SPF -all

What is SPF -all?

The -all mechanism in an SPF (Sender Policy Framework) record defines the strictest possible policy for unauthorized email senders. It tells receiving mail servers to reject any email that doesn’t come from an IP address or domain explicitly listed in your SPF record.

In short, -all means: “If it’s not on the list, fail it.”

Example SPF record:

This record states that only the servers authorized by Google’s SPF entry are permitted to send email for the domain. Any other server attempting to send mail using the same domain should be rejected.

How SPF -all Works

An SPF record is a DNS TXT entry that specifies which mail servers are allowed to send messages on behalf of your domain. It consists of mechanisms (like ip4, include, or a) followed by a qualifier that indicates what to do when a message matches, or doesn’t.

The -all qualifier serves as the final rule:

• The receiving mail server evaluates each mechanism in order.
• If no match is found, the -all instruction tells the server to fail SPF authentication for that message.

Other common qualifiers include:

• ~all → Softfail (accept but flag as suspicious)
• ?all → Neutral (no policy)
• +all → Allow all (not recommended)

By using -all, domain owners enforce a hard fail, signaling that only the defined sources are legitimate.

Why SPF -all Matters

Using -all significantly strengthens domain protection against spoofing and phishing attacks. Without it, unauthorized servers could send messages that appear to come from your domain, potentially tricking recipients or damaging your sender reputation.

A hard fail helps mail receivers and DMARC policies take decisive action. For example:

• If SPF fails and DMARC alignment is enforced, the message can be quarantined or rejected.
• Security systems can better trust messages that pass SPF, reducing false positives.

However, implementing -all prematurely, before verifying all legitimate sending sources, can lead to delivery failures for valid mail. It’s best practice to start with ~all (softfail) during testing, then move to -all once your SPF setup is fully validated.

SPF -all and DMARCeye

DMARCeye helps organizations safely transition to a -all policy by monitoring which servers are sending mail for their domain. Through detailed DMARC reports, DMARCeye shows whether each source passes or fails SPF checks, making it easy to identify legitimate systems before tightening enforcement.

Once you’re ready, DMARCeye’s insights ensure your SPF -all configuration supports your DMARC policy without blocking valid traffic.

Sign up for a free trial of DMARCeye today and secure your email domain.

To learn more about DMARC and DMARC-related terms, explore the DMARCeye Glossary.