SPF ~all vs -all: Soft Fail vs Hard Fail

By Kalenfy · Updated 27 June 2026 · 5 min read

TL;DR: The bit at the end of your SPF record decides what happens to mail from servers not on your list. -all is a hard fail ("reject it"); ~all is a soft fail ("accept but mark suspicious"). For most domains the right answer is -all, paired with an enforced DMARC policy.

What the qualifier means

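| Ending | Name      | What receivers do                                                |
|--------|-----------|------------------------------------------------------------------|
| -all   | Hard fail | Treat unlisted senders as a failure — typically reject or junk   |
| ~all   | Soft fail | Accept, but mark as suspicious / likely-spam                     |
| ?all   | Neutral   | No opinion — effectively no protection                           |
| +all   | Pass all  | Never use — authorises the whole internet to send as you         |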

Which should you use?

Use -all once you're confident every legitimate sender is included in your SPF record: it's the strict, correct setting. ~all is a safer starting point while you're still confirming your senders, because it won't hard-bounce mail if you missed one. But if you stay on ~all forever, you're weaker than you think: a spoofed message may still slip through as "suspicious" rather than rejected.

The nuance: with DMARC at enforcement, the SPF qualifier matters less, because DMARC makes the final block decision. The strongest setup is -all and DMARC p=reject.

The common mistake

Many domains sit on ~all with DMARC at p=none — and assume they're protected. They're not: soft fail plus monitor-only means nothing actually blocks a forgery. Tighten one or both.
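
The check described above, as an added example that is not part of the original article: it parses SPF and DMARC TXT strings offline, reports the qualifier on the all mechanism, and flags the ~all plus p=none pairing. The function names, the sample record, and treating p=quarantine as enforcement are assumptions made here; the lookup count covers only the record's own terms, not lookups inside included records.

```python
# Added example, not the article's code. Sample records are constructed.
QUALIFIERS = {"-": "hard fail", "~": "soft fail", "?": "neutral", "+": "pass all"}
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")  # each costs one DNS lookup

def parse_spf(record):
    """Return (qualifier of the `all` mechanism or None, top-level lookup count)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    qualifier, lookups, redirect = None, 0, False
    for term in terms[1:]:
        q, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name = body.replace("=", ":").replace("/", ":").split(":")[0].lower()
        if name == "all":
            qualifier = q
            break  # mechanisms after `all` are never evaluated
        if name == "redirect":
            redirect = True
        elif name in LOOKUP_MECHS:
            lookups += 1
    if qualifier is None and redirect:
        lookups += 1  # redirect is ignored when `all` is present
    return qualifier, lookups

def dmarc_policy(record):
    """Return the p= tag of a DMARC record in lower case, or None."""
    pairs = (part.partition("=") for part in (record or "").split(";"))
    tags = {k.strip().lower(): v.strip().lower() for k, _, v in pairs if k.strip()}
    return tags.get("p") if tags.get("v") == "dmarc1" else None

def assess(spf, dmarc=None):
    """Return findings for an SPF/DMARC pair; an empty list means -all plus enforcement."""
    qualifier, lookups = parse_spf(spf)
    enforced = dmarc_policy(dmarc) in ("quarantine", "reject")  # assumed meaning of "enforcement"
    findings = []
    if qualifier in (None, "?", "+"):
        findings.append("no restrictive all in this record (absent, ?all or +all)")
    elif qualifier == "~":
        findings.append("soft fail: receivers accept unlisted senders as suspicious")
    if not enforced:
        findings.append("DMARC not at enforcement")
    if qualifier == "~" and not enforced:
        findings.append("common mistake: nothing actually blocks a forgery")
    if lookups > 10:
        findings.append("more than 10 DNS lookups at top level")
    return findings

if __name__ == "__main__":
    print(assess("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none"))
```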

FAQ

Will -all block my real email?

Only if a legitimate sender isn't in your SPF record. List every sending service first (and watch the 10-lookup limit), then switch to -all.

Is ~all ever the right choice?

As a temporary, safer default while you verify senders, yes. As a permanent setting, prefer -all with enforced DMARC.

What does ?all do?

Neutral — it expresses no policy and gives you essentially no SPF protection. Avoid it.
