What do SPF all qualifiers mean and how should they be used?

Summary

SPF 'all' qualifiers (+all, -all, ~all, ?all) dictate how receiving mail servers handle emails that fail SPF authentication. +all allows all mail (disabling SPF) and is generally discouraged. -all is a hard fail, allowing only explicitly authorized sources. ~all is a soft fail, generally treated as a pass while still allowing reporting. ?all is neutral (no assertion). The documentation clarifies that a qualifier modifies the meaning of the mechanism it precedes: pass, fail, softfail, or neutral. Best practices advise publishing an SPF record upon domain registration, including all sending sources, and monitoring DMARC reports. ~all is often preferred initially, with -all possible later once you are confident the SPF record is accurate. SPF records verify the authorized IP addresses for a domain, aiding email deliverability and security. Using `?all` signifies uncertainty and should be avoided in production.

Key findings

  • +all disables SPF and poses a risk: +all effectively disables SPF, making it dangerous to use. Some mail providers may mark these as spam.
  • ~all is the most recommended starting point: ~all is the most commonly recommended starting point, providing better compatibility.
  • -all enforces strict security: -all provides strict security, which can be beneficial, but requires a comprehensive SPF record.
  • ?all is not for live records: ?all indicates uncertainty and isn't appropriate for live SPF records; mostly for testing.
  • SPF helps prevent spoofing and spam: SPF helps prevent spammers from forging emails from your domain.
  • SPF record creation: Create the SPF record as soon as you register your domain.
  • Monitoring DMARC reports: Monitor DMARC reports for email delivery issues and use them to fine-tune the SPF record.

Key considerations

  • Inclusion of all sending sources: Ensure all legitimate sending sources are included in the SPF record.
  • Transitioning to -all: Transition to -all carefully, after confirming that the SPF record is correct.
  • Regular SPF testing: Regularly test your SPF record for issues.
  • SPF record accuracy: Maintaining an accurate and up-to-date SPF record is essential.

What email marketers say
14 marketer opinions

SPF all qualifiers (+all, -all, ~all, ?all) dictate how receiving mail servers handle emails that fail SPF authentication. +all allows all mail, effectively disabling SPF. -all is a hard fail, allowing only explicitly authorized sources. ~all is a soft fail, treated as a pass by many systems but allows for reporting. ?all is neutral, offering no assertion. Best practices generally advise against +all, recommend starting with ~all for monitoring, and potentially moving to -all when confident in SPF record accuracy. A well-configured SPF, aligned with DMARC, enhances email security and deliverability.

Key opinions

  • +all is dangerous: Using +all effectively disables SPF, as it allows any server to send emails on behalf of your domain.
  • ~all is a good starting point: The recommended best practice is to start with ~all for initial configuration and monitoring.
  • -all is stricter: -all provides stricter enforcement but requires accurate SPF records to avoid unintentionally blocking legitimate email.
  • SPF impacts deliverability: A well-configured SPF record improves email deliverability and helps prevent spam.
  • Mailbox providers treat SPF records differently: Some mailbox providers evaluate overly broad SPF records with +all differently, marking them as spam.
  • SPF aligns with DMARC: Correctly configured SPF aligns with DMARC policies, enhancing email security and deliverability.
  • SPF is for authorization: SPF verifies authorized IP addresses to prevent unauthorized sources from sending emails on behalf of the domain.

Key considerations

  • Record accuracy: Ensure your SPF record accurately includes all legitimate sending sources to avoid deliverability issues with stricter policies.
  • Monitoring: Regularly monitor DMARC reports to identify any needed adjustments to your SPF record.
  • Testing: Use testing and monitoring to transition from ~all to -all safely.
  • DMARC alignment: Aligning SPF with DMARC is crucial for robust email security.
  • Provider-specific handling: Be aware that different mailbox providers may interpret SPF records differently.

Marketer view

Email marketer from easydmarc.com shares that SPF is used to verify the authorized IP addresses that are permitted to send emails on behalf of your domain. The SPF record is published in your domain’s DNS zone.

September 2024 - easydmarc.com
Marketer view

Marketer from Email Geeks shares that, from the 2017 MAAWG, "90% of emails with SPF +all is marked as spam at Yandex".

January 2023 - Email Geeks
Marketer view

Marketer from Email Geeks explains that `?all` in an SPF record means a failure should be treated as a neutral result, so not technically inactive but functionally similar for most receivers.

September 2023 - Email Geeks
Marketer view

Email marketer from StackOverflow recommends that in a production environment, you should use either `~all` (softfail) or `-all` (hard fail) at the end of your SPF record. The choice depends on how strictly you want to enforce SPF.

April 2023 - StackOverflow
Marketer view

Marketer from Email Geeks shares that some mailbox providers don't seem to like overly broad SPF records, and evaluate them differently to more restrictive ones. Only ever consider using a `?all` for genuine testing on a non-production domain.

August 2023 - Email Geeks
Marketer view

Marketer from Email Geeks explains: `+all`: Pass, Allow all mail. `-all`: Fail, "Only allow mail that matches one of the parameters (IPv4, MX, etc) in the record." `~all`: Softfail, Allow mail whether or not it matches the parameters in the record. `?all`: Neutral, No policy statement.

July 2023 - Email Geeks
Marketer view

Email marketer from wordtothewise.com recommends using ~all as a general best practice. Most systems treat it similarly to -all but can help avoid deliverability issues. They advise against +all as it effectively disables SPF.

July 2024 - wordtothewise.com
Marketer view

Marketer from Email Geeks says that if you want any enforcement (if you want SPF to be used _at all_ by the receiver) you need to end with either `~all` or `-all`.

December 2023 - Email Geeks
Marketer view

Email marketer from uriports.com shares that the SPF record's “all” mechanism determines how receiving mail servers should handle emails that fail SPF authentication. By correctly configuring the “all” mechanism with qualifiers, domain owners can align SPF with DMARC policies, thus enhancing email security and deliverability.

April 2024 - uriports.com
Marketer view

Email marketer from Spamhaus recommends that `+all` should never be used as it completely disables SPF protection. Both `~all` and `-all` offer varying levels of protection, with `-all` being the stricter option.

February 2024 - Spamhaus
Marketer view

Email marketer from Cloudflare explains that a well-configured SPF record helps prevent spammers from forging emails that appear to come from your domain, improving email deliverability and protecting your brand's reputation.

November 2021 - Cloudflare
Marketer view

Email marketer from Reddit explains that using `+all` is effectively the same as having no SPF record at all, as it allows any server to send emails on behalf of your domain. This is generally not recommended.

August 2023 - Reddit
Marketer view

Email marketer from An Email Marketing Forum states that the common best practice is to start with `~all` and monitor email deliverability. If issues arise, consider changing to `-all` once you're confident your SPF record is comprehensive.

February 2025 - An Email Marketing Forum
Marketer view

Email marketer from MXToolbox shares that you should use `-all` if you are certain that all legitimate email sources are included in your SPF record. Use `~all` if you want to allow for the possibility of legitimate emails coming from sources not listed in your SPF record, but still want the recipient to know that the email failed SPF.

January 2023 - mxtoolbox.com

What the experts say
9 expert opinions

SPF 'all' qualifiers determine how mail servers handle SPF authentication failures. +all allows any server to send mail (effectively disabling SPF). ?all indicates uncertainty and is not recommended for production. ~all (softfail) is generally preferred for its compatibility and reduced risk of mail being dropped. -all (hard fail) provides stricter enforcement. Experts recommend publishing an SPF record early, including all sending sources, and monitoring DMARC reports to refine the configuration. +all is only suitable for testing.

Key opinions

  • +all disables SPF: +all allows any server to send mail and negates SPF protection.
  • ?all is not for production: ?all signifies a lack of understanding and should not be used in live SPF records.
  • ~all is recommended: ~all offers good compatibility with lower risks, making it a common recommendation.
  • -all offers stricter enforcement: -all enforces SPF strictly, potentially dropping mail if not properly configured.
  • Early SPF records are beneficial: Publishing an SPF record as soon as a domain is registered is encouraged.

Key considerations

  • Source inclusion: Ensure all legitimate sending sources are included in your SPF record.
  • DMARC monitoring: Regular DMARC monitoring helps identify necessary SPF adjustments.
  • Testing SPF changes: Test SPF changes carefully, and monitor the impact using DMARC reports.
  • Record accuracy: Ensure that the SPF record is as accurate as possible.

Expert view

Expert from Word to the Wise responds to a question about testing SPF record changes. They state that if you aren't already using an SPF record, then make a guess and publish an SPF record, then pay attention to your DMARC reports for a few weeks to see what kind of changes are needed.

August 2021 - Word to the Wise
Expert view

Expert from Email Geeks shares that `?` would be used in testing your SPF record, doesn't really do much.

January 2025 - Email Geeks
Expert view

Expert from Email Geeks explains that `+` basically says anyone can be me, `?` says I'm not sure this is right so basically ignore it.

April 2023 - Email Geeks
Expert view

Expert from Email Geeks recommends a good rule of thumb is "use ~all". Almost everyone will treat that the same as "-all", but with less risk of mail being dropped.

November 2024 - Email Geeks
Expert view

Expert from Spam Resource states that using +all at the end of an SPF record effectively disables SPF filtering, as it tells receiving servers to accept mail from any source. This should only be used for testing and is strongly discouraged in production environments.

December 2024 - Spam Resource
Expert view

Expert from Email Geeks shares that `+all` is SPF speak for "I know what SPF is, and I'll have no truck with it".

July 2021 - Email Geeks
Expert view

Expert from Email Geeks shares that `?` is SPF speak for “I don’t know what I’m doing” and should never be in a real record.

June 2023 - Email Geeks
Expert view

Expert from Email Geeks mentions that `?all` and `+all` are never the right thing, unless you've read and understood the whole SPF RFC.

June 2022 - Email Geeks
Expert view

Expert from Word to the Wise explains that you should publish an SPF record as soon as you have a registered domain. The record should include the IP addresses, third parties, and ESPs who send mail on your behalf. They highly recommend ending your SPF record with ~all, as it has the least chance of causing issues.

September 2024 - Word to the Wise

What the documentation says
4 technical articles

SPF qualifiers modify the meaning of mechanisms in an SPF record. '+' signifies 'pass,' allowing all mail (though this is generally discouraged for security reasons). '-' denotes 'fail,' indicating that only explicitly authorized sources should send email. '~' represents 'softfail,' typically treated as a pass but allowing for reporting. '?' implies 'neutral,' conveying no assertion about authorization. If no qualifier is specified, '+' is assumed. SPF records list authorized IP addresses for a domain, enabling email servers to verify the legitimacy of incoming messages.
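An added example, not taken from any of the sources quoted on this page: a small Python audit that reads the `all` directive of an SPF record, applies the default '+' when no qualifier is written, and flags the `+all` and `?all` cases described above. The function names and sample records are constructed for illustration; it also reports mechanisms placed after `all`, which RFC 7208 says are never tested.

```python
import re

# Qualifier -> SPF result, as listed in the documentation summary above.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_directives(record):
    """Return [(qualifier, mechanism, argument)] for a v=spf1 record."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("record does not start with v=spf1")
    directives = []
    for tok in tokens[1:]:
        if re.match(r"[A-Za-z][A-Za-z0-9._-]*=", tok):
            continue  # modifier (redirect=, exp=): carries no qualifier
        # A missing qualifier means '+', so a bare "all" is "+all".
        qualifier, body = (tok[0], tok[1:]) if tok[0] in QUALIFIERS else ("+", tok)
        name, arg = re.match(r"([A-Za-z0-9]*)(.*)", body).groups()
        directives.append((qualifier, name.lower(), arg.lstrip(":")))
    return directives

def audit_all(record):
    """Classify what the record says about senders it does not list."""
    directives = parse_directives(record)
    names = [name for _, name, _ in directives]
    if "all" not in names:
        return {"qualifier": None, "result": None,
                "findings": ["no 'all' mechanism present"]}
    idx = names.index("all")
    qualifier = directives[idx][0]
    findings = []
    if qualifier == "+":
        findings.append("'+all' (or bare 'all') passes every sender: SPF is disabled")
    elif qualifier == "?":
        findings.append("'?all' makes no assertion: not suitable for production")
    if idx < len(directives) - 1:
        findings.append("mechanisms after 'all' are never evaluated")
    return {"qualifier": qualifier, "result": QUALIFIERS[qualifier],
            "findings": findings}

# Constructed sample records (example.com and 192.0.2.0/24 are documentation values).
SAMPLES = [
    "v=spf1 ip4:192.0.2.0/24 include:_spf.example.com ~all",
    "v=spf1 mx -all",
    "v=spf1 a all",                  # bare 'all' defaults to '+'
    "v=spf1 ?all ip4:192.0.2.10",    # ip4 term sits after 'all'
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", audit_all(rec))
```
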

Key findings

  • SPF Qualifiers: SPF qualifiers are '+', '-', '~', and '?', which represent pass, fail, softfail, and neutral, respectively.
  • +all is discouraged: +all is generally incorrect and weakens SPF security because it explicitly allows all hosts to send mail.
  • -all is strict: -all means only explicitly authorized sources should send email.
  • ~all is a softfail: ~all is a softfail, often treated as a pass.
  • ?all is neutral: ?all indicates no assertion about authorization.
  • SPF records list authorized IP addresses: SPF records list authorized IP addresses for a domain.

Key considerations

  • Security implications: Using +all weakens email security, so it's generally not recommended.
  • Choosing the right qualifier: Selecting the appropriate qualifier depends on the desired level of enforcement and confidence in the accuracy of the SPF record.
  • Maintaining an accurate SPF record: Keep the SPF record up-to-date with all authorized sending sources.

Technical article

Documentation from authsmtp.com explains +all (PASS) which allows all mail, -all (FAIL) which only allows mail that matches one of the parameters, ~all (SoftFail) which allows mail whether or not it matches the parameters, and ?all (Neutral) which gives no policy statement.

April 2021 - authsmtp.com
Technical article

Documentation from dmarcian.com explains +all as explicitly allowing all hosts to send mail, which is usually incorrect and weakens SPF's security. -all means that only explicitly authorized sources should send email, which is stricter. ~all is a softfail, generally treated as a pass. ?all is neutral, indicating no assertion about whether the host is authorized.

October 2024 - dmarcian.com
Technical article

Documentation from ietf.org explains that SPF qualifiers modify the meaning of a mechanism. '+' is pass, '-' is fail, '~' is softfail, and '?' is neutral. If no qualifier is specified, '+' is assumed.

November 2024 - ietf.org
Technical article

Documentation from Microsoft Learn highlights that Sender Policy Framework (SPF) is a DNS record that lists all authorized IP addresses for a given domain. Email servers use this record to verify that incoming messages from your domain come from an authorized IP address. If a message doesn't come from an authorized IP address, the server can reject it.

November 2024 - Microsoft Learn