What do SPF all qualifiers mean and how should they be used?
Summary
What email marketers say (14 marketer opinions)
Email marketer from easydmarc.com shares that SPF is used to verify the authorized IP addresses that are permitted to send emails on behalf of your domain. The SPF record is published in your domain’s DNS zone.
Marketer from Email Geeks shares that, from the 2017 MAAWG, "90% of emails with SPF +all is marked as spam at Yandex".
Marketer from Email Geeks explains that `?all` in an SPF record means a failure should be treated as a neutral result, so not technically inactive but functionally similar for most receivers.
Email marketer from StackOverflow recommends that in a production environment, you should use either `~all` (softfail) or `-all` (hard fail) at the end of your SPF record. The choice depends on how strictly you want to enforce SPF.
Marketer from Email Geeks shares that some mailbox providers don't seem to like overly broad SPF records, and evaluate them differently to more restrictive ones. Only ever consider using a `?all` for genuine testing on a non-production domain.
Marketer from Email Geeks explains: `+all`: Pass, Allow all mail. `-all`: Fail, "Only allow mail that matches one of the parameters (IPv4, MX, etc) in the record." `~all`: Softfail, Allow mail whether or not it matches the parameters in the record. `?all`: Neutral, No policy statement.
Email marketer from wordtothewise.com recommends using `~all` as a general best practice. Most systems treat it similarly to `-all` but it can help avoid deliverability issues. They advise against `+all` as it effectively disables SPF.
Marketer from Email Geeks says that if you want any enforcement (if you want SPF to be used _at all_ by the receiver) you need to end with either `~all` or `-all`.
Email marketer from uriports.com shares that the SPF record's “all” mechanism determines how receiving mail servers should handle emails that fail SPF authentication. By correctly configuring the “all” mechanism with qualifiers, domain owners can align SPF with DMARC policies, thus enhancing email security and deliverability.
Email marketer from Spamhaus recommends that `+all` should never be used as it completely disables SPF protection. Both `~all` and `-all` offer varying levels of protection, with `-all` being the stricter option.
Email marketer from Cloudflare explains that a well-configured SPF record helps prevent spammers from forging emails that appear to come from your domain, improving email deliverability and protecting your brand's reputation.
Email marketer from Reddit explains that using `+all` is effectively the same as having no SPF record at all, as it allows any server to send emails on behalf of your domain. This is generally not recommended.
Email marketer from An Email Marketing Forum states that the common best practice is to start with `~all` and monitor email deliverability. If issues arise, consider changing to `-all` once you're confident your SPF record is comprehensive.
Email marketer from MXToolbox shares that you should use `-all` if you are certain that all legitimate email sources are included in your SPF record. Use `~all` if you want to allow for the possibility of legitimate emails coming from sources not listed in your SPF record, but still want the recipient to know that the email failed SPF.
What the experts say (9 expert opinions)
Expert from Word to the Wise responds to a question about testing SPF record changes. They state that if you aren't already using an SPF record, then make a guess and publish an SPF record, then pay attention to your DMARC reports for a few weeks to see what kind of changes are needed.
Expert from Email Geeks shares that `?` would be used in testing your SPF record; it doesn't really do much.
Expert from Email Geeks explains that `+` basically says "anyone can be me", and `?` says "I'm not sure this is right, so basically ignore it".
Expert from Email Geeks recommends a good rule of thumb is "use ~all". Almost everyone will treat that the same as "-all", but with less risk of mail being dropped.
Expert from Spam Resource states that using `+all` at the end of an SPF record effectively disables SPF filtering, as it tells receiving servers to accept mail from any source. This should only be used for testing and is strongly discouraged in production environments.
Expert from Email Geeks shares that `+all` is SPF speak for "I know what SPF is, and I'll have no truck with it".
Expert from Email Geeks shares that `?` is SPF speak for “I don’t know what I’m doing” and should never be in a real record.
Expert from Email Geeks mentions that `?all` and `+all` are never the right thing, unless you've read and understood the whole SPF RFC.
Expert from Word to the Wise explains that you should publish an SPF record as soon as you have a registered domain. The record should include the IP addresses, third parties, and ESPs who send mail on your behalf. They highly recommend ending your SPF record with `~all`, as it has the least chance of causing issues.
What the documentation says (4 technical articles)
Documentation from authsmtp.com explains +all (PASS) which allows all mail, -all (FAIL) which only allows mail that matches one of the parameters, ~all (SoftFail) which allows mail whether or not it matches the parameters, and ?all (Neutral) which gives no policy statement.
Documentation from dmarcian.com explains +all as explicitly allowing all hosts to send mail, which is usually incorrect and weakens SPF's security. -all means that only explicitly authorized sources should send email, which is stricter. ~all is a softfail, generally treated as a pass. ?all is neutral, indicating no assertion about whether the host is authorized.
Documentation from ietf.org explains that SPF qualifiers modify the meaning of a mechanism. '+' is pass, '-' is fail, '~' is softfail, and '?' is neutral. If no qualifier is specified, '+' is assumed.
Documentation from Microsoft Learn highlights that Sender Policy Framework (SPF) is a DNS record that lists all authorized IP addresses for a given domain. Email servers use this record to verify that incoming messages from your domain come from an authorized IP address. If a message doesn't come from an authorized IP address, the server can reject it.
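To make the qualifier semantics above concrete, here is an added example (not code from any of the quoted sources) that evaluates a sender IP against a record's `ip4`/`ip6` mechanisms and its `all` qualifier, and flags the `+all`/`?all` endings the sources warn against. It only understands `ip4`, `ip6` and `all`; `include`, `a` and `mx` need DNS lookups and are skipped. The records and addresses are constructed samples from the RFC 5737/3849 documentation ranges.

```python
import ipaddress

# Qualifier -> SPF result (RFC 7208 section 4.6.2); a missing qualifier means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                      # default when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # "ip4:192.0.2.0/24" -> ("ip4", "192.0.2.0/24")
        terms.append((qualifier, name.lower(), arg))
    return terms


def check_sender(record, sender_ip):
    """Return the SPF result for sender_ip: the first matching mechanism wins."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "all":                    # catch-all: this is where the ending matters
            return QUALIFIERS[qualifier]
        # include/a/mx/exists would need DNS; skipped in this offline example
    return "neutral"                         # no 'all' and nothing matched (RFC 7208 default)


def lint_all(record):
    """Return a warning string for risky 'all' endings, or None when the record is fine."""
    for qualifier, name, _ in parse_spf(record):
        if name == "all":
            if qualifier == "+":
                return "+all authorizes every host: SPF is effectively disabled"
            if qualifier == "?":
                return "?all yields neutral for everyone: no enforcement, test use only"
            return None                      # -all or ~all
    return "no 'all' mechanism: unlisted senders get neutral, not fail"


if __name__ == "__main__":
    for ending in ("-all", "~all", "?all", "+all"):
        rec = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 " + ending   # constructed sample
        print(ending, check_sender(rec, "192.0.2.10"),
              check_sender(rec, "198.51.100.5"), lint_all(rec))
```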