SPF Softfail vs Fail
SPF softfail and SPF fail are both negative outcomes, but they signal different levels of confidence. Softfail usually comes from the ~all qualifier and means the sender is probably unauthorized. Fail usually comes from -all and means the sender is definitely unauthorized according to the policy. The difference matters because mailbox providers often treat hard fail more aggressively than softfail.
One-Minute Fix
Use ~all while you are still verifying all legitimate senders, then move to -all when your SPF record is complete and stable.
v=spf1 include:_spf.google.com ~all
Softfail is often the safer rollout stage because it gives you room to verify sender coverage before enforcing a hard fail posture.
Wrong vs correct setup
Hard fail example
v=spf1 include:_spf.google.com -all
This is not wrong in itself, but it becomes risky if your SPF record does not yet include every legitimate sender.
Safer rollout example
v=spf1 include:_spf.google.com ~all
Softfail is often the better starting point while you audit mail flow and verify every valid sending source.
Why this matters
The choice between ~all and -all is not just technical. It reflects how confident you are in your sender inventory. Moving to -all too early can break legitimate mail, while staying at ~all too long can weaken anti-spoofing protection.
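One way to test a sender inventory against a record before switching qualifiers, as an added example that is not part of the original page. The zone data, sender names and IP addresses are constructed, and the evaluator handles only the ip4, ip6, include and all mechanisms.

```python
import ipaddress

# Constructed TXT data standing in for live DNS (documentation IP ranges).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example ~all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.0/25 -all",
}
# Constructed sender inventory: name -> sending IP.
SENDERS = {"corp-mta": "192.0.2.25", "newsletter-vendor": "198.51.100.10",
           "legacy-crm": "203.0.113.7"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, zone=ZONE, depth=0):
    """Return the SPF result for ip, evaluating ip4/ip6/include/all only."""
    record = zone.get(domain)
    if depth > 10:
        return "permerror"          # guard against include loops
    if record is None or not record.startswith("v=spf1"):
        return "none" if depth == 0 else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            nested = check_host(ip, arg, zone, depth + 1)
            if nested == "permerror":
                return nested
            # Only a nested pass matches; the vendor's own -all never propagates.
            matched = nested == "pass"
        elif name == "all":
            matched = True
        else:
            continue                # a, mx, exists, redirect: out of scope here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"

def audit_senders(senders, domain, zone=ZONE):
    """Return per-sender results and the senders that block a move to -all."""
    results = {n: check_host(ip, domain, zone) for n, ip in senders.items()}
    return results, sorted(n for n, r in results.items() if r != "pass")
```

Any sender listed as a blocker gets softfail under the current ~all record and would get fail once the record ends in -all.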
Impact on deliverability
- A hard fail policy can block legitimate mail if SPF is incomplete.
- A softfail policy is safer during rollout but offers weaker enforcement.
- The wrong qualifier creates either delivery risk or weaker spoofing protection.
- Mailbox providers look for consistent, deliberate authentication behavior.
How mailbox providers interpret this
Providers do not reward strictness for its own sake. They reward accurate authentication. A correct -all policy can be strong and clean, but an inaccurate one can hurt real mail. That is why many domains transition from ~all to -all gradually.
Common causes
- The domain is still in SPF rollout mode and uses ~all.
- Administrators moved to -all before fully mapping all senders.
- A forgotten third-party system still sends mail unexpectedly.
- Teams misunderstand the operational difference between softfail and fail.
What we checked
We reviewed the qualifier at the end of the SPF record and whether the policy strength matches the maturity of the domain's sender inventory.
FAQ
Is -all always better than ~all?
No. It is only better when your SPF record is complete and you are confident no legitimate sender is missing.
When should I use ~all?
Use ~all while you are still validating all real senders and want a safer transition phase.
Can moving to -all hurt delivery?
Yes. If any real sender is missing from SPF, those messages can fail more aggressively.
Next steps
- Inventory every legitimate sender before moving to -all.
- Check live headers to verify that approved mail is already passing SPF.
- Use ~all during transition if the sender map is still incomplete.
- Move to -all only when the record is stable and trusted.
- Review related SPF policy topics in the SPF Hub.
- Review the full troubleshooting guidance in the SPF Hub.
- Check signing and selector issues in the DKIM Hub.
- Review alignment and policy issues in the DMARC Hub.