SPF Softfail vs Fail

Understand SPF ~all and -all policies and how to move a sender domain safely toward a stricter SPF posture.

SPF softfail uses ~all. It tells receivers that mail from unauthorized servers is suspicious but not necessarily forged. SPF fail uses -all. It is a stronger instruction that unauthorized senders should fail SPF.

Use ~all when you are still finding every legitimate sender. Move to -all only after your email platform, CRM, support desk, billing system, and marketing tools are all included in one clean SPF record.

The biggest SPF mistake is publishing duplicate records. A domain should have one v=spf1 TXT record that combines every approved sender.

Fix checklist