Defaults.Exposed › Reports
SPF ~all vs -all: Softfail or Hardfail — What 139 Million Records Chose (2026)
Published 2026-07-03
Figures as of 2026-06-29 · methodology v7. Aggregate census data across 261 million graded domains. All figures are aggregate — we never publish an individual business’s record. See how we grade.
Every SPF record ends in an “all” mechanism — the verdict on mail from anywhere not on your list — and the internet has overwhelmingly chosen the soft one: 55.8% of the 139 million domains publishing SPF end in ~all (softfail), against 39.3% ending in -all (hardfail). One character separates “reject forgeries” from “probably a forgery — deliver it anyway”. Which one is right for you depends on a second setting most owners never configure.
What do ~all and -all actually tell a receiver?
-all(hardfail): “Reject mail from anywhere else.” A firm no.~all(softfail): “Mail from elsewhere is probably not legitimate — accept it, perhaps flag it.” A shrug.?all(neutral): “No opinion.” Chosen by 3.0% of publishers; protection in name only.+all: “Anyone may send as me.” Published by 36,014 domains, and worse than no record — the welcome-mat problem has its own report.
Is ~all wrong, then? Only if it’s alone — and it almost always is
Softfail has a defensible modern case: Google’s sender guidelines, and most deliverability practice with them, converge on ~all paired with an enforcing DMARC policy (p=reject). The pairing protects as well as -all at every DMARC-evaluating receiver — which now includes all the major mailbox providers — without hard-bouncing legitimate forwarded mail, the classic -all casualty. In that configuration the shrug has teeth: DMARC supplies the verdict SPF declined to give.
But the pairing is the whole point, and here is what the census adds that setup guides can’t: of the 77,484,057 softfail records on the internet, only 7.1 million — about 1 in 11 — have an enforcing DMARC policy behind them. For the other 70.4 million domains, ~all is exactly what it sounds like. Their record identifies the forgery and waves it through.
Didn’t the 2024 mandates fix this?
No — and the distinction matters more than most coverage suggests. Google and Yahoo began requiring authentication from bulk senders in February 2024, with Microsoft following in May 2025: passing, aligned SPF or DKIM, plus a DMARC record at minimum p=none. The mandates stop short of requiring enforcement — a domain with ~all, a p=none record and aligned DKIM complies fully, and remains fully spoofable. The mandates normalised the paperwork, not the protection. That unenforced middle — compliant, published, forgeable — is precisely the gap this census measures, and it is the largest population in email security.
So what should your record end in?
- You send mail and forwarding matters (newsletters, mailing lists, aliases):
~allwith DMARCp=rejectbehind it — the recommended pairing above. - You send mail from a tightly controlled setup:
-allworks and states the policy in the record itself. Map your senders first — a strict ending on an unmapped record breaks real mail, or worse. - The domain never sends:
-allplusp=reject, today. Nothing legitimate exists to protect, so there’s nothing to break.
Whichever ending you choose, the census’s one-line lesson holds: the qualifier only matters as much as what enforces it. Where you stand on that ladder is measurable.
Frequently asked questions
Is SPF ~all or -all better?
Neither, universally. ~all with an enforcing DMARC policy is the pattern Google’s guidelines recommend — equal protection at DMARC-evaluating receivers without breaking forwarded mail. -all suits tightly controlled senders. ~all alone — the state of all but 1 in 11 softfail domains — is the weak option.
What does SPF softfail mean?
~all tells receivers that mail from unlisted servers is probably illegitimate but should still be accepted, usually with suspicion. It becomes real protection only when a DMARC policy acts on the failure; see SPF without DMARC.
Will hardfail -all break my forwarded email?
It can: forwarding re-sends your mail from the forwarder’s server, which your SPF doesn’t list, and a hardfail invites rejection before DKIM or DMARC weigh in. That risk is why the ~all + p=reject pairing exists.
Do Google and Microsoft require -all now?
No. The bulk-sender mandates require aligned, passing authentication and a DMARC record at minimum p=none — no enforcement, no specific qualifier. Google’s rejection of non-compliant bulk mail is live; Microsoft has been junking failures and moving towards outright rejection. Compliance is not protection.
Check what your record ends in — and what stands behind it
Two lookups tell you both, free, in 30 seconds. If you’re one of the 70.4 million unenforced shrugs, the fix is a DNS record, not a purchase.
Check your domain → · Fix SPF → · Fix DMARC → · The SPF maturity model → · The +all map → · Aggregate data only. Data stored and processed in the EU.