SPF Record Best Practices: When to Use SOFTFAIL (~all) vs FAIL (-all) for Email Authentication


2 views

When implementing SPF (Sender Policy Framework) records, the final mechanism (all) can be modified with different qualifiers that determine how receivers should handle emails that don't match your SPF policy:

# Strict policy (FAIL)
v=spf1 a mx -all

# Lenient policy (SOFTFAIL)
v=spf1 a mx ~all

The -all qualifier (FAIL) tells receiving servers to explicitly reject emails that don't match the SPF record. This is the strictest policy and provides the strongest protection against spoofing. However, it can cause legitimate emails to be rejected if your SPF record isn't perfectly configured.

The ~all qualifier (SOFTFAIL) suggests that emails failing SPF should be treated with suspicion but not outright rejected. This is more forgiving during the transition period or when you're still refining your email infrastructure.

Here's a comparison of real-world scenarios:

# Example 1: Strict policy for established infrastructure
v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all

# Example 2: Transitional policy with third-party providers
v=spf1 include:_spf.google.com include:servers.mcsv.net ~all

# Example 3: Testing configuration (NOT RECOMMENDED for production)
v=spf1 ?all

Google and other large email providers suggest using ~all for several technical reasons:

  • Cloud-based email systems frequently change IP addresses
  • Multiple third-party senders may be involved in message delivery
  • Forwarding scenarios can break strict SPF validation

For those wanting to move from SOFTFAIL to FAIL, implement this phased approach:

# Step 1: Initial implementation with monitoring
v=spf1 a mx ~all

# Step 2: After analyzing logs (30-60 days), implement temporary rejects
v=spf1 a mx ?all

# Step 3: Final strict policy after verification
v=spf1 a mx -all

Always monitor your email logs during transitions using tools like:

# Sample log analysis command
grep "spf=fail" /var/log/mail.log | awk '{print $7}' | sort | uniq -c

When implementing Sender Policy Framework (SPF) records, administrators face a critical choice between two termination mechanisms:

# Strict enforcement (FAIL)
v=spf1 a mx -all

# Lenient enforcement (SOFTFAIL) 
v=spf1 a mx ~all

The -all qualifier enforces a hard fail policy where any email from unauthorized sources should be rejected outright. In contrast, ~all indicates a "soft fail" where messages from unauthorized sources may be accepted but marked as suspicious.

Major email providers like Google recommend ~all due to several operational factors:

  • Cloud-based email systems frequently rotate IP addresses
  • Third-party services sending on your behalf may not be immediately included
  • Migrations between providers can cause temporary mismatches

Example of a recommended SPF record for Google Workspace:

v=spf1 include:_spf.google.com ~all

Consider -all when:

  • You have complete control over all mail servers
  • You maintain a comprehensive list of all sending IPs
  • You're not using any third-party email services
  • You can immediately detect and resolve configuration issues

Regardless of your termination choice, implement these verification steps:

# SPF validation check using dig
dig +short txt example.com

# SPF testing tools
nslookup -type=txt example.com

For those using ~all, combine it with DMARC reporting to monitor unauthorized sending attempts:

# Example DMARC record
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:reports@example.com"