Should I use SPF hardfail or softfail with DMARC?

Summary

Most email marketers, experts, and some documentation sources recommend using softfail (~all) with DMARC to avoid deliverability issues caused by hardfail (-all). Hardfail can lead to legitimate emails being rejected, especially when forwarding is involved or when some mail providers perform early SPF checks. Softfail allows DMARC to make the final decision. However, Microsoft documentation suggests using hardfail and considers softfail not to be a best practice, creating conflicting advice.

Key findings

  • Softfail Preference: A majority of sources recommend softfail (~all) with DMARC.
  • Hardfail Issues: Hardfail (-all) can cause legitimate emails to be rejected due to forwarding and early SPF checks.
  • DMARC's Role: Softfail allows DMARC to decide how to handle emails, improving deliverability.
  • Microsoft's Stance: Microsoft recommends using hardfail and considers softfail not to be a best practice, conflicting with other recommendations.
  • SPF vs DMARC: SPF fail results are not equivalent to DMARC fail results; therefore, using softfail allows DMARC to manage emails appropriately.
  • Obsolete Hardfail: Multiple experts state that SPF `-all` is obsolete with DMARC.

Key considerations

  • Forwarding: Consider how forwarding affects SPF checks, as hardfail can reject forwarded emails.
  • Provider Behavior: Be aware of mail providers that reject emails based on SPF hardfail before DMARC evaluation.
  • Conflicting Advice: Conflicting advice exists, requiring careful consideration of domain-specific needs.
  • Risk Tolerance: Evaluate your risk tolerance for potentially rejecting legitimate emails due to hardfail.
  • DMARC Policy Alignment: Ensure your choice aligns with your overall DMARC policy.

What email marketers say
12 marketer opinions

The consensus among email marketers and experts is that softfail (~all) is generally preferred over hardfail (-all) when using SPF with DMARC. Hardfail can cause legitimate emails to be rejected, especially due to forwarding issues or early SPF failures by some providers before DMARC evaluation. While hardfail is stricter, it can lead to unintended deliverability problems. Softfail allows DMARC to make the final decision, providing a safer approach to email authentication. However, Microsoft documentation recommends using hardfail.

Key opinions

  • Softfail Preference: Most sources recommend using softfail (~all) with DMARC to avoid rejecting legitimate emails.
  • Hardfail Issues: Hardfail (-all) can cause deliverability problems due to forwarding and early SPF checks.
  • DMARC's Role: Softfail allows DMARC to make the final decision on email handling, improving deliverability.
  • Hardfail is Obsolete: SPF `-all` is obsolete in the world of DMARC; use `~all` outside of rare cases.

Key considerations

  • Forwarding: Consider how forwarding might affect SPF checks, as hardfail can cause forwarded emails to be rejected.
  • Provider Behavior: Be aware that some mail providers might reject emails based on SPF hardfail before even checking DMARC.
  • Platform Support: Check whether your email marketing platform fully supports SPF and DMARC configurations.
  • Microsoft Recommendation: Microsoft recommends using hardfail. Consider your deliverability needs.
Marketer view

Email marketer from Mailhardener responds that using a hardfail (-all) is more strict, and instructs the receiver to reject the email if it fails the SPF check. Softfail (~all) is less strict, and instructs the receiver to accept the email but mark it as suspicious. Softfail is generally preferred in conjunction with DMARC, as it provides the DMARC mechanism the opportunity to make the final decision.

June 2024 - Mailhardener
Marketer view

Marketer from Email Geeks explains that if you were evaluating only SPF, and DMARC wasn't even a thing, the `-all` would likely be better. But some MBPs will reject as soon as they see a failed `-all`, and never even get to DKIM/DMARC, though some of those providers are now making an effort to stop acting in such a way.

November 2023 - Email Geeks
Marketer view

Marketer from Email Geeks explains that if you want to give both SPF and DKIM a chance to contribute to a DMARC pass, don’t use -all in SPF.

April 2021 - Email Geeks
Marketer view

Marketer from Email Geeks confirms anecdotally that they had two clients who were told to use hardfail for security reasons and were seeing problems in DMARC reports. This is an issue because a lot of email marketing platforms don't support SPF anymore.

September 2022 - Email Geeks
Marketer view

Email marketer from Reddit shares that you should use softfail (~all) because some providers will reject mail as soon as they see `-all` and never even get to DKIM/DMARC.

June 2023 - Reddit
Marketer view

Email marketer from Word to the Wise responds that SPF `-all` is obsolete in the world of DMARC and to use `~all` outside of rare cases.

May 2022 - Word to the Wise
Marketer view

Email marketer from EasyDMARC responds that SPF can have three different results: Pass, Neutral and Fail. If you want to fail emails that don't match your SPF records, then you will need to use hard fail. However, EasyDMARC does not recommend doing that, because you might be losing emails. Start with soft fail, then work your way up.

July 2021 - EasyDMARC
Marketer view

Email marketer from Reddit recommends using `~all` (softfail) unless you are absolutely certain that every email you send will pass the SPF check, to ensure that legitimate emails are not rejected.

March 2022 - Reddit
Marketer view

Marketer from Email Geeks recommends soft fail because some MTAs will evaluate SPF hard fail and bounce the message even if it's fully DMARC compliant with DKIM.

September 2022 - Email Geeks
Marketer view

Email marketer from StackExchange shares that using `-all` (hard fail) can cause issues with legitimate emails being rejected, especially when forwarding is involved. Softfail (`~all`) is generally recommended for better compatibility and deliverability when using DMARC.

June 2021 - StackExchange
Marketer view

Email marketer from Superuser explains that you should use softfail. If you use hard fail, then that means that there are possibly legitimate emails that are rejected. This is more apparent when you have forwarded emails.

September 2021 - Superuser
Marketer view

Email marketer from EmailSecurity.org explains that a hard fail (`-all`) tells the receiving server that if an email fails the SPF check, it should be rejected. A soft fail (`~all`) tells the server that the email should be accepted but marked as suspicious. When combined with DMARC, soft fail is usually the safer option to avoid unintentionally blocking legitimate emails.

December 2023 - EmailSecurity.org

What the experts say
2 expert opinions

Experts from both Email Geeks and Word to the Wise agree that using `-all` (hardfail) in SPF records is outdated in environments where DMARC is implemented. They recommend using `~all` (softfail) instead.

Key opinions

  • Hardfail Obsolete: The consensus is that hardfail (`-all`) is no longer the recommended practice when DMARC is in use.
  • Softfail Recommendation: Both sources suggest using softfail (`~all`) as the appropriate setting for SPF records with DMARC.

Key considerations

  • DMARC Reliance: The advice is given in the context of using DMARC, which handles policy enforcement based on SPF and DKIM results.
  • Rare Exceptions: The recommendation to use softfail includes the caveat 'outside of rare cases,' implying there might be specific scenarios where hardfail could still be considered.
Expert view

Expert from Word to the Wise responds that SPF `-all` is obsolete in the world of DMARC and to use `~all` outside of rare cases.

June 2023 - Word to the Wise
Expert view

Expert from Email Geeks states that `-all` is obsolete in the world of DMARC and to use `~all` outside of rare cases.

June 2021 - Email Geeks

What the documentation says
4 technical articles

The documentation sources provide mixed guidance on using SPF hardfail or softfail with DMARC. DMARC.org recommends using `?all` or `~all` because SPF fail results are not equivalent to DMARC fail results. RFC7208 clarifies the technical difference between hardfail and softfail, where hardfail means rejection and softfail means marking as suspicious for DMARC's consideration. AuthSMTP recommends softfail to avoid incorrectly flagging legitimate emails. However, Microsoft suggests using hardfail and that softfail is not a best practice, creating conflicting advice among documentation sources.

Key findings

  • SPF vs DMARC Fails: DMARC.org highlights that SPF 'fail' results should not be treated the same as DMARC 'fail' results.
  • Hardfail Definition: RFC7208 states that hardfail (-all) instructs receiving servers to reject emails failing the SPF check.
  • Softfail Definition: RFC7208 states that softfail (~all) instructs receiving servers to accept emails but mark them as suspicious, allowing DMARC to decide.
  • AuthSMTP Recommendation: AuthSMTP recommends using softfail to prevent legitimate emails from being incorrectly affected by SPF validation errors.
  • Microsoft Recommendation: Microsoft advises using hardfail and considers softfail not to be a best practice.

Key considerations

  • Conflicting Guidance: There is conflicting advice, with some sources recommending softfail for better compatibility and others suggesting hardfail for stricter security.
  • DMARC Policy: The choice between hardfail and softfail depends on the desired DMARC policy and how aggressively you want to filter potentially unauthenticated emails.
  • False Positives: Using hardfail increases the risk of false positives, where legitimate emails are incorrectly rejected.
  • Specific Needs: The best practice depends on the specific domain and sending infrastructure configuration. Evaluate sending volume, how many legitimate messages might be flagged, and your tolerance for legitimate mail being rejected.
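To make the distinction between an SPF result and a DMARC result concrete (the point made in the summary above and in the DMARC.org and RFC7208 findings), here is an added example, written for this page and not taken from any of the sources quoted. It implements a toy SPF evaluator (ip4/ip6/all mechanisms only), a DMARC-style decision that counts only an aligned `pass` from SPF or DKIM, and two simulated receivers: one that rejects at SMTP time on SPF hardfail before DKIM or DMARC are looked at, and one that lets DMARC decide. All records, IP addresses, domains and the DKIM outcomes are constructed for illustration; the organizational-domain check is a deliberate simplification of relaxed alignment.

```python
import ipaddress

# SPF qualifier -> result returned when the mechanism it prefixes matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate a simplified SPF record against the connecting IP.

    Only ip4/ip6/all mechanisms with optional qualifiers are supported (no
    include, redirect, a, mx or exists), which is enough to show the
    difference between "-all" and "~all".
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIER_RESULT[qualifier]
        mech, _, arg = term.partition(":")
        if mech.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
    return "neutral"  # nothing matched and the record has no "all" term


def org_domain(domain):
    """Crude organizational-domain approximation (last two labels).
    A real implementation consults the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_verdict(policy, from_domain, spf_result, spf_domain,
                  dkim_result, dkim_domain):
    """DMARC needs at least one aligned "pass". Any other SPF result (fail,
    softfail, neutral, ...) contributes nothing, so hardfail and softfail
    look identical from DMARC's point of view.
    Returns ("pass", "none") or ("fail", <requested policy>)."""
    spf_ok = spf_result == "pass" and org_domain(spf_domain) == org_domain(from_domain)
    dkim_ok = dkim_result == "pass" and org_domain(dkim_domain) == org_domain(from_domain)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", policy)


def receive(spf_record, dmarc_policy, msg, early_spf_reject):
    """Simulate the two receiver behaviours described on the page.

    early_spf_reject=True rejects at SMTP time on an SPF hardfail before DKIM
    or DMARC are considered; False lets DMARC make the final decision.
    """
    spf = evaluate_spf(spf_record, msg["sender_ip"])
    if early_spf_reject and spf == "fail":
        return {"spf": spf, "dmarc": "not evaluated", "action": "reject"}
    verdict, disposition = dmarc_verdict(
        dmarc_policy, msg["from_domain"], spf, msg["mail_from_domain"],
        msg["dkim_result"], msg["dkim_domain"])
    action = "deliver" if disposition == "none" else disposition
    return {"spf": spf, "dmarc": verdict, "action": action}


# Constructed sample data: the domain authorises one /24 and publishes p=reject.
HARDFAIL_RECORD = "v=spf1 ip4:203.0.113.0/24 -all"
SOFTFAIL_RECORD = "v=spf1 ip4:203.0.113.0/24 ~all"
POLICY = "reject"

# A legitimate, DKIM-signed message that went through a forwarder, so it
# arrives from an IP the SPF record does not list (constructed).
FORWARDED = {"sender_ip": "198.51.100.7", "mail_from_domain": "example.com",
             "from_domain": "example.com", "dkim_result": "pass",
             "dkim_domain": "example.com"}
# A spoofed message from an unknown IP with no DKIM signature (constructed).
SPOOFED = {"sender_ip": "192.0.2.99", "mail_from_domain": "example.com",
           "from_domain": "example.com", "dkim_result": "none",
           "dkim_domain": ""}


if __name__ == "__main__":
    for name, record in (("-all", HARDFAIL_RECORD), ("~all", SOFTFAIL_RECORD)):
        for early in (True, False):
            receiver = "early-SPF-reject receiver" if early else "DMARC receiver"
            print(f"{name} / {receiver}: forwarded ->",
                  receive(record, POLICY, FORWARDED, early)["action"],
                  "| spoofed ->", receive(record, POLICY, SPOOFED, early)["action"])
```

Running the script shows the trade-off the page describes: with `-all`, the early-rejecting receiver bounces the legitimately forwarded message without ever seeing its valid DKIM signature, while with `~all` both receiver types deliver it because DMARC passes on aligned DKIM. The spoofed message is rejected under both records, since SPF softfail and SPF fail are equally "not pass" to DMARC and the `p=reject` policy is applied either way.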
Technical article

Documentation from AuthSMTP explains that 'Soft Fail' is generally recommended rather than the more aggressive 'Fail' to avoid genuine mail being affected by SPF validation errors. 'Soft Fail' instructs receiving servers to accept the email but mark it as possibly originating from an unauthorized source.

July 2023 - AuthSMTP
Technical article

Documentation from Microsoft responds that a hard fail means that mail servers that receive messages from your domain that fail the SPF check should reject them. It goes on to say that soft fail is not a best practice, so it should not be used.

February 2024 - Microsoft
Technical article

Documentation from DMARC.org shares that SPF `fail` results are not equivalent to DMARC `fail` results. Because of this, using `?all` or `~all` is recommended.

October 2022 - DMARC.org
Technical article

Documentation from RFC Editor (RFC7208) explains that the "-all" mechanism indicates a hard fail, meaning the email should be rejected if it doesn't match the SPF record. The "~all" mechanism indicates a soft fail, meaning the email should be accepted but marked as suspicious. DMARC policies can then use this information to decide how to handle the email, often quarantining it.

November 2024 - RFC Editor