Chat +1-888-563-5277 [email protected]

SPF Authentication: SPF-all vs ~all

What is SPF? Sender Policy Framework (SPF) lets the admin specify what IP addresses are allowed to send emails on a domain’s behalf. This authorization is published as a TXT record in the DNS Provider (Cloudflare, GoDaddy, etc.). Note that SPF checks against the 5321.MailFrom address (also known as Return-Path, Envelope From, or Bounce address) to authorize sending IP addresses. The recipient’s mail server, if it adheres to the sender’s domain’s SPF policy, should act in accordance with the published SPF policy. In this article, we’ll discuss why you should use SPF -all vs ~all?

SPF Record: what does it look like?

SPF TXT record starts with the SPF version indicator followed by all the ‘whitelisted’ IP addresses that are authorized to send emails on a domain’s behalf, ending with an all tag (-all, ~all, +all, ?all) indicating what policy should be applied to email when MBPs (Mailbox Providers like Google, Microsoft, Yahoo!, etc.) detect that mail was sent from servers / IP addresses not listed in the SPF record. Also, check our free SPF Record check tool.

SPF Record Example:

v=spf1 ip4: ip4: ip6:2001:db8:0:1234:0:567:8:1 -all

  1. v=spf1: SPF record should always start with v=spf1 version number.
  2. ip4 and ip6 mechanisms: Lists the single IP address (e.g and 2001:db8:0:1234:0:567:8:1) or IP subnets (e.g. ip4: that are authorized to send emails on a domain’s behalf. Note that IPv4 addresses should be prefixed as “ip4”, and IPv6 as “ip6” tags.
  3. “include” mechanism: Used to authorize third-party services that are used to send emails on your domain’s behalf. In this example, the “” authorizes Google Workspace (formerly G Suite) to send emails on behalf of your domain.
  4. “all” mechanism: In this example, the “-all” (Fail) tag is used. Tags include:
    1. -all (Fail): email from servers / IP addresses, not listed in the SPF record, should be rejected.
    2. ~all (SoftFail): emails from servers / IP addresses, not listed in the SPF record, should be accepted but marked 
    3. +all (Pass): any servers can send emails on your domain’s behalf. We highly recommend not to use this option
    4. ?all (Neutral): Interpreted as None / No policy. We highly recommend not to use this option.

For generating an SPF Record, check our SPF Generator tool.

Also, read our ultimate guide about SPF to improve email delivery.


SPF -all vs ~all: what should I use? 

Before DMARC adoption (in 2012), SPF alone (which was introduced in 2004) played a major role, despite its limitations, in fighting against Return-Path or MailFrom email spoofing attempts. MBPs applied rules based on the admins’ expressed SPF record policies (~all or -all). Thus, this caused major issues with blocking legitimate emails due to SPF configuration errors, which led the majority and well-known MBPs to use both SoftFail (~all) and Fail (-all) as accept but mark method.

We at EasyDMARC advise our users to publish SPF records with SoftFail (~all) for 3 main reasons:

  1. Since DMARC adoption, MBPs use domains’ DMARC policies (p=quarantine or p=reject) to apply rules on the failed emails. SPF ~all is the same as -all, stating “Not Passed” or “SPF Fail”
  2. Using SPF ~all can make the debugging process of DMARC Aggregate reports easier (Identifying Return-Path addresses)
  3. Once in a while, you may come across some not-well-known MBPs who still treat SPF “Fail” and “SoftFail” as it was originally intended and produce various false-positive results with bouncing legitimate emails. Thus this can be avoided with ~all.

Next Steps

Optimizing SPF records can be pretty challenging. Also, check our guide.

Also, check our SPF Raw Checker to validate your SPF Record prior to implementing it in your DNS.


Business email compromise (BEC) - 2021 Cybersecurity Problem

Security analysis and predictions for 2021 show that there will be dramatic increases in the number of phishing attacks against cloud-based email. Risk management and security leaders must ensure their solutions stay up-to-date for this changing landscape to protect against cyber attacks. EasyDMARC stays...

Read More

How to explain DKIM in plain English?

DKIM allows the recipient server to make sure (or to verify) that the received message was sent by the genuine sender of the associated domain and that content of the original message was not altered on its way. So let's figure out how to...

Read More

No SPF Record Found: how to fix SPF record issues?

What is an SPF Record? This is a special DNS TXT Record. It lists the IP addresses from which you can send emails on behalf of the domain. How to set up an SPF Record and what happens if there is “No SPF Record...

Read More