Defaults.Exposed › Reports
The SPF Misconfiguration Report: Most SPF Records Are Set Too Weak (2026)
Published 2026-06-29
Figures as of 2026-06-29 · methodology v7. Aggregate census data across the 138,927,207 domains that publish an SPF record, from 261 million graded domains. See how we grade.
Having SPF isn’t the same as having it set correctly — and most domains that publish SPF have it set too weak to do much. Of the 139 million domains with an SPF record, 55.8% end it in ~all (softfail), the permissive setting that tells receivers “this might be a forgery, but deliver it anyway.” Only 39.3% use the strict -all. SPF is widely adopted but, more often than not, declawed.
The “all” mechanism: where SPF is won or lost
Every SPF record ends in an “all” mechanism that says what to do with mail from servers not on your list. It’s the whole point of SPF — and the most common place it’s weakened:
| Ending | Meaning | Domains with SPF |
|---|---|---|
-all (hardfail) | Reject unlisted senders — the strict, intended setting | 39.3% |
~all (softfail) | “Probably a forgery, but accept it anyway” | 55.8% |
?all (neutral) | No opinion — effectively no protection | 3.0% |
+all | Authorise the entire internet to send as you | 36,014 domains |
| other / none | redirect/include-only or no terminal all | 1.8% |
The headline is that softfail (~all) is the most common setting at 55.8% — more than hardfail. On its own, softfail provides weak protection: it asks receivers not to trust unlisted mail, but not to reject it.
The dangerous edge cases
+all— 36,014 domains. This is the worst possible SPF value: it explicitly tells the world that any server is allowed to send email as the domain. It’s almost always a copy-paste accident, and it’s strictly worse than having no SPF at all.- Too many DNS lookups — 7,958 domains. SPF allows a maximum of 10 nested DNS lookups; exceed it and the record is a “permerror” that receivers treat as broken. It’s rarer than feared (0.01% of SPF records), but when it bites, it silently voids your SPF entirely.
Is softfail actually a problem?
Not if it’s backed by DMARC. The modern best practice is ~all plus a DMARC policy of quarantine or reject — that pairing gives you strict enforcement without breaking forwarded mail. The problem is the large share of domains on ~all with no enforcing DMARC behind it — only 10.59% of all domains enforce DMARC — which leaves softfail doing almost nothing. SPF set to ~all is a means to an end; without DMARC, it’s just a suggestion.
Frequently asked questions
What’s the difference between ~all and -all in SPF?
-all (hardfail) tells receivers to reject mail from servers not on your list. ~all (softfail) tells them to accept it anyway but mark it suspicious. 55.8% of domains with SPF use ~all; 39.3% use -all.
Is ~all (softfail) safe to use?
Yes — but only when paired with an enforcing DMARC policy (quarantine or reject). On its own, softfail provides weak protection.
What does +all do?
+all authorises every server on the internet to send email as your domain — worse than no SPF. 36,014 domains have this, almost always by mistake.
What is the SPF “too many lookups” error? SPF permits at most 10 nested DNS lookups; beyond that the record fails as a “permerror” and is ignored. It affects 7,958 domains.
Check your SPF is set correctly
Publishing SPF is half the job; setting it strictly and backing it with DMARC is the other half. Check your domain privately and free.
Check your domain → · Fix SPF → · Fix DMARC → · Why emails go to spam → · Aggregate data only. Data stored and processed in the EU.