Defaults.Exposed

Defaults.Exposed › Reports

SPF +all: The Domains That Let the Whole Internet Send As Them (2026)

Published 2026-07-03

Figures as of 2026-06-29 · methodology v7. Aggregate census across 261 million graded domains. All figures aggregate — never an individual business’s record. See how we grade.

36,014 domains end their SPF record with +all — a published, machine-readable declaration that every server on the internet is authorised to send email as them. It is the rarest SPF misconfiguration (0.03% of publishers) and the most self-defeating: an absent record leaves receivers to their own heuristics, but +all affirmatively tells them the forger is legitimate.

What does +all mean in an SPF record?

The final all mechanism carries a qualifier — the verdict for senders not on your list. -all rejects them, ~all doubts them — and +all approves them. A receiver checking a forged message against a +all record returns a clean SPF pass. That’s the harm in one sentence: your protection vouches for the forger. And because an SPF pass can satisfy DMARC’s SPF leg, the pass can help a spoof through the very system built to stop it.

The map: where the welcome mats cluster

+all is everywhere, thinly — but the rate varies sharply by ending. Counts from the census; rate = +all records per 10,000 of that TLD’s SPF publishers:

TLD+all domainsRate per 10,000
.be1,39922.5
.nl1,9658.8
.eu6726.6
.fr1,1476.2
.net1,6403.6
.org1,3922.8
.com16,6362.4
.de7321.3

The Benelux-French cluster stands out: a .be SPF publisher is roughly 9 times more likely to carry +all than a .com one (22.5 vs 2.4 per 10,000). A pattern this concentrated rarely means thousands of independent mistakes — the most plausible explanation is a shared source: a regional hosting panel, registrar template or how-to article that shipped +all and got copied for years. The same fingerprint shows up one notch down the severity ladder: 22.6% of .za’s SPF records end in neutral ?all, a national outlier that points the same way.

How does anyone end up with +all?

Three routes, all innocent:

The one-character fix

Change +all to -all — or ~all with enforcing DMARC behind it. One character in one TXT record, free, and it takes effect as soon as DNS updates — usually within the hour. There is no faster security improvement available on a domain.

Frequently asked questions

What does +all mean in an SPF record? It authorises every server on the internet to send email as your domain — the opposite of SPF’s purpose. 36,014 domains publish it as of 2026-06-29.

Is +all worse than having no SPF record? In the one way that matters, yes: no record leaves receivers guessing, while +all can convert a forgery into a clean SPF pass — a pass that can even help it through DMARC. Some filters also treat +all itself as a spam signal, so it can hurt your legitimate mail too.

How do I check my domain for +all? Read your TXT records (dig TXT yourdomain.com) or run the free check — a permissive qualifier is flagged immediately.

Why would a template ever default to +all? Most plausibly because it generates no support tickets — every delivery “works”, including the fraudulent ones. The regional clustering in our data is consistent with template defaults rather than thousands of individual choices, though the census sees the records, not their authors.

Check your ending

Most owners with a welcome mat out have no idea it’s there. Reading your own doormat takes half a minute, and rewriting it costs one character.

Check your domain → · Fix SPF → · ~all vs -all · The misconfiguration hall of fame → · Aggregate data only. Data stored and processed in the EU.