Contact Us

The Skysnag Blog


Everything that causes an SPF fail: SPF ~all and -all explained

October 11, 2023  |  3 min read

SPF is a key technique of email authentication that lowers the percentage of spammers who are successful online. As a result, there are a variety of reasons why your SPF records could fail, including soft failures, hard failures, and additional SPF failures.

Learn more about SPF, SPF errors and the difference between an SPF soft fail and an SPF hard fail by reading this article.

What is SPF?

SPF(Sender Policy Framework) is an email authentication protocol that domain admins deploy to prevent spammers from spoofing their domain. The admin specifies the IPs allowed to send an email on the domain’s behalf in an SPF record. SPF is used by recipient mail servers to check if the emails received and appearing from a domain were authorized by the domain admins.

What does an SPF failure mean?

When the sender’s IP address cannot be located in the SPF record, SPF failure occurs. This could indicate that the email gets deleted entirely or forwarded to spam.

To clarify the distinction between SPF hard fail and SPF soft fail, we shall use two scenarios.

SPF hard fail example:

v=spf1 ip4: -all

The hyphen sign “-“ in front of “all” in the example above signifies that any senders not included in this SPF record should be considered a “hardfail,” which means they are unapproved and emails from them should be deleted. Only the IP address is permitted to send emails in this situation.

SPF soft fail example:

v=spf1 ~all

The hyphen “~” in front of “all” in the example above denotes that any servers not listed in this SPF record should be handled as a “softfail,” meaning that mail from these servers can still be delivered but should be marked as spam or suspicious. In this instance, Office 365 is permitted to send emails via the directive. The recipients should designate any emails coming from different servers as spam. Therefore with that being said let’s look at the difference between the two.

What is the difference between an SPF soft fail and an SPF hard fail?

The primary distinction between the two is rather straightforward. It’s on your SPF record.

If mail is sent from a different server than the IP listed in the SPF record, the receiving server will reject it and an SPF hard fail will result.

With an SPF fail, this will be marked as spam or suspicious.

How to test my SPF record

You can check your SPF configuration with our free Investigate tool to make sure your emails are authenticated properly.

Publishing a list of servers that are permitted to send on behalf of a domain is the core concept behind SPF.

After writing out a list of servers in the form of an SPF record the proper way to end an SPF record is with the phrase “and everything else on the Internet is NOT authorized.”

The “all” method is utilized in the manner the above is stated. This device works perfectly. by using a “-” or “~” prefix.


Avoid SPF failures right away and use Skysnag’s automated software to safeguard your domain’s reputation and keep away from compromised business emails, password theft, and potentially significant financial losses. Get started with Skysnag by using this link to sign up and monitor your email flow with Skysnag.

Check your domain’s DMARC security compliance

Enforce DMARC, SPF and DKIM in days - not months

Skysnag helps busy engineers enforce DMARC, responds to any misconfigurations for SPF or DKIM which increases email deliverability, and eliminates email spoofing and identity impersonation.