---
title: "What are the fallback mechanisms in SPF? | AutoSPF"
description: "In SPF, fallback mechanisms come into play when an email fails SPF checks, but the recipient’s server or policies offer ways to handle or mitigate the failure."
image: "https://autospf.com/og/blog/what-are-the-fallback-mechanisms-in-spf.png"
canonical: "https://autospf.com/blog/what-are-the-fallback-mechanisms-in-spf/"
---

Quick Answer

In SPF, fallback mechanisms come into play when an email fails SPF checks, but the recipient’s server or policies offer ways to handle or mitigate the failure. They provide you the flexibility in handling emails that fail SPF checks while still being able to maintain security through other email authentication protocols.

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2Fwhat-are-the-fallback-mechanisms-in-spf%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=What%20are%20the%20fallback%20mechanisms%20in%20SPF%3F&url=https%3A%2F%2Fautospf.com%2Fblog%2Fwhat-are-the-fallback-mechanisms-in-spf%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2Fwhat-are-the-fallback-mechanisms-in-spf%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2Fwhat-are-the-fallback-mechanisms-in-spf%2F&title=What%20are%20the%20fallback%20mechanisms%20in%20SPF%3F "Share on Reddit") [ ](mailto:?subject=What%20are%20the%20fallback%20mechanisms%20in%20SPF%3F&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2Fwhat-are-the-fallback-mechanisms-in-spf%2F "Share via Email") 

![phishing and spoofing](https://media.mailhop.org/autospf/images/2024/09/spf-record-tester-5757.jpg) 

In [SPF](/blog/what-is-spf-email-a-guide-to-sender-validation-technology/), fallback mechanisms come into play when an email fails SPF checks, but the recipient’s server or policies offer ways to handle or mitigate the failure. They provide you the flexibility in handling emails that fail SPF checks while still being able to maintain security through other [email authentication](/spf-too-many-dns-lookups/spf-lookup/) protocols. This ensures that [email security](/) is upheld, and phishing and [spoofing attempts](https://www.helpnetsecurity.com/2023/07/14/microsoft-spoofing-attempts/) made by cybercriminals are averted. Let’s understand what these fallback mechanisms include.

_Per [RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208), SPF evaluation is capped at 10 DNS mechanism lookups and 2 void lookups per check - exceeding either limit produces a `PermError` that fails authentication for every message from the domain._

For a deep dive into every SPF mechanism, qualifier, and modifier, see our [complete SPF record syntax guide](/blog/spf-record-syntax-complete-guide/).

## Primary SPF fallback mechanisms

### 1\. SPF alignment with DMARC

In situations where the [SPF check](/generative-ai-and-phishing-threats/spf-records-check/) for an email fails but the [DMARC check](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dmarc-record-check/) passes, the recipient’s mailbox can choose to ignore the SPF results and accept the email. You can set the DMARC record to one of the policies:

- p=none: _To instruct recipients’ mailboxes to take no action against illegitimate emails sent from your domain_.
- p=quarantine: To instruct recipients’ mailboxes to mark [illegitimate emails](https://www.linkedin.com/pulse/illegitimate-emails-protect-yourself-indigo-it-limited) sent from your domain as spam.
- p=reject: To instruct recipients’ mailboxes not to accept illegitimate emails sent from your domain.
![spam](https://media.mailhop.org/autospf/images/2024/09/spf-record-tester-5758.jpg) 

### 2\. Soft fail (\~all)

The SPF soft fail mechanism, represented by the \~all symbol, tells recipients’ mailboxes not to outright reject illegitimate emails but to treat them with suspicion. So, there is no strict rejection involved, and the server places them in junk or [spam folders](https://www.usatoday.com/story/tech/2021/08/23/gmail-spam-filter-email-inbox-google/8242847002/). _It’s usually used during the testing phase when domain owners want to see how many emails would fail without disrupting legitimate email flows_.

### 3\. Neutral (?all)

This optional mechanism indicates that the domain owner is not asserting whether a specific [IP address](https://www.investopedia.com/terms/i/ip-address.asp) is authorized to send emails on behalf of the brand or not. This is the least restrictive SPF policy, typically used when a domain owner does not want to take a stand on whether emails coming from other sources are valid or invalid.

