When should I use SPF hard fail vs soft fail?
Summary
What email marketers say (9 marketer opinions)
Email marketer from URIports shares that if you receive direct emails only, and are fully aware of who is sending emails on your behalf, use Hard Fail. If you send emails using third-party services, use Soft Fail.
Email marketer from Reddit states that softfail is generally safer because it accounts for forwarding. If you use hardfail, forwarded emails are more likely to be marked as spam.
Email marketer from Mailhardener mentions that softfail is the most universally supported setting and is a good choice for almost all use cases, with hardfail more appropriate for situations where absolute control is needed and forwarding isn't a concern.
Marketer from Email Geeks shares that using `-all` in an SPF record is fine if: 1. The domain sends no mail ("v=spf -all"); 2. The domain is ONLY used in direct mail flows; 3. The domain owner doesn't care if messages passing through intermediate hops are rejected; 4. The domain owner desires that messages passing through intermediate hops are rejected.
Marketer from Email Geeks explains that if confident the SPF record is correct, she uses -all to ensure messages failing SPF are rejected, indicating different purposes for hard vs soft fail.
Marketer from Email Geeks explains that SPF hard fail comes with a risk that the message will be rejected early in the transaction, before DKIM and DMARC can be evaluated.
Email marketer from EasyDMARC advises using softfail (`~all`) if you are unsure about all your sending sources or if you anticipate legitimate forwarding. Hardfail (`-all`) is recommended only if you are completely confident in your SPF record and want to strictly reject unauthorized senders.
Email marketer from StackExchange responds that `-all` means that you are stating that no other server should ever be sending email for your domain. `~all` means that you are still checking that it matches SPF, but you are willing to trust those that have been misconfigured. Best practice is to use `~all`.
Email marketer from MXToolbox explains that the primary difference is how receiving servers treat the email. Hard Fail tells the receiving server that the email should be rejected. Soft Fail tells the server to accept the email but mark it as suspicious.
What the experts say (3 expert opinions)
Expert from Spam Resource explains that if you are confident that the only emails originating from your domain are the ones you intend, use `-all` (hard fail). If you use 3rd party services that send mail, you should use `~all` (soft fail).
Expert from Word to the Wise responds that if you use a hard fail and a forwarding service forwards mail, the forwarded message will fail SPF and may be rejected. Unless you fully understand SPF and email authentication, stick with soft fail (~all).
Expert from Email Geeks states that she's not sure there are large receivers who actually block on SPF fail reliably and that it’s hard data to collect.
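The forwarding scenario and the "rejected before DKIM and DMARC are evaluated" risk described in the opinions above, worked through in code. This is an added example, not code from any of the sources quoted on this page: the DNS zone, the domain names and the connecting IPs are constructed for illustration, and `receiver_disposition` models a receiver that rejects SPF hard fail at the envelope stage; as the Email Geeks expert notes, whether large receivers actually do that is not something this page can confirm.

```python
import ipaddress

# Constructed DNS zone for this example (hypothetical names; not real records).
# example.com publishes -all; softfail.example is the same record with ~all.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example ~all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record from the constructed zone, or None."""
    txt = DNS_TXT.get(domain.lower())
    if txt is None or txt.split()[0].lower() != "v=spf1":
        return None
    return txt


def check_spf(client_ip, domain, depth=0):
    """Evaluate the ip4, ip6, include and all mechanisms of RFC 7208 for one
    connecting IP. Other mechanisms (a, mx, exists, ptr) are out of scope here
    and yield permerror so the example never silently mis-evaluates them."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]   # this is where -all vs ~all bites
        if name in ("ip4", "ip6"):
            # "in" returns False across address families, so ip6 never matches a v4 client
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif name == "include":
            # include matches only when the included record itself yields "pass";
            # its own ~all/-all result is not inherited by the including record
            if check_spf(client_ip, arg, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        else:
            return "permerror"
    return "neutral"                     # no mechanism matched and no "all" term


def receiver_disposition(client_ip, domain, dkim_valid):
    """Model (an assumption, not any named receiver's policy) of a receiver that
    rejects SPF hard fail at the SMTP envelope stage, before DKIM and DMARC are
    evaluated; any other SPF result proceeds to DMARC. DMARC alignment is assumed
    (the From: domain equals the envelope domain), so DMARC passes if either
    SPF passes or the DKIM signature survived transit."""
    spf = check_spf(client_ip, domain)
    if spf == "fail":
        return {"spf": spf, "dkim_checked": False, "dmarc": None, "action": "reject"}
    dmarc = "pass" if spf == "pass" or dkim_valid else "fail"
    return {"spf": spf, "dkim_checked": True, "dmarc": dmarc,
            "action": "accept" if dmarc == "pass" else "quarantine"}


if __name__ == "__main__":
    # Direct delivery from an authorized IP in the ip4 range.
    print(check_spf("192.0.2.10", "example.com"))            # pass
    # The same message relayed by a forwarder at 203.0.113.7 (constructed) that
    # left the DKIM signature intact. With -all it is rejected before DKIM is
    # looked at; with ~all it reaches DMARC and passes on the DKIM signature.
    print(receiver_disposition("203.0.113.7", "example.com", dkim_valid=True))
    print(receiver_disposition("203.0.113.7", "softfail.example", dkim_valid=True))
```

The forwarded message is identical in both runs; only the trailing qualifier differs. Under `-all` the modelled receiver never reaches the DKIM check, which is the failure mode the opinions above warn about; under `~all` the message gets a `softfail`, DMARC is evaluated, and the surviving DKIM signature carries it. If the forwarder also rewrote the body (mailing-list footers, for instance), `dkim_valid` would be `False` and the `~all` case would land in quarantine rather than being accepted.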
What the documentation says (3 technical articles)
Documentation from Google Workspace Admin Help explains that using `~all` (softfail) is generally recommended because it allows for legitimate email that might not perfectly align with your SPF record (due to forwarding or other issues) to still be delivered. Hardfail (`-all`) is stricter and might cause legitimate emails to be rejected.
Documentation from DMARC.org shares that while hardfail (`-all`) provides stronger enforcement, softfail (`~all`) is often preferred to avoid inadvertently blocking legitimate email due to common issues like forwarding. They recommend assessing your mail flow and tolerance for false positives when making the decision.
Documentation from Microsoft Learn suggests starting with a softfail (`~all`) to monitor the impact of SPF on your email traffic. After you are confident that your SPF record is accurate and complete, you can consider switching to a hardfail (`-all`) for stricter enforcement.