How to fix “SPF ~all vs -all (softfail)” from SPF qualifiers

You're unsure whether to end your SPF record with ~all (softfail) or -all (hardfail), or you see “spf=softfail” in headers and wonder if it's hurting DMARC.

Check your domain first — 10 seconds, free, