SPF Softfail (~all): What It Means and When to Use -all Instead

Last updated 2026-05-29 — By The InboxGreen Team

SPF ~all (softfail) means emails from senders not listed in your SPF record should be accepted but treated with suspicion. Receivers are advised to flag them but still deliver them. This is a common and acceptable policy while you are building out your SPF record. However, -all (hardfail) is more secure and tells receivers to reject unlisted senders outright. If you are confident your SPF record lists every legitimate sending service, switching to -all improves protection.

What it means

The <code>all</code> mechanism at the end of an SPF record defines what to do with senders not matched by any other mechanism. <code>~all</code> is softfail (flag but deliver), <code>-all</code> is hardfail (reject), <code>?all</code> is neutral (no guidance). Most senders start with <code>~all</code> as it is forgiving while authentication is being set up.

Why it matters

<code>~all</code> alone is not a problem; it shows SPF is configured. But from a security standpoint, softfail gives receivers the option to override and deliver suspicious email. With DMARC enforcement active (<code>p=quarantine</code> or <code>p=reject</code>), the difference between <code>~all</code> and <code>-all</code> matters less, because DMARC will act on failures regardless. Without DMARC enforcement, <code>-all</code> provides more direct protection.

Switching from ~all to -all

v=spf1 include:_spf.google.com include:sendgrid.net -all

Only switch to -all once you are certain every legitimate sender is covered by an include or IP in your SPF record. Run the InboxGreen checker to confirm SPF passes before changing to -all. If anything is missing, hardfail will reject your own legitimate email.

How to fix it

Any DNS provider

  1. Confirm your SPF record currently passes for all your legitimate sending services.
  2. Find your SPF TXT record at your domain root.
  3. Change ~all at the end to -all.
  4. Save and wait a few minutes.
  5. Run your domain through the InboxGreen checker to confirm SPF still passes.
  6. Send a test email from each sending service to confirm delivery.

How to verify the fix

  1. Run your domain through the InboxGreen free checker.
  2. SPF should show PASS. The change from ~all to -all should not affect a passing result.
  3. Send test emails from all your legitimate sending services and confirm they arrive in the inbox.

Check your fix right now

Run your domain through InboxGreen's free checker to confirm the issue is resolved.

Check my domain

Common mistakes

  • Switching to -all before testing that all legitimate senders are in the record. This can block your own email.
  • Confusing ~all with an error. Softfail is valid and common; it is not the same as a broken SPF record.
  • Using ?all (neutral). This provides no guidance to receivers and offers no protection.

Frequently asked questions

Is SPF ~all bad? +

No. SPF softfail is a valid and common configuration, especially when you are still confirming all your sending services are included. It is not a broken record. The InboxGreen checker may show a warning for ~all as a reminder that -all is more secure, not as a hard error.

Does changing to -all affect DMARC? +

Only if SPF was the mechanism passing DMARC alignment. If DKIM alignment is passing DMARC, changing ~all to -all has no effect on DMARC results.

When should I use ~all vs -all? +

Use ~all while setting up or auditing your sending services. Switch to -all once you have confirmed every legitimate sending source is listed in your SPF record. If you have DMARC at p=reject, the practical difference between ~all and -all is small.

Related fix guides