SPF records end in one of two core qualifiers on the `all` mechanism: soft fail (~all) and hard fail (-all). Domain owners should understand the conditions under which each of these mechanisms works best. A careless implementation leads to poor email deliverability and sender reputation, impacting communication and brand integrity. While the soft fail mechanism is lenient and leaves a security gap, hard fail can be too strict and cause some of your legitimate emails to land in spam folders.
This post explains when to use each of the two SPF mechanisms.
1. SPF soft fail (~all)
A soft fail mechanism tells receiving mail servers to accept emails failing the SPF check but mark them as suspicious. This reduces the chances of targeted recipients interacting with fraudulent emails and getting duped.
Here are the technical use cases of SPF soft fail:
Testing and gradual deployment of SPF records
When initially deploying SPF, using ~all allows you to observe how the SPF record affects email delivery without outright rejecting unauthorized emails. For example, you can monitor email logs to spot legitimate senders that you have to add to your SPF record.
Organizations with complex and decentralized email infrastructure
Companies with multiple third-party vendors or poorly documented email systems may use ~all to avoid inadvertently rejecting legitimate emails. A complex email setup involves many sending IPs and subdomains, so a soft fail avoids disrupting communication: emails that don't pass the SPF check are tagged as suspicious rather than rejected outright.
To prevent overly aggressive email rejection
If you are unsure about the completeness of your SPF record, you should stick to soft fail to avoid aggressive rejections and allow gradual fine-tuning. This situation arises if your company or domain is new, you’ve recently hired many employees, or you’ve acquired multiple new devices.
For supporting compatibility with forwarding
When emails are forwarded, they often fail SPF checks because the sender’s IP (forwarding server) doesn’t match the SPF record. The SPF check compares the originating IP address with the domain’s SPF record. Forwarding servers are typically not listed in the original sender’s SPF record, causing the email to fail the check.
So, if you stick to the soft fail mechanism in such scenarios, legitimate forwarded emails from your domain won't be rejected. We encourage pairing SPF with DMARC for such conditions, because deploying a DMARC policy with 'relaxed' alignment mode minimizes delivery issues.
2. SPF hard fail (-all)
The hard fail mechanism tells receiving mail servers to reject emails that fail the SPF check outright.
Here are the technical use cases of SPF hard fail:
Strict email authentication for high-security domains
Domains that need to maintain a high level of trust (e.g., banks, government entities) often use -all to block spoofed emails completely. These institutions have to ensure that only authorized servers can send emails.
Phishing and spoofing mitigation
Domains can reduce the risk of their brand being exploited in phishing attacks by enforcing a hard fail. Since the unauthorized email is rejected, attackers are less likely to succeed in impersonating the domain.
Clear and controlled email infrastructure
Organizations with well-documented and controlled email systems can confidently implement -all. For example, a small business with a single mail server can use -all without risking disruptions.
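To make the ~all versus -all difference and the forwarding case above concrete, here is an added example (not code from the original post) of a minimal SPF evaluator. The domain record, the included vendor domain and the IP addresses are constructed; `include:` is resolved from an in-memory table instead of live DNS, and only the ip4, ip6, include and all terms are supported.

```python
"""Minimal SPF evaluator (added example; constructed records, no DNS)."""
import ipaddress

# Constructed records: a domain that authorizes its own /24 plus a third-party
# vendor via include:. Hypothetical names and addresses, not real infrastructure.
RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example ~all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 -all",
}

# SPF qualifier prefixes and the result they produce when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=RECORDS, depth=0):
    """Return pass/fail/softfail/neutral/none for client_ip sending as domain."""
    record = records.get(domain)
    if record is None or record.split()[0] != "v=spf1" or depth > 10:
        return "none"  # no record (or include recursion too deep)
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unprefixed mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]  # ~all -> softfail, -all -> fail
        if name in ("ip4", "ip6"):
            # A bare address is treated as a /32 or /128; version mismatch never matches.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only when the referenced record returns "pass".
            if check_spf(arg, client_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, exists and ptr are not modelled here and simply never match
    return "neutral"  # nothing matched and no all term present


def strict_records(records=RECORDS, domain="example.com"):
    """Same records with the domain's ~all replaced by -all, for comparison."""
    return dict(records, **{domain: records[domain].replace("~all", "-all")})


if __name__ == "__main__":
    forwarder = "192.0.2.7"  # constructed: a forwarding host absent from the record
    print("own server:", check_spf("example.com", "203.0.113.5"))
    print("vendor via include:", check_spf("example.com", "198.51.100.10"))
    print("forwarder under ~all:", check_spf("example.com", forwarder))
    print("forwarder under -all:", check_spf("example.com", forwarder, strict_records()))
```

The forwarded message is the interesting case: the same unlisted IP yields softfail under ~all (delivered but flagged) and fail under -all (rejected), which is exactly why a domain that expects forwarding needs DMARC with DKIM alongside SPF before moving to -all.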
Final thoughts
Understanding the nuances between SPF soft fail (`~all`) and hard fail (`-all`) is essential for crafting an effective email authentication strategy. Each mechanism serves a distinct purpose: soft fail is ideal for testing, gradual deployment, and accommodating complex or evolving email infrastructures, while hard fail suits domains with well-established systems and a critical need for stringent email security.
When combined with complementary protocols like DMARC and DKIM, SPF becomes a powerful tool to prevent email spoofing and protect your brand’s reputation. By carefully implementing and monitoring SPF policies, organizations can strike the right balance between security and email deliverability, ensuring both protection and communication efficiency.