Defaults.Exposed

Defaults.Exposed › Reports

SPF ~all vs -all: Softfail or Hardfail — What 139 Million Records Chose (2026)

Published 2026-07-03

Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. All figures are aggregate — we never publish an individual business’s record. See how we grade.

Every SPF record ends in an “all” mechanism — the verdict on mail from anywhere not on your list — and the internet has overwhelmingly chosen the soft one: 55.8% of the 139 million domains publishing SPF end in ~all (softfail), against 39.3% ending in -all (hardfail). One character separates “reject forgeries” from “probably a forgery — deliver it anyway”. Which one is right for you depends on a second setting most owners never configure.

What do ~all and -all actually tell a receiver?

Is ~all wrong, then? Only if it’s alone — and it almost always is

Softfail has a defensible modern case: Google’s sender guidelines, and most deliverability practice with them, converge on ~all paired with an enforcing DMARC policy (p=reject). The pairing protects as well as -all at every DMARC-evaluating receiver — which now includes all the major mailbox providers — without hard-bouncing legitimate forwarded mail, the classic -all casualty. In that configuration the shrug has teeth: DMARC supplies the verdict SPF declined to give.

But the pairing is the whole point, and here is what the census adds that setup guides can’t: of the 77,484,057 softfail records on the internet, only 7.1 million — about 1 in 11 — have an enforcing DMARC policy behind them. For the other 70.4 million domains, ~all is exactly what it sounds like. Their record identifies the forgery and waves it through.

Didn’t the 2024 mandates fix this?

No — and the distinction matters more than most coverage suggests. Google and Yahoo began requiring authentication from bulk senders in February 2024, with Microsoft following in May 2025: passing, aligned SPF or DKIM, plus a DMARC record at minimum p=none. The mandates stop short of requiring enforcement — a domain with ~all, a p=none record and aligned DKIM complies fully, and remains fully spoofable. The mandates normalised the paperwork, not the protection. That unenforced middle — compliant, published, forgeable — is precisely the gap this census measures, and it is the largest population in email security.

So what should your record end in?

  1. You send mail and forwarding matters (newsletters, mailing lists, aliases): ~all with DMARC p=reject behind it — the recommended pairing above.
  2. You send mail from a tightly controlled setup: -all works and states the policy in the record itself. Map your senders first — a strict ending on an unmapped record breaks real mail, or worse.
  3. The domain never sends: -all plus p=reject, today. Nothing legitimate exists to protect, so there’s nothing to break.

Whichever ending you choose, the census’s one-line lesson holds: the qualifier only matters as much as what enforces it. Where you stand on that ladder is measurable.

Frequently asked questions

Is SPF ~all or -all better? Neither, universally. ~all with an enforcing DMARC policy is the pattern Google’s guidelines recommend — equal protection at DMARC-evaluating receivers without breaking forwarded mail. -all suits tightly controlled senders. ~all alone — the state of all but 1 in 11 softfail domains — is the weak option.

What does SPF softfail mean? ~all tells receivers that mail from unlisted servers is probably illegitimate but should still be accepted, usually with suspicion. It becomes real protection only when a DMARC policy acts on the failure; see SPF without DMARC.

Will hardfail -all break my forwarded email? It can: forwarding re-sends your mail from the forwarder’s server, which your SPF doesn’t list, and a hardfail invites rejection before DKIM or DMARC weigh in. That risk is why the ~all + p=reject pairing exists.

Do Google and Microsoft require -all now? No. The bulk-sender mandates require aligned, passing authentication and a DMARC record at minimum p=none — no enforcement, no specific qualifier. Google’s rejection of non-compliant bulk mail is live; Microsoft has been junking failures and moving towards outright rejection. Compliance is not protection.

Check what your record ends in — and what stands behind it

Two lookups tell you both, free, in 30 seconds. If you’re one of the 70.4 million unenforced shrugs, the fix is a DNS record, not a purchase.

Check your domain → · Fix SPF → · Fix DMARC → · The SPF maturity model → · The +all map → · Aggregate data only. Data stored and processed in the EU.