMARC policy in theory, operational systems might treat them similarly for DMARC evaluation. For a deeper understanding of this interaction, consider consulting the SPF record syntax.
Expert view
A deliverability expert from Email Geeks clarified that if you want any enforcement from SPF, your record must end with either ~all or -all. They stressed that without one of these, SPF will not be utilized by the receiver. This confirms that qualifiers are not merely suggestions but crucial directives that determine whether receiving mail servers apply any policy based on SPF authentication, effectively defining its role in preventing unauthorized sending.
02 Jan 2020 - Email Geeks
Expert view
A deliverability expert from Email Geeks firmly stated that ?all is SPF speak for "I don't know what I'm doing" and should never be in a real record. They also added that +all means "I know what SPF is, and I'll have no truck with it." This strong opinion from an experienced professional underscores the significant negative implications of using permissive or undefined SPF qualifiers. They effectively dismantle the security benefits that SPF is designed to provide, opening the door for widespread spoofing and damage to sender reputation.
02 Jan 2020 - Email Geeks
What the documentation says
Official documentation, primarily RFC 7208, defines the precise meaning and intended behavior of SPF qualifiers. These documents serve as the foundational source for how SPF should be implemented and interpreted by mail servers globally. Understanding the RFC provides the definitive technical perspective, often contrasting with common misconceptions or operational realities.
Key findings
Result definitions: The RFC clearly defines the four main SPF results corresponding to the qualifiers: Pass (+all), Fail (-all), SoftFail (~all), and Neutral (?all).
Neutral's equivalence: RFC 7208 explicitly states that a neutral result must be treated exactly like the none result, existing only for informational purposes rather than enforcement. This reinforces that ?all offers no policy.
Default pass: If no qualifier is explicitly stated for a mechanism, the default qualifier is + (pass), meaning it will allow mail from that source; a bare all therefore behaves like +all. This underlines the importance of explicitly stating qualifiers for desired policy outcomes.
Policy application: The RFC details how each qualifier influences the receiving server's decision, from outright acceptance with +all to definitive rejection with -all. This technical framework is crucial for anyone looking to understand the full form of SPF.
Key considerations
RFC compliance: Adhering to RFC specifications is paramount for ensuring interoperability and expected behavior across various mail systems. Deviations can lead to unpredictable deliverability issues.
Security implications: Documentation highlights that only -all and ~all provide a policy that can prevent unauthorized sending, with -all being the strongest. The others (e.g., +all, ?all) offer no meaningful protection against spoofing. This is crucial for understanding how SPF record syntax impacts security.
Interaction with DMARC: While RFCs primarily define SPF's standalone behavior, it's understood that DMARC builds upon these results. A neutral SPF result may lead DMARC to rely solely on DKIM for authentication or apply a 'none' policy.
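The qualifier rules above can be checked mechanically before a record is published. The following audit function is an added example, not code from RFC 7208 or from any tool named on this page; the sample records are constructed, and the "deferred" label for redirect-only records is this example's own name.

```python
# Added example: classify the terminal "all" directive of an SPF record.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
ENFORCING = {"fail", "softfail"}  # per the page, only -all and ~all enforce


def classify_spf(record: str) -> dict:
    """Report what a record says about senders matched by no other mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"result": "none", "enforcing": False, "note": "not an SPF record"}
    has_redirect = False
    for i, term in enumerate(terms[1:], start=1):
        low = term.lower()
        if low.startswith("redirect="):
            has_redirect = True  # ignored later if an "all" mechanism is found
            continue
        # A directive is an optional qualifier followed by a mechanism name.
        qualifier, mech = (low[0], low[1:]) if low[0] in QUALIFIER_RESULT else ("+", low)
        if mech != "all":
            continue
        result = QUALIFIER_RESULT[qualifier]
        notes = []
        if low == "all":
            notes.append("bare 'all' defaults to '+' (pass)")
        # Heuristic: a later term without "=" is a mechanism, not a modifier.
        if any("=" not in t for t in terms[i + 1:]):
            notes.append("mechanisms after 'all' are ignored")
        if result == "pass":
            notes.append("any server is authorized")
        elif result == "neutral":
            notes.append("treated like 'none', no policy")
        return {"result": result, "enforcing": result in ENFORCING, "note": "; ".join(notes)}
    if has_redirect:
        # "deferred" is this example's own label, not an SPF result name.
        return {"result": "deferred", "enforcing": False, "note": "policy is in the redirect target"}
    # RFC 7208 section 4.7: no match and no redirect yields neutral, as if ?all.
    return {"result": "neutral", "enforcing": False, "note": "no 'all': implicit ?all"}


if __name__ == "__main__":
    samples = [  # constructed records, not taken from real domains
        "v=spf1 include:_spf.example.net ~all",
        "v=spf1 ip4:192.0.2.0/24 -all",
        "v=spf1 mx ?all",
        "v=spf1 a all",
        "v=spf1 mx",
    ]
    for rec in samples:
        print(rec, "->", classify_spf(rec))
```

Records that come back with enforcing set to False are the ones this page advises against in production: ?all, +all, a bare all, or no all at all.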
Technical article
RFC 7208, section 8.2 on SPF results, describes a neutral result. This indicates that although a policy for the identity was discovered, there is no definite assertion, either positive or negative, regarding the client's authorization. Furthermore, the RFC mandates that a neutral result must be treated exactly like a none result; the distinction exists purely for informational purposes. This clarifies that ?all provides no active enforcement.
02 Jan 2020 - RFC 7208
Technical article
The DreamHost documentation on adding an SPF record includes a specific interpretation of the ?all qualifier. It states that the question mark makes the entire SPF record inactive, as though the domain had no SPF record at all. This operational guidance from a hosting provider reinforces the practical effect of ?all. It suggests that for all practical purposes, a record ending in ?all provides no authentication signal to receiving mail servers, thus offering no protection against spoofing.