### 4\. SPF hardfail (-all)

This is the strictest option as it tells receiving [mail servers](https://www.techtarget.com/whatis/definition/mail-server-mail-transfer-transport-agent-MTA-mail-router-Internet-mailer) that only the IP addresses explicitly listed in the [SPF record](/spf-record-checker/create-spf-record/) are authorized to send emails on behalf of the domain, and any emails from unauthorized sources should be rejected. This policy provides the highest level of protection against [email spoofing](https://www.pcmag.com/news/nsa-warns-of-north-korean-hackers-spoofing-emails-from-legit-domains), as unauthorized emails are not allowed to pass through.

![Email spoofing protection tips](https://media.mailhop.org/autospf/images/2024/09/spf-validator.jpg) 

### 5\. Fallback to DKIM

DKIM performs authentication checks by generating a unique [digital signature](https://www.ibm.com/docs/en/b2badv-communication/1.0.0?topic=overview-digital-signature) for the email using [public-key cryptography](https://en.wikipedia.org/wiki/Public%5Fkey%5Fcryptography). This signature is added to the [email’s header](https://whatismyipaddress.com/email-header) to ensure that the contents of the email have not been modified in transit. The recipient’s server uses the public key to validate the signature. _If the signature is valid, it confirms that the message was not tampered with and came from an authorized sender_.

If an SPF check fails, but the email is signed with [DKIM](/10-reasons-for-regular-spf-record-checks-in-cybersecurity/dkim-record-check/?) and passes that validation, the recipient server might still accept the email. This fallback ensures that emails passing other authentication methods can be trusted even if SPF fails.

### 6\. Local policy overrides

Some receiving [email systems](https://cybersecuritynews.com/russian-spies-hacked-microsoft/) allow administrators to set local policies that might override SPF failures. For example, if a specific sender domain frequently fails SPF but is otherwise trusted, the administrator can safelist the domain.

## Topics

[ DKIM ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ email security ](/tags/email-security/)[ SPF ](/tags/spf/)[ SPF record ](/tags/spf-record/) 

![Brad Slavin](https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Ready to get started?

Try AutoSPF free — no credit card required.

[ Book a Demo ](/book-a-demo/) 

## Related Articles

[  Intermediate 3m  3 points to consider before setting your SPF record to -all (HardFail)  May 22, 2025 ](/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/)[  Intermediate 5m  Are Your SPF and DKIM Identifiers Aligned?  Jul 18, 2024 ](/blog/are-your-spf-and-dkim-identifiers-aligned/)[  Intermediate 6m  Automated Solutions for Preventing Email Spoofing  May 7, 2026 ](/blog/automated-solutions-for-preventing-email-spoofing/)[  Intermediate 7m  AutoSPF Explains: The Definitive Guide to Adding an SPF Record to Cloudflare  Jan 7, 2026 ](/blog/autospf-definitive-guide-adding-spf-record-cloudflare/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"What are the fallback mechanisms in SPF?","description":"In SPF, fallback mechanisms come into play when an email fails SPF checks, but the recipient’s server or policies offer ways to handle or mitigate the failure.","url":"https://autospf.com/blog/what-are-the-fallback-mechanisms-in-spf/","datePublished":"2024-09-09T19:24:31.000Z","dateModified":"2026-04-18T02:36:41.000Z","dateCreated":"2024-09-09T19:24:31.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://autospf.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind AutoSPF, DMARC Report, Phish Protection, and Mailhop. He founded DuoCircle in 2014 to solve the SPF 10-DNS-lookup problem at scale and has led the company's growth to 2,000+ customers. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement) rather than hands-on DNS engineering.","image":"https://media.mailhop.org/autospf/images/authors/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/what-are-the-fallback-mechanisms-in-spf/"},"articleSection":"intermediate","keywords":"DKIM, DMARC, email security, SPF, SPF record","wordCount":517,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/images/2024/09/spf-record-tester-5757.jpg","caption":"phishing and spoofing","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://autospf.com/intermediate/"},{"@type":"ListItem","position":4,"name":"What are the fallback mechanisms in SPF?","item":"https://autospf.com/blog/what-are-the-fallback-mechanisms-in-spf/"}]}
```