Skip to content
Authentication

SPF qualifiers: -all vs ~all vs ?all explained

The qualifier on the all mechanism is your SPF policy: fail, softfail, neutral, or pass. What each one tells receivers and which to publish at each stage.

A qualifier is the single character in front of an SPF mechanism that decides the evaluation result when that mechanism matches. There are four: + (pass), - (fail), ~ (softfail), and ? (neutral). Because the all mechanism at the end of a record matches everything unlisted, the qualifier on all is effectively the domain's SPF policy, and the choice between -all, ~all, and ?all is the most consequential character in the record.

What each qualifier tells the receiver

-all declares that the listed mechanisms are the complete truth: mail from anywhere else is not ours, treat it as failing. ~all (softfail) says the list is probably complete: unlisted senders are suspect but the domain owner is not certain enough to demand rejection. ?all says the domain owner asserts nothing either way, which carries the same practical weight as publishing no policy. +all passes every server on the internet and is worse than no record: it is an explicit authorization of all spoofing, and some filters treat it as a spam signal in itself.

The four qualifiers at a glance

FeatureResult on matchMessage to receivers
-allfailUnlisted senders are not us; reject or junk with confidence
~allsoftfailUnlisted senders are suspect; accept but mark and scrutinize
?allneutralNo assertion; treat as if no SPF existed
+allpassEveryone may send as us; a misconfiguration and a spam signal

How receivers actually treat fail and softfail

Folklore says -all gets unauthorized mail rejected at the SMTP border while ~all gets it delivered to spam. Reality is softer: most large receivers treat a bare SPF fail as one strong signal among many rather than an automatic rejection, partly because forwarding legitimately breaks SPF and rejecting on fail alone would destroy forwarded mail. Some receivers, particularly smaller and stricter systems, do reject on fail. Softfail is nearly universally treated as accept-but-score.

DMARC changed the stakes of this choice. Under DMARC, what matters is whether SPF produces an aligned pass; fail, softfail, and neutral all equally contribute nothing, and the DMARC policy (not the SPF qualifier) decides the message's fate. A domain with DMARC at p=reject and ~all is not meaningfully weaker than one with -all, because DMARC carries the enforcement. The details live in the SPF alignment entry.

Qualifiers on other mechanisms

Any mechanism can carry a qualifier, not just all. A record like v=spf1 -ip4:203.0.113.66 include:_spf.esp.com -all explicitly fails one known-bad address before authorizing the rest, useful when a compromised host must be cut out of an otherwise valid range. These constructions are rare and easy to misread; when a record needs negative carve-outs, a comment in your DNS repository explaining why saves the next engineer an hour.

Choosing per lifecycle stage

The standard progression

  1. 1

    Inventory phase: ~all

    While discovering senders (ideally with DMARC p=none and aggregate reports flowing), softfail avoids breaking a forgotten legitimate source you have not authorized yet.

  2. 2

    Confident phase: -all

    Once DMARC reports confirm every legitimate source is listed and passing, move to -all (or keep ~all if DMARC enforcement is doing the policing; both are defensible).

  3. 3

    Non-sending domains: -all immediately

    Parked domains and pure web domains publish v=spf1 -all from day one. There is nothing to inventory.

  4. 4

    Never: +all or a missing all

    +all authorizes the entire internet, and a record without all leaves policy undefined. Both defeat the purpose of publishing SPF.

Frequently asked questions

Is ~all bad for deliverability?
No. Authorized mail passes identically under ~all and -all, so the qualifier does not affect your legitimate messages. The difference only concerns how receivers treat mail from unlisted servers.
Should I use -all if my users' mail gets forwarded a lot?
Forwarded mail fails SPF under any strict qualifier, which is unavoidable. The robust answer is DKIM, whose signatures survive forwarding, plus DMARC, rather than weakening the SPF qualifier.
What does SPF softfail look like in headers?
Authentication-Results will show spf=softfail with the evaluated domain. Gmail's "Show original" view labels it SOFTFAIL. It is accepted mail carrying a suspicion marker, not a bounce.
Why do some big companies publish ~all instead of -all?
Deliberate choice: with DMARC at enforcement, ~all provides equivalent protection while being marginally kinder to legacy forwarding paths at receivers that act on SPF alone. It reflects DMARC-era thinking rather than negligence.

Key takeaways

  • The qualifier on all is the domain's SPF policy: -all fails unlisted senders, ~all softfails them, ?all asserts nothing
  • +all and records without an all terminator are misconfigurations that invite spoofing
  • Most large receivers score SPF fail rather than rejecting outright, because forwarding breaks SPF legitimately
  • Under DMARC, only an aligned pass matters; the enforcement decision moves to the DMARC policy
  • Progression: ~all while inventorying senders, -all (or ~all plus DMARC enforcement) once reports confirm completeness, -all immediately on non-sending domains