Should I use ~all or -all in my SPF record?
Summary
What email marketers say (8 marketer opinions)
Email marketer from Mailhardener shares that using '-all' can potentially cause issues with legitimate email if SPF is not perfectly configured. '~all' is more forgiving but might result in more spam reaching inboxes if DMARC is not in place. They recommend proper testing and monitoring when implementing SPF.
Email marketer from StackOverflow answers that '~all' provides a safety net, allowing for potential misconfigurations without immediately blocking legitimate emails, while '-all' is stricter and ensures that only authorized sources are accepted. Recommends starting with '~all' and transitioning to '-all' once confident in the SPF setup.
Email marketer from EasyDMARC explains that '-all' is a hard fail, telling receiving servers to reject emails that don't pass SPF. '~all' is a soft fail, telling receiving servers to accept the email but mark it, usually as spam. They suggest considering DMARC implementation, as it can override SPF results.
Email marketer from MXToolbox explains that '~all' (Soft Fail) is a more lenient setting for your SPF record. If the receiving server sees an email from your domain that fails SPF, it will still accept the message. The server may mark it as spam or junk. '-all' (Hard Fail) option gives a clear directive: reject emails from sources not listed in the SPF record. This offers a more secure and explicit declaration of your authorized sending sources.
Email marketer from EmailonAcid shares the importance of making sure your SPF record is set up correctly. If you have a DMARC record that tells email providers to reject email that doesn't authenticate, it doesn't matter which option you use for your SPF record. If you don't have DMARC, they say to use -all.
Email marketer from Email Geeks shares that they favor ~ALL (softfail) because they’ve seen some email hosts (web hosting services in particular) that abruptly start honoring -ALL (hardfail) which can make legit mail fail if everything isn’t squared away.
Email marketer from Reddit suggests that in modern email setups with DMARC, the choice between '~all' and '-all' is less critical. If DMARC is properly implemented with a policy of 'reject', the DMARC policy will handle SPF failures. Therefore, focus should be on ensuring DMARC is correctly configured.
Email marketer from AuthSMTP explains that -all will hard fail, with the intent that the email should be rejected, whilst ~all is a 'soft fail', meaning that the email should be accepted but may be flagged in some way, for example it may be sent to the recipient's spam folder. -all is recommended.
What the experts say (5 expert opinions)
Expert from Word to the Wise explains that SPF prevents forgery of the envelope sender address, which is used for bounce processing. It does not prevent display name spoofing, content spoofing, or reply-to spoofing. She concludes that SPF is a piece of the puzzle, but not the whole answer.
Expert from Email Geeks explains that SPF does not prevent spoofed emails and publishing SPF records is now a best practice.
Expert from Email Geeks explains that if DMARC p=reject is implemented, ~all is probably the way to go. If not, then it’s a more complex discussion, but they still vote for -all.
Expert from Spam Resource explains that if you have implemented DMARC p=reject, ~all is probably the way to go. If not, then it’s a more complex discussion, but they still vote for -all.
Expert from Email Geeks responds that it doesn’t really matter whether to use “~all” or “-all” in an SPF record and tends to recommend ~all out of habit.
What the documentation says (4 technical articles)
Documentation from Google Workspace Admin Help explains that -all (Fail) indicates that emails from a domain that do not match the SPF record should be rejected. ~all (Softfail) indicates that emails from a domain that do not match the SPF record should be accepted but marked.
Documentation from RFC 7208 defines the 'all' mechanism in SPF records. It explains that 'all' always matches and can be qualified with '+', '-', '~', or '?' to specify the desired result. '-all' results in a 'fail' result, while '~all' results in a 'softfail' result. This document highlights the technical specifications of the 'all' mechanism.
Documentation from Microsoft explains that a hard fail in SPF records (-all) instructs recipient servers to reject messages that fail SPF authentication. This indicates the domain owner has explicitly stated that the server is not authorized to send emails on behalf of the domain. A soft fail (~all) instructs recipient servers to accept messages that fail SPF authentication but mark or treat them as suspicious. This provides a more lenient approach, allowing for potential misconfigurations or legitimate senders not yet included in the SPF record. They also state that DMARC can use SPF results as part of its authentication checks.
Documentation from DMARC.org explains that the practical difference between ~all and -all has diminished with the adoption of DMARC. With DMARC properly configured, the DMARC policy dictates the handling of SPF failures, making the choice less critical. It recommends ensuring DMARC is implemented correctly.
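The qualifier-to-result mapping from RFC 7208 and the DMARC interaction described above can be checked mechanically. The following is an added example, not code from any of the sources quoted on this page; the function names are hypothetical and the records are constructed samples for the placeholder domain example.com.

```python
import re

# RFC 7208 qualifiers and the result each yields when its mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def all_result(spf_record):
    """Result of the record's 'all' mechanism, or None if it has none."""
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            # A missing qualifier defaults to '+', so a bare 'all' is a pass.
            return QUALIFIER_RESULT[m.group(1) or "+"]
    return None

def dmarc_policy(dmarc_record):
    """Value of the p= tag of a DMARC record, or None if absent."""
    tags = {}
    for part in dmarc_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags.get("p", "").lower() or None

def assess(spf_record, dmarc_record=None):
    """Combine both records into the handling the sources describe."""
    result = all_result(spf_record)
    policy = dmarc_policy(dmarc_record) if dmarc_record else None
    if result not in ("fail", "softfail"):
        note = "unlisted senders are not failed; end the record with ~all or -all"
    elif policy == "reject":
        note = "DMARC p=reject dictates handling; ~all vs -all is less critical"
    elif result == "softfail":
        note = "unlisted senders are accepted but may be marked as spam"
    else:
        note = "unlisted senders should be rejected; list every legitimate source"
    return {"all": result, "dmarc": policy, "note": note}

# Constructed sample records (example.com is a placeholder domain).
SPF = "v=spf1 include:_spf.example.com ip4:192.0.2.10 ~all"
DMARC = "v=DMARC1; p=reject; rua=mailto:reports@example.com"

if __name__ == "__main__":
    print(assess(SPF, DMARC))
```

The parser only inspects the published record text; it does not perform DNS lookups or follow `include:` and `redirect=` terms.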