---
title: "3 points to consider before setting your SPF record to -all (HardFail) | AutoSPF"
description: "Email security is on everyone’s radar - companies are closing every gap for threat actors to come in and exploit their email sending sources."
image: "https://autospf.com/og/blog/3-points-to-consider-before-setting-your-spf-record-hardfail.png"
canonical: "https://autospf.com/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/"
---

Quick Answer

Email security is on everyone’s radar - companies are closing every gap for threat actors to come in and exploit their email sending sources. Using SPF’s ‘-all’ mechanism is one of the strongest defense measures that domain owners and CISOs advocate to block email phishing attempts made on their behalf.

3 points to consider before setting your SPF record to -all (HardFail)

Your browser does not support the audio element.

[ Download episode](/audio/3-points-to-consider-before-setting-your-spf-record-hardfail.mp3) 

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2F3-points-to-consider-before-setting-your-spf-record-hardfail%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=3%20points%20to%20consider%20before%20setting%20your%20SPF%20record%20to%20-all%20%28HardFail%29&url=https%3A%2F%2Fautospf.com%2Fblog%2F3-points-to-consider-before-setting-your-spf-record-hardfail%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2F3-points-to-consider-before-setting-your-spf-record-hardfail%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2F3-points-to-consider-before-setting-your-spf-record-hardfail%2F&title=3%20points%20to%20consider%20before%20setting%20your%20SPF%20record%20to%20-all%20%28HardFail%29 "Share on Reddit") [ ](mailto:?subject=3%20points%20to%20consider%20before%20setting%20your%20SPF%20record%20to%20-all%20%28HardFail%29&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2F3-points-to-consider-before-setting-your-spf-record-hardfail%2F "Share via Email") 

![SPF record](https://media.mailhop.org/autospf/images/2025/05/spf-record-generator-9003.jpg) 

[Email security](/blog/spf-best-practices-cisos-guide-to-email-security/) is on everyone’s radar - companies are closing every gap for [threat actors](https://cybersecuritynews.com/google-play-amazon-gift-card-using-100s-of-malicious-domains-to-steal-data/) to come in and exploit their email sending sources. Using SPF’s ‘-all’ mechanism is one of the strongest defense measures that domain owners and [CISOs](https://www.upguard.com/blog/what-is-a-ciso) advocate to block email phishing attempts made on their behalf. 

_Per [RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208), SPF evaluation is capped at 10 DNS mechanism lookups and 2 void lookups per check - exceeding either limit produces a `PermError` that fails authentication for every message from the domain._

While this hard defense layer ensures that [illegitimate emails](https://www.darkreading.com/threat-intelligence/crowdstrike-job-interviews-hacker-tactic) sent from your domain don’t land in the targeted recipients’ inboxes, they can sometimes backfire! 

So, before setting your [SPF record to ‘-all’ (Hardfail)](/blog/the-right-way-to-transition-to-spf-hardfail-all/), which tells receiving [mail servers](https://whatismyipaddress.com/mail-server) to reject any email that does not come from an explicitly authorized IP, you should carefully consider the following 3 critical points:

![Impact on forwarding and legacy systems
](https://media.mailhop.org/autospf/images/2025/05/spf-validator-4027.jpg)

### 1\. Impact on forwarding and legacy systems

Setting your SPF record to ‘-all’ can do more harm than good if you frequently forward emails, especially using [legacy systems](https://www.techtarget.com/searchitoperations/definition/legacy-application) or external servers. When an email is forwarded, the receiving server sees the IP of the forwarder - not the original sender - which often causes [SPF](/blog/what-is-spf-email-a-guide-to-sender-validation-technology/) to fail unless the forwarder uses [SRS (Sender Rewriting Scheme)](https://www.xeams.com/sender-rewriting-schema-srs.htm).

This triggers instances of false positives if a former employee uses auto-forwarding or if you still have outdated [CRMs](https://www.ibm.com/think/topics/crm) in place. 

### 2\. Business-critical email deliverability

If you have implemented the ‘HardFail’ mechanism in haste, and without setting it to the ‘SoftFail’ first, then there are chances that business-critical communications, like client inquiries, password reset links, order confirmations, CRM replies, and transactional updates, will get blocked. 

![SPF records
](https://media.mailhop.org/autospf/images/2025/05/spf-record-tester-7904.jpg)

Let’s say a [third-party platform](https://www.eff.org/free-speech-weak-link/platforms) sends customer notifications on your behalf, but its mail server isn’t listed in your [SPF record](/spf-record-checker/create-spf-record/), then those emails will be rejected outright. _Similarly, internal tools or overlooked marketing platforms may fail to deliver time-sensitive messages_.

This will simply translate into missed sales opportunities, frustrated clients, and [reputational damage](https://en.wikipedia.org/wiki/Reputational%5Fdamage). Hence, it’s encouraged to audit every platform that sends emails on your behalf before you jump to the strictest [SPF mechanism](/spf-validator/spf-syntax/). 

![reputational damage](https://media.mailhop.org/autospf/images/2025/05/multiple-spf-records-7734.jpg) 

### 3\. DNS lookup limit

SPF has a [DNS lookup](https://www.digicert.com/faq/dns/how-does-dns-lookup-work) limit of 10 to keep things fast, safe, and under control during email delivery. _Every time a receiving server checks your SPF record, it has to look up all the_ \_\`\_ _include\`, \`a\`, \`mx\`, and similar mechanisms - basically chasing down every possible sender you’ve authorized_. 

![DNS lookup](https://media.mailhop.org/autospf/images/2025/05/spf-flattening-7980.jpg) 

Without a limit, things could get messy fast. Attackers could abuse this by creating endless or deeply nested lookups, which can slow down servers, cause timeouts, or even trigger [Denial-of-Service (DoS) attacks](https://thehackernews.com/2025/05/europol-shuts-down-six-ddos-for-hire.html). So, the 10-lookup cap is there to keep email flowing smoothly and prevent anyone from overwhelming the system.

_If you have set your SPF record to ‘-all,’ then evaluation errors can cause an outright rejection of genuine emails_. 

## AutoSPF to the rescue!

SPF records of large companies are more likely to hit the DNS lookup limit of 10\. So, if your SPF record is also facing this issue, then simply use [our automatic SPF flattening tool](/). It works by resolving all ‘include:’ mechanisms into direct IP addresses.

[Reach out to us](/contact-us/) at AutoSPF to sort out anything related to [email authentication](/blog/role-relevance-of-dns-spf-records-for-email-authentication/) through SPF, [DKIM](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dkim-record-check/), and [DMARC](https://dmarcreport.com/what-is-dmarc/).

## Topics

[ DKIM ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ email security ](/tags/email-security/)[ SPF ](/tags/spf/)[ SPF Flattening ](/tags/spf-flattening/)[ SPF Flattening tool ](/tags/spf-flattening-tool/)[ SPF record ](/tags/spf-record/) 

![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Ready to get started?

Try AutoSPF free — no credit card required.

[ Book a Demo ](/book-a-demo/) 

## Related Articles

[  Intermediate 6m  Decoding SPF mechanisms and their role in maximizing email deliverability  Nov 6, 2024 ](/blog/decoding-spf-mechanisms-and-their-role-in-maximizing-email-deliverability/)[  Intermediate 6m  How often should you audit your SPF record, and what should you look for?  Jul 2, 2025 ](/blog/how-often-audit-spf-record-and-what-to-look-for/)[  Intermediate 5m  SPF misconfigurations banks must avoid to stay secure  Sep 26, 2025 ](/blog/spf-misconfigurations-banks-must-avoid-to-stay-secure/)[  Intermediate 6m  6 Best practices for maintaining an SPF record  Jun 5, 2025 ](/blog/6-best-practices-for-maintaining-an-spf-record/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"3 points to consider before setting your SPF record to -all (HardFail)","description":"Email security is on everyone’s radar - companies are closing every gap for threat actors to come in and exploit their email sending sources.","url":"https://autospf.com/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/","datePublished":"2025-05-22T18:49:33.000Z","dateModified":"2026-04-18T02:36:41.000Z","dateCreated":"2025-05-22T18:49:33.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://autospf.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind AutoSPF, DMARC Report, Phish Protection, and Mailhop. He founded DuoCircle in 2014 to solve the SPF 10-DNS-lookup problem at scale and has led the company's growth to 2,000+ customers. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement) rather than hands-on DNS engineering.","image":"https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/"},"articleSection":"intermediate","keywords":"DKIM, DMARC, email security, SPF, SPF Flattening, SPF Flattening tool, SPF record","wordCount":556,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/images/2025/05/spf-record-generator-9003.jpg","caption":"SPF record","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://autospf.com/intermediate/"},{"@type":"ListItem","position":4,"name":"3 points to consider before setting your SPF record to -all (HardFail)","item":"https://autospf.com/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/"}]}
```