Medium Severity · SPF

Fix: SPF SoftFail (~all) Instead of HardFail (-all)

Your SPF record ends with ~all (softfail) instead of -all (hardfail). While softfail marks unauthorized senders as suspicious, it does not instruct receivers to reject the message.

Quick Fix

Change `~all` to `-all` in your SPF record once you've confirmed all legitimate senders are included.

What This Error Means

The ~all mechanism tells receiving servers that mail from IPs not listed in your SPF record should be treated as suspicious but not necessarily rejected (an SPF "softfail" result). The -all mechanism is stricter: it tells receivers that an unauthorized IP is a definitive "fail". In both cases `all` matches every sender, so it must be the last mechanism in the record; mechanisms are evaluated left to right and the first match decides, and anything after `all` is never reached.

Why It Matters

With ~all, spoofed emails from your domain may still be delivered (possibly to spam). Using -all provides the strongest SPF signal, which combined with a DMARC reject policy gives you the best protection against email spoofing.

Step-by-Step Fix

1

Audit your current sending services

Before switching to hardfail, make sure every legitimate email service is included in your SPF record. Check transactional email, marketing platforms, CRM, helpdesk, and any other third-party senders, and follow every include recursively, since an included record can pull in further includes and IP ranges that you also need to account for.

Example
dig +short TXT yourdomain.com | grep -i "v=spf1"
# Review every include and IP — are all your senders covered?

2

Review DMARC reports for SPF failures

If you have DMARC reporting enabled, check your aggregate (RUA) reports for source IPs that you recognize as legitimate but whose SPF result is softfail or fail. Those senders are missing from your record and would start hard-failing, and possibly being rejected, once you switch.

3

Change ~all to -all

Update your SPF TXT record to use hardfail.

Before
v=spf1 include:_spf.google.com include:sendgrid.net ~all
After
v=spf1 include:_spf.google.com include:sendgrid.net -all

4

Monitor for delivery issues

After switching, monitor your email delivery for a few days. Check DMARC reports and bounce notifications for any legitimate mail that is now failing.
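The four steps above can be rehearsed offline before touching DNS. The following Python script is an added example, not code from the original page or from any scanner: it evaluates a sender IP against an SPF record the way a receiver does (RFC 7208 mechanisms ip4, ip6, include and all, tried left to right), pulls the non-passing source IPs out of a DMARC aggregate report, and shows what result each would get under the current ~all record and under the same record with -all. It also counts include lookups against the RFC 7208 limit of 10, which an audit that keeps adding includes can quietly exceed. The DNS table, the domain names, the addresses and the RUA fragment are all constructed for the example; a real audit would resolve the records with dig or dnspython and read real reports.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed stand-in for DNS, keyed by owner name. A real audit resolves these
# with dig or dnspython; they are hard-coded so the script runs offline.
# Every name and address here is hypothetical.
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.mailhost.example include:_spf.crm.example ~all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_spf.crm.example": "v=spf1 ip4:198.51.100.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: an 11th DNS-querying mechanism is a permerror


def check_host(ip, domain, dns, lookups=None):
    """Evaluate sender `ip` against `domain`'s SPF record in `dns`; returns (result, lookups_used).

    Mechanisms are tried left to right and the first match decides, which is why
    `all` must come last. Only ip4, ip6, include and all are implemented (enough
    for the records above); a, mx, exists and redirect= raise instead of being skipped.
    """
    lookups = [0] if lookups is None else lookups
    addr = ipaddress.ip_address(ip)
    terms = (dns.get(domain) or "").split()
    if terms[:1] != ["v=spf1"]:
        return "none", lookups[0]
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
            sub, _ = check_host(ip, arg, dns, lookups)
            if sub in ("permerror", "none"):  # RFC 7208 s5.2: included domain without SPF is permerror
                return "permerror", lookups[0]
            matched = sub == "pass"  # include matches only when the included record passes
        elif mech == "all":
            matched = True
        else:
            raise NotImplementedError(f"mechanism {mech!r} is not handled by this example")
        if matched:
            return QUALIFIERS[qualifier], lookups[0]
    return "neutral", lookups[0]  # nothing matched and no `all` was present


# Constructed fragment of a DMARC aggregate (RUA) report, reduced to the fields read below.
RUA_XML = """<?xml version="1.0"?>
<feedback>
  <record>
    <row><source_ip>192.0.2.25</source_ip><count>40</count></row>
    <auth_results><spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>12</count></row>
    <auth_results><spf><domain>example.com</domain><result>softfail</result></spf></auth_results>
  </record>
</feedback>
"""


def spf_non_pass_rows(xml_text):
    """Return (source_ip, message_count, spf_result) for rows whose SPF result was not pass."""
    rows = []
    for rec in ET.fromstring(xml_text).findall("record"):
        result = rec.findtext("auth_results/spf/result")
        if result != "pass":
            rows.append((rec.findtext("row/source_ip"), int(rec.findtext("row/count")), result))
    return rows


def hardfail_impact(domain, dns, xml_text):
    """Map each non-passing source IP to (count, result today, result with -all).

    Any IP that would move to 'fail' is a sender to add to the record before switching.
    """
    hardened = dict(dns)
    hardened[domain] = dns[domain].replace("~all", "-all")
    return {
        ip: (count, check_host(ip, domain, dns)[0], check_host(ip, domain, hardened)[0])
        for ip, count, _ in spf_non_pass_rows(xml_text)
    }


if __name__ == "__main__":
    print(check_host("198.51.100.10", "example.com", DNS_TXT))  # ('pass', 2)
    for ip, (count, before, after) in hardfail_impact("example.com", DNS_TXT, RUA_XML).items():
        print(f"{ip}: {count} messages, {before} today, {after} after switching to -all")
```

In the constructed data, 203.0.113.7 sends 12 messages that currently softfail and would hard fail after the switch; if that address belongs to one of your own services, it has to be added to the record (or covered by an include) before you change the qualifier. If it is not yours, the move to -all is doing exactly what you want. The `all` handling also shows why the qualifier is the last thing evaluated: every mechanism before it gets a chance to match first.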

Common Gotchas

  • Email forwarding breaks SPF: the forwarding server is not in your record, so the forwarded copy fails SPF whichever qualifier you use. With -all, some receivers reject such mail at the SPF stage instead of leaving the decision to DMARC. A valid DKIM signature that aligns with your domain survives unmodified forwarding, so DMARC can still pass on DKIM alone.
  • Switching to -all without including all legitimate senders will cause those emails to hard fail, and receivers that enforce SPF on its own may reject them outright.
  • If you use DMARC with p=reject, the difference between ~all and -all matters less: DMARC treats softfail and fail alike, since neither is an aligned SPF pass, so the DMARC verdict is the same either way. -all is still best practice, because it also covers receivers that act on the SPF result alone.

Verify Your Fix

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, depending on the record's TTL, but most propagate within minutes.

Frequently Asked Questions

What is the difference between ~all and -all in SPF?

~all (softfail) marks unauthorized emails as suspicious but leaves the delivery decision to the receiver. -all (hardfail) marks them as definitively unauthorized. Most modern receivers fold the SPF result into DMARC evaluation, where softfail and fail both count as a non-pass, but -all is the stronger signal for receivers that act on SPF directly and is recommended once you are confident in your SPF record.

Is it safe to switch from ~all to -all?

Yes, if all your legitimate email senders are properly listed in your SPF record. Before switching, audit your includes and check DMARC reports for any SPF failures from legitimate sources.

Does Google recommend ~all or -all?

Google's email authentication documentation recommends -all for the strongest protection. They suggest using ~all only during initial setup while you verify all senders are included.

Related Issues