What are the considerations for using soft fail vs hard fail in SPF policies?

Summary

Choosing between SPF soft fail (~all) and hard fail (-all) policies requires careful consideration of deliverability and security trade-offs. Experts and documentation generally advise against hard fails, as they can override DMARC, cause legitimate emails to be rejected before DKIM/DMARC checks, and negatively impact deliverability. Soft fails, while more forgiving, can lead to inconsistent deliverability due to varying interpretations by receiving mail servers. It's widely recommended to use SPF in conjunction with DMARC, starting with a monitoring policy (p=none) to gather data and gradually increase enforcement. Understanding how receivers handle failing emails and ensuring that legitimate sources are included in the SPF record are also crucial.

Key findings

  • Hard Fail Risks: Hard fails can override DMARC, cause rejection of legitimate emails, and negatively impact deliverability.
  • Soft Fail Flexibility: Soft fails offer flexibility but can lead to inconsistent deliverability and potential spam placement.
  • DMARC Importance: DMARC is essential for managing SPF policies, handling negative assertions, and preventing unauthorized bulk emails.
  • Receiver Discretion: Receiving mail systems ultimately decide how to handle emails that fail SPF, but best practice is to let DMARC dictate.
  • Monitoring Recommended: Starting with a DMARC monitoring policy (p=none) is recommended to gather data and avoid unintended consequences.

Key considerations

  • DMARC Policy: Implement a DMARC policy to manage how receivers handle failing mail and prevent spoofing.
  • Policy Enforcement: Gradually increase enforcement based on DMARC data to minimize disruptions and false positives.
  • Legitimate Sources: Ensure legitimate email sources are included in the SPF record to avoid rejection.
  • Email Server Handling: Understand that receiving mail servers can handle soft and hard fails differently.
  • Deliverability Impact: Carefully assess the potential impact on deliverability when choosing between soft and hard fails.

What email marketers say
11 marketer opinions

When configuring SPF policies, the choice between soft fail (~all) and hard fail (-all) involves trade-offs between deliverability and security. Hard fails offer more explicit instructions to receiving servers, potentially preventing spoofing and phishing, but risk rejecting legitimate emails from sources not explicitly included in the SPF record. Soft fails are more forgiving, allowing for greater flexibility, but may result in inconsistent deliverability and potential placement in spam folders. It's generally recommended to use DMARC in conjunction with SPF to manage email authentication policies. Starting with a monitoring mode (p=none) and gradually increasing enforcement based on collected data helps prevent unintended consequences.

Key opinions

  • Hard Fail Risks: Hard fails can lead to rejection of legitimate emails and parsing issues.
  • Soft Fail Flexibility: Soft fails provide flexibility but can result in inconsistent deliverability.
  • DMARC Importance: DMARC is crucial for managing SPF policies effectively.
  • Monitoring Phase: Starting with DMARC monitoring mode is recommended to assess impact.
  • SPF Failure Impact: Both soft and hard SPF failures can negatively affect deliverability.

Key considerations

  • Deliverability Impact: Assess the potential impact on deliverability for both hard and soft fails.
  • Legitimate Sources: Ensure legitimate email sources are included in the SPF record to avoid rejection.
  • DMARC Integration: Implement DMARC to manage SPF policies and monitor authentication results.
  • Gradual Enforcement: Gradually increase SPF enforcement based on DMARC data to minimize disruptions.
  • Mail Server Behavior: Be aware that receiving mail servers handle soft fails and hard fails differently.
Marketer view

Email marketer from Reddit suggests setting up DMARC in monitoring mode (p=none) first to gather data before implementing a hard fail in SPF, to avoid unintended consequences with legitimate email sources.

May 2022 - Reddit
Marketer view

Email marketer from GlockApps explains that any SPF failure (soft or hard) can negatively impact deliverability, but hard fails are more likely to result in immediate rejection. Soft fails might land in spam.

June 2024 - GlockApps
Marketer view

Email marketer from DMARC Analyzer shares that using SPF with a hard fail (`-all`) and DMARC can help prevent spoofing and phishing attacks, but emphasizes the importance of monitoring DMARC reports to avoid false positives.

July 2023 - DMARC Analyzer
Marketer view

Email marketer from StackExchange explains that, generally speaking, a softfail is a warning while a hardfail is an instruction. The actual implementation is up to the receiving server.

November 2021 - StackExchange
Marketer view

Email marketer from MXToolbox explains that both softfail and hardfail can lead to deliverability problems, but softfail provides the receiving server with more flexibility.

July 2024 - MXToolbox
Marketer view

Email marketer from Mailhardener notes that hardfail gives receivers a clear instruction, but may cause legitimate emails from forwarders or services not in the SPF record to be rejected.

December 2023 - Mailhardener
Marketer view

Marketer from Email Geeks shares that hard fail runs the risk of rejection before the message content can be accepted and parsed for DKIM and DMARC checks.

December 2023 - Email Geeks
Marketer view

Email marketer from Mailhardener shares that softfail is more forgiving, although it can lead to inconsistent deliverability since the handling is left to the recipient server.

December 2021 - Mailhardener
Marketer view

Email marketer from Postmark recommends starting with a DMARC policy of `p=none` (monitoring mode) and gradually moving to `p=quarantine` and `p=reject` after carefully analyzing the DMARC reports. Doing this helps you understand the impact of your SPF and DKIM configurations before fully enforcing them.

September 2023 - Postmark
Marketer view

Email marketer from EasyDMARC mentions that SPF softfail should be used with caution, as the results are unpredictable and are dependent on the receiving mail server’s implementation. Hardfail is more direct, but could negatively impact legitimate emails.

June 2022 - EasyDMARC
Marketer view

Marketer from Email Geeks references RFC 7208 stating that there should be no rejection solely because of an SPF failure when the SPF record ends in ~all, because that is a softfail.

August 2023 - Email Geeks

What the experts say
6 expert opinions

Experts generally recommend using a soft fail (~all) over a hard fail (-all) in SPF policies. A hard fail can sometimes override DMARC and lead to legitimate emails being blocked. Soft fails allow receiving mail servers to handle messages as they see fit, aligning with SPF's advisory intent. DMARC is crucial for managing SPF policies and handling negative policy assertions, especially to prevent unauthorized bulk emails. It's important to consider how strictly you want receivers to treat failing mail, with hard fails instructing rejection and soft fails suggesting caution.

Key opinions

  • Soft Fail Preference: Experts recommend using soft fail (~all) over hard fail (-all).
  • Hard Fail DMARC Override: Hard fail can override DMARC settings, causing unintended blocking.
  • DMARC Importance: DMARC is essential for managing SPF and handling negative policy assertions.
  • SPF Advisory Nature: SPF was intended to be advisory, giving receivers discretion in handling mail.
  • Bulk Email Prevention: DMARC is a partial solution for preventing unauthorized bulk emails.

Key considerations

  • DMARC Policy: Implement a DMARC policy to manage how receivers handle failing mail.
  • Receiver Handling: Consider how strictly you want receivers to treat mail that fails SPF.
  • Policy Enforcement: Ensure proper DMARC setup to prevent blocking legitimate emails.
  • SPF Configuration: Configure SPF to work in conjunction with DMARC for optimal email authentication.
  • Unintended Consequences: Avoid hard fails that can override DMARC settings.
Expert view

Expert from Email Geeks explains that `-all` can sometimes override DMARC and cause blocking before DKIM is checked. He suggests `~all` is better as it passes the blocking question on to the DMARC policy.

August 2023 - Email Geeks
Expert view

Expert from Word to the Wise responds that the main consideration is how strictly you want receivers to treat mail that fails SPF. Using a hard fail (-all) tells receivers to reject the message, while a soft fail (~all) is a suggestion to treat the mail with caution. He recommends using DMARC policy to handle this.

July 2024 - Word to the Wise
Expert view

Expert from Email Geeks explains that using `~all` encourages mailbox providers to treat SPF records as intended. He adds that, with SPF and DKIM being positive assertions, negative policy assertions can be cleanly left in DMARC.

August 2024 - Email Geeks
Expert view

Expert from Email Geeks shares a blog post covering SPF `-all` or `~all`, updated for 2024.

January 2022 - Email Geeks
Expert view

Expert from Spam Resource shares that you should embrace the tilde (~all). This is because SPF was initially intended to be advisory, and in a perfect world we should allow receivers to handle mail as they best see fit.

September 2024 - Spam Resource
Expert view

Expert from Email Geeks responds that DMARC is the right partial solution to stop unauthorized bulk emails. But only partial, as any random salesweasel can buy spamware, plug in their google apps credentials and spam away, 100% authenticated.

September 2024 - Email Geeks

What the documentation says
5 technical articles

Official documentation outlines the fundamental differences between soft fail (~all) and hard fail (-all) SPF policies. Soft fail suggests the IP is unauthorized but allows acceptance, while hard fail strongly recommends rejection. While SPF implementation is crucial for preventing spoofing, choosing between soft and hard fail needs careful consideration as the ultimate decision lies with the receiving mail system. Introducing a softfail initially allows for a gradual rollout of SPF policies.

Key findings

  • Soft Fail Definition: Soft fail (~all) suggests IP is not authorized, but accepts the message.
  • Hard Fail Definition: Hard fail (-all) strongly recommends rejecting the message.
  • Implementation Importance: Proper SPF implementation is vital for preventing email spoofing.
  • Receiver Discretion: The receiving mail system ultimately decides how to handle failing emails.
  • Gradual Rollout: Soft fail allows for a more gradual introduction of SPF policies.

Key considerations

  • Enforcement Strength: Decide how strictly you want receivers to treat unauthorized IPs.
  • Receiver Interpretation: Understand that receiving mail systems may handle fails differently.
  • Policy Introduction: Consider a soft fail approach when initially implementing SPF.
  • Deliverability Impact: Assess the potential impact on deliverability based on policy choice.
  • Spoofing Prevention: Prioritize SPF setup to mitigate email spoofing risks.
Technical article

Documentation from GitHub explains that the practical differences between soft and hard fails are small, as handling is up to the individual mail system's discretion.

April 2024 - GitHub
Technical article

Documentation from ietf.org explains that a hard fail (using -all) indicates the mail server believes the IP address is not authorized, and the message should be rejected. This is a strong assertion.

October 2024 - ietf.org
Technical article

Documentation from Microsoft states that implementing SPF helps prevent spoofing and is an important part of email authentication setup. They don't explicitly recommend soft or hard fail, but emphasize proper configuration to avoid deliverability issues.

April 2024 - Microsoft
Technical article

Documentation from AuthSMTP advises using a softfail instead of hardfail, because it allows for a more gradual introduction of the SPF policy.

May 2021 - AuthSMTP
Technical article

Documentation from ietf.org explains that a softfail (using ~all) indicates that the mail server believes the IP address is not authorized, but is willing to accept the message. It is a weaker assertion than a hard fail.

October 2024 - ietf.org
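As an added illustration of the receiver-side mechanics described in the expert and documentation sections above (this is example code written for this page, not code from any of the quoted sources), the following Python model evaluates a record's `all` qualifier and then shows why `-all` can get a DKIM-signed forwarded message rejected before DMARC ever runs, while `~all` leaves the accept/reject decision to the DMARC policy. The SPF records, IP addresses and the "reject on hardfail at the envelope stage" receiver behaviour are constructed assumptions.

```python
import ipaddress

# Constructed sample records (assumed values, not records from the page): hard-fail vs soft-fail.
SPF_HARD = "v=spf1 ip4:192.0.2.0/24 -all"
SPF_SOFT = "v=spf1 ip4:192.0.2.0/24 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Minimal SPF evaluator: ip4 mechanisms and the 'all' terminator only (RFC 7208 subset)."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            if ip in ipaddress.ip_network(mech[4:], strict=False):
                return QUALIFIERS[qual]
        elif mech == "all":
            return QUALIFIERS[qual]         # the qualifier on 'all' decides the default result
    return "neutral"                        # no mechanism matched


def receiver_decision(record, client_ip, dkim_aligned_pass, dmarc_policy,
                      reject_on_spf_hardfail=True):
    """Model one receiver's pipeline (an assumed behaviour, not a standard).

    Some receivers reject SPF 'fail' at the SMTP envelope stage, before the body (and
    therefore the DKIM signature) has been received, so DMARC is never evaluated.
    Assumes the MAIL FROM domain is aligned with the From: domain, so SPF pass counts for DMARC.
    """
    spf = check_spf(record, client_ip)
    if spf == "fail" and reject_on_spf_hardfail:
        return "reject", "SPF hardfail rejected at envelope stage; DKIM/DMARC never evaluated"
    if spf == "pass" or dkim_aligned_pass:   # DMARC passes if either aligned identifier passes
        return "accept", f"DMARC pass (spf={spf}, dkim={dkim_aligned_pass})"
    action = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[dmarc_policy]
    return action, f"DMARC fail (spf={spf}, dkim={dkim_aligned_pass}) under p={dmarc_policy}"


if __name__ == "__main__":
    # Forwarded message from an IP outside the record whose DKIM signature survived forwarding
    for name, rec in (("-all", SPF_HARD), ("~all", SPF_SOFT)):
        print(name, "forwarded+DKIM:", receiver_decision(rec, "203.0.113.5", True, "reject"))
    # Spoofed message: unknown IP, no DKIM; with ~all the rejection still comes from p=reject
    print("~all spoof:", receiver_decision(SPF_SOFT, "203.0.113.5", False, "reject"))
```

Switching `reject_on_spf_hardfail` to `False` models a receiver that defers to DMARC even on `-all`, which is why the page's sources describe the outcome as receiver discretion.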