Chat +1-888-563-5277 Contact sales

SPF Authentication: SPF-all vs ~all

What is SPF? Sender Policy Framework (SPF) lets the admin specify what IP addresses are allowed to send emails on a domain’s behalf. This authorization is published as a TXT record in the DNS Provider (Cloudflare, GoDaddy, etc.). Note that SPF checks against the 5321.MailFrom address (also known as Return-Path, Envelope From, or Bounce address) to authorize sending IP addresses. The recipient’s mail server, if it adheres to the sender’s domain’s SPF policy, should act in accordance with the published SPF policy. In this article, we’ll discuss why you should use SPF -all vs ~all?

SPF Record: what does it look like?

SPF TXT record starts with the SPF version indicator followed by all the ‘whitelisted’ IP addresses that are authorized to send emails on a domain’s behalf, ending with an all tag (-all, ~all, +all, ?all) indicating what policy should be applied to email when MBPs (Mailbox Providers like Google, Microsoft, Yahoo!, etc.) detect that mail was sent from servers / IP addresses not listed in the SPF record. Also, check our free SPF Record check tool.

SPF Record Example:

v=spf1 ip4:172.16.254.1 ip4:213.22.138.0/24 ip6:2001:db8:0:1234:0:567:8:1 include:_spf.google.com -all

  1. v=spf1: SPF record should always start with v=spf1 version number.
  2. ip4 and ip6 mechanisms: Lists the single IP address (e.g 172.16.254.1 and 2001:db8:0:1234:0:567:8:1) or IP subnets (e.g. ip4:213.22.138.0/24) that are authorized to send emails on a domain’s behalf. Note that IPv4 addresses should be prefixed as “ip4”, and IPv6 as “ip6” tags.
  3. “include” mechanism: Used to authorize third-party services that are used to send emails on your domain’s behalf. In this example, the “_spf.google.com” authorizes Google Workspace (formerly G Suite) to send emails on behalf of your domain.
  4. “all” mechanism: In this example, the “-all” (Fail) tag is used. Tags include:
    1. -all (Fail): email from servers / IP addresses, not listed in the SPF record, should be rejected.
    2. ~all (SoftFail): emails from servers / IP addresses, not listed in the SPF record, should be accepted but marked 
    3. +all (Pass): any servers can send emails on your domain’s behalf. We highly recommend not to use this option
    4. ?all (Neutral): Interpreted as None / No policy. We highly recommend not to use this option.

For generating an SPF Record, check our SPF Generator tool.

Also, read our ultimate guide about SPF to improve email delivery.

SPF-Record-Generator

SPF -all vs ~all: what should I use? 

Before DMARC adoption (in 2012), SPF alone (which was introduced in 2004) played a major role, despite its limitations, in fighting against Return-Path or MailFrom email spoofing attempts. MBPs applied rules based on the admins’ expressed SPF record policies (~all or -all). Thus, this caused major issues with blocking legitimate emails due to SPF configuration errors, which led the majority and well-known MBPs to use both SoftFail (~all) and Fail (-all) as accept but mark method.

We at EasyDMARC advise our users to publish SPF records with SoftFail (~all) for 3 main reasons:

  1. Since DMARC adoption, MBPs use domains’ DMARC policies (p=quarantine or p=reject) to apply rules on the failed emails. SPF ~all is the same as -all, stating “Not Passed” or “SPF Fail”
  2. Using SPF ~all can make the debugging process of DMARC Aggregate reports easier (Identifying Return-Path addresses)
  3. Once in a while, you may come across some not-well-known MBPs who still treat SPF “Fail” and “SoftFail” as it was originally intended and produce various false-positive results with bouncing legitimate emails. Thus this can be avoided with ~all.

Next Steps

Optimizing SPF records can be pretty challenging. Also, check our guide.

Also, check our SPF Raw Checker to validate your SPF Record prior to implementing it in your DNS.

SPF-Raw-Checker

FreshDesk SPF and DKIM Setup: Step by Step

FreshDesk SPF and DKIM Setup: Step by Step

FreshDesk is a cloud-based software providing help desk support with all smart automations to...

Read More
Your Guide to Data Breach Response

Your Guide to Data Breach Response

Data breaches have become more prominent in number and impact. That’s why a quick...

Read More
iOS 15 and Effects on Email Campaigns

iOS 15 and Effects on Email Campaigns

iOS 15 is the recent Apple operating system update that includes major changes for...

Read More
×