SPF Softfail vs Hardfail: Understanding SPF Results and When to Use Each
Learn the difference between SPF softfail (~all) and hardfail (-all), plus other SPF qualifiers like neutral and permerror, and when to use each in your SPF record.
Your SPF record's "all" mechanism determines what happens when an email comes from an IP not explicitly listed. The difference between softfail (~all) and hardfail (-all) can significantly impact both security and deliverability.
SPF Results Explained
When a receiving server checks SPF, it gets one of these results. RFC 7208 names them pass, fail, softfail, neutral, none, permerror and temperror; "hardfail" is the informal name for fail. What the receiver does with a result is its own policy, so the last column is typical behaviour, not a guarantee:
| Result | Symbol | Meaning | Typical Action |
|---|---|---|---|
| Pass | + | IP is explicitly authorized | Accept normally |
| Fail (Hardfail) | - | IP is explicitly NOT authorized | Reject or mark as spam |
| Softfail | ~ | IP is probably not authorized | Accept but flag |
| Neutral | ? | No assertion made | Accept normally |
| None | (none) | No SPF record exists | No SPF-based decision |
| Permerror | (none) | Permanent error in the SPF record | Varies by server |
| Temperror | (none) | Temporary DNS error | Usually retry later |
The "all" Mechanism
The all mechanism at the end of your SPF record is a catch-all for IPs not matched by previous mechanisms.
Hardfail: -all
v=spf1 include:_spf.google.com -all
The -all hardfail means: "Any IP not listed is unauthorized. Treat these emails as failing." Some receivers reject such mail at SMTP time; many only raise its spam score or pass the result on to DMARC, so -all is a strong signal to receivers rather than a guarantee of rejection.
Pros:
- Strongest protection against spoofing
- Clear signal to receivers about unauthorized mail
- Recommended for domains with well-documented sending infrastructure
Cons:
- Legitimate emails from unlisted sources will fail
- Can cause problems if you miss a sending service
- Less forgiving of configuration mistakes
Softfail: ~all
v=spf1 include:_spf.google.com ~all
The ~all softfail means: "IPs not listed are probably not authorized, but don't reject—flag for review."
Pros:
- More forgiving during SPF configuration
- Doesn't immediately break legitimate emails from missed sources
- Gives you time to identify all sending sources
Cons:
- Weaker protection against spoofing
- Some spam may slip through
- Can be seen as incomplete configuration
Neutral: ?all
v=spf1 include:_spf.google.com ?all
The ?all neutral means: "I'm not making any assertion about IPs not listed."
Pros:
- Maximum flexibility
- Won't break any email
Cons:
- Provides almost no protection
- SPF might as well not exist
- Not recommended for production use
When to Use Each
Start with softfail (~all) while configuring, then move to hardfail (-all) once you've verified all legitimate sources.
Use Softfail (~all) When:
- Setting up SPF for the first time — You might not know all sending sources yet
- Adding new email services — Test before committing to hardfail
- Managing a domain with many senders — Complex environments need flexibility
- Not fully confident in your configuration — Better to flag than reject
Use Hardfail (-all) When:
- You've fully documented all sending sources — You know exactly who sends as your domain
- You want maximum spoofing protection — Security is the priority
- You've tested thoroughly with softfail — No legitimate mail is failing
- DMARC is configured with enforcement — Defense in depth
Never Use Neutral (?all)
There's almost no valid use case for ?all in production. It provides no protection and signals to receivers that you haven't properly configured SPF.
Understanding Permerror and Temperror
Permerror (Permanent Error)
A permerror occurs when the SPF record has a fatal flaw that the receiver cannot evaluate around. Because DMARC counts permerror as an SPF failure, a broken record is as bad as no record at all:
Common causes:
- More than 10 DNS-querying terms (include, a, mx, ptr, exists and the redirect modifier; ip4 and ip6 do not count)
- Syntax errors in the record
- Invalid or unknown mechanisms
- Two or more v=spf1 TXT records on the same name
- Circular includes, which exhaust the lookup limit
# Too many lookups causes permerror
v=spf1 include:a.com include:b.com include:c.com include:d.com
include:e.com include:f.com include:g.com include:h.com
include:i.com include:j.com include:k.com -all
Fix: Reduce lookups (drop includes for services you no longer use), fix the syntax, or flatten your SPF record by replacing includes with the provider's current IP ranges. Flattened records go stale when a provider changes its ranges, so if you flatten, automate the refresh.
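To make the qualifier semantics from the "all" mechanism section and the lookup limit described above concrete, here is an added example (not code from the original article) of a small SPF evaluator in Python. It replaces real DNS with the in-memory FAKE_DNS dictionary, whose domain names, records and addresses are constructed for illustration, and it covers only the mechanisms used on this page (ip4, ip6, a, mx, include, all and redirect=); ptr, exists and macros are out of scope and are reported as permerror. It goes a little beyond the text by counting DNS-querying terms across nested includes, which is how both the eleven-include record above and a circular include end up as permerror.

```python
import ipaddress

MAX_DNS_LOOKUPS = 10                      # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data standing in for real DNS; every name here is illustrative.
FAKE_DNS = {
    "example.com":       {"TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"]},
    "_spf.mail.example": {"TXT": ["v=spf1 ip4:198.51.100.10 a:relay.example -all"]},
    "relay.example":     {"A": ["203.0.113.5"]},
    "v6.example":        {"TXT": ["v=spf1 ip6:2001:db8::/32 -all"]},
    "mxdomain.example":  {"TXT": ["v=spf1 mx -all"], "MX": ["mail.mxdomain.example"]},
    "mail.mxdomain.example": {"A": ["192.0.2.25"]},
    "soft.example":      {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
    "neutral.example":   {"TXT": ["v=spf1 ip4:192.0.2.0/24 ?all"]},
    "loop.example":      {"TXT": ["v=spf1 include:loop.example -all"]},      # circular include
    "ten.example":       {"TXT": ["v=spf1 " + "include:soft.example " * 10 + "-all"]},
    "eleven.example":    {"TXT": ["v=spf1 " + "include:soft.example " * 11 + "-all"]},
}


class PermError(Exception):
    """Fatal problem with the record: the receiver reports permerror."""


def lookup(name, rrtype):
    return FAKE_DNS.get(name.lower(), {}).get(rrtype, [])


def spend_lookup(budget):
    """Count one DNS-querying term; the eleventh is a permerror."""
    budget["lookups"] += 1
    if budget["lookups"] > MAX_DNS_LOOKUPS:
        raise PermError("more than %d DNS lookups" % MAX_DNS_LOOKUPS)


def check_host(ip, domain):
    """Return pass/fail/softfail/neutral/none/permerror for `ip` sending as `domain`."""
    try:
        return evaluate(ipaddress.ip_address(ip), domain, {"lookups": 0})
    except PermError:
        return "permerror"


def evaluate(ip, domain, budget):
    """Walk the record for `domain` left to right; the first matching term wins."""
    records = [t for t in lookup(domain, "TXT") if t.split()[0].lower() == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        raise PermError("more than one v=spf1 record on " + domain)
    redirect = None
    for term in records[0].split()[1:]:
        qualifier = "+"                                   # a bare mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        lname = term.lower()
        if lname.startswith("redirect="):                 # only used if nothing else matches
            redirect = lname[len("redirect="):]
            continue
        if lname.startswith("exp="):                      # explanation text, irrelevant to the result
            continue
        name, _, arg = lname.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):                        # no DNS query, so free
            try:
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                raise PermError("bad network in " + term) from None
        elif name == "a":
            spend_lookup(budget)
            matched = str(ip) in lookup(arg or domain, "A" if ip.version == 4 else "AAAA")
        elif name == "mx":
            spend_lookup(budget)
            rrtype = "A" if ip.version == 4 else "AAAA"
            matched = any(str(ip) in lookup(host, rrtype) for host in lookup(arg or domain, "MX"))
        elif name == "include":
            spend_lookup(budget)
            inner = evaluate(ip, arg, budget)
            if inner == "none":                           # included domain has no SPF: permerror
                raise PermError("include of " + arg + " which has no SPF record")
            matched = inner == "pass"                     # fail/softfail/neutral are just "no match"
        else:                                             # ptr, exists, macros: not implemented here
            raise PermError("unsupported mechanism " + name)
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        spend_lookup(budget)
        result = evaluate(ip, redirect, budget)
        if result == "none":
            raise PermError("redirect to " + redirect + " which has no SPF record")
        return result
    return "neutral"                                      # nothing matched and no "all" term


if __name__ == "__main__":
    for ip, domain in [("192.0.2.7", "example.com"), ("203.0.113.99", "example.com"),
                       ("203.0.113.99", "soft.example"), ("203.0.113.99", "eleven.example")]:
        print(f"{ip:>14} sending as {domain:<16} -> {check_host(ip, domain)}")
```

Note how the lookup budget is one counter shared across the whole evaluation rather than per record: a record that looks tidy on its own can still hit permerror once the includes it pulls in spend their own lookups.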
Temperror (Temporary Error)
A temperror occurs when DNS can't be reached temporarily:
Common causes:
- DNS server timeout
- Network connectivity issues
- DNS propagation in progress
What happens: Most receivers either defer the message with a temporary SMTP error so the sender retries, or accept it and treat the result like neutral.
SPF and DMARC Interaction
Your SPF result affects DMARC evaluation:
| SPF Result | DMARC Impact |
|---|---|
| Pass | Counts toward DMARC pass only if the MAIL FROM (Return-Path) domain aligns with the From: header domain |
| Hardfail | Contributes to DMARC fail |
| Softfail | Contributes to DMARC fail |
| Neutral | Contributes to DMARC fail |
| Permerror | Contributes to DMARC fail |
For DMARC purposes, both softfail and hardfail are treated as failures; only an aligned pass counts. The difference matters before DMARC is evaluated: a receiver that acts on SPF fail at SMTP time can reject a -all message before DKIM and DMARC get a chance to pass it, which is how forwarded mail breaks, whereas a ~all softfail is only ever flagged. This is why some operators keep ~all even under a DMARC policy of p=reject and rely on DKIM alignment for the DMARC pass.
Migration Path: Softfail to Hardfail
Start with softfail
Begin with ~all to avoid breaking legitimate email.
Monitor for two weeks
Use DMARC reports to identify any legitimate senders failing SPF.
Add missing sources
Update your SPF record to include any legitimate sources you missed.
Monitor again
Verify no legitimate mail is failing after updates.
Switch to hardfail
Change ~all to -all once confident in your configuration.
Continue monitoring
Keep watching DMARC reports for issues.
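As an added example (not from the original article) of the monitoring steps above, the Python below parses a DMARC aggregate (RUA) report and lists every source that does not get an aligned SPF pass, which is what the "if aligned" condition in the DMARC table means in practice. The report text, its IPs and its domain names are constructed; org_domain approximates the organizational domain by its last two labels, which is a simplification of the Public Suffix List lookup that real DMARC code performs, and triage is this example's own rule of thumb for reading the results.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (RUA) report, trimmed to the fields this example reads.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><aspf>r</aspf><adkim>r</adkim><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.20</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.30</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
  </record>
</feedback>
"""


def org_domain(name):
    """Organizational domain approximated as the last two labels (simplification:
    real implementations consult the Public Suffix List to handle co.uk etc.)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, header_from, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return org_domain(auth_domain) == org_domain(header_from)


def spf_gaps(xml_text):
    """Sources whose mail does not get an aligned SPF pass, most messages first."""
    root = ET.fromstring(xml_text)
    aspf = root.findtext("policy_published/aspf", "r")
    adkim = root.findtext("policy_published/adkim", "r")
    gaps = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        header_from = rec.findtext("identifiers/header_from")
        spf_domain = rec.findtext("auth_results/spf/domain", "")
        spf_result = rec.findtext("auth_results/spf/result", "none")
        if spf_result == "pass" and aligned(spf_domain, header_from, aspf):
            continue                                      # this is what DMARC counts as SPF pass
        dkim_ok = any(d.findtext("result") == "pass" and aligned(d.findtext("domain", ""), header_from, adkim)
                      for d in rec.findall("auth_results/dkim"))
        gap = gaps.setdefault(ip, {"source_ip": ip, "messages": 0, "spf_domain": spf_domain,
                                   "spf_result": spf_result, "dkim_aligned": dkim_ok})
        gap["messages"] += count
    return sorted(gaps.values(), key=lambda g: -g["messages"])


def triage(gap):
    """Rule of thumb for reading a gap before tightening ~all to -all."""
    if gap["spf_result"] == "pass":
        return "SPF passes but on an unaligned domain; point the Return-Path at your own domain"
    if gap["dkim_aligned"]:
        return "DKIM carries DMARC today; add this source to SPF before moving to -all"
    return "no aligned authentication: unknown sender or spoofing, investigate"


if __name__ == "__main__":
    for gap in spf_gaps(SAMPLE_RUA):
        print(f"{gap['source_ip']:>14} {gap['messages']:>5} msgs  spf={gap['spf_result']:<8} {triage(gap)}")
```

The useful distinction when reading the output is the third column: a source that passes SPF on an ESP's own bounce domain is not "missing from SPF", it is misaligned, and adding its IPs to your record would not help. The source with softfail plus an aligned DKIM pass is the one to add before switching to -all.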
Real-World Examples
E-commerce Business
v=spf1 include:_spf.google.com include:sendgrid.net include:shopify.com -all
Uses hardfail because:
- All sending sources are known (Google Workspace, SendGrid for marketing, Shopify for orders)
- Security is important for customer trust
- Configuration has been tested thoroughly
Startup in Transition
v=spf1 include:_spf.google.com include:mailchimp.com ~all
Uses softfail because:
- Still adding new tools and services
- Not yet confident all sources are documented
- Will switch to hardfail after audit
Enterprise with Complex Infrastructure
v=spf1 include:_spf.enterprise.com ~all
Uses softfail because:
- Many departments send email
- Mergers and acquisitions add complexity
- Risk of breaking legitimate email is high
Best Practices
- Never use +all — This authorizes the entire internet to send as your domain
- Avoid ?all in production — It provides no protection
- Use ~all during setup — Move to -all when ready
- Monitor with DMARC — Get visibility into SPF failures
- Document all senders — Know exactly who sends as your domain
- Test before changing — Verify configuration before switching to hardfail
The choice between softfail and hardfail isn't permanent—you can change it as your needs evolve. Start safe with softfail, build confidence through monitoring, and graduate to hardfail when you're ready for maximum protection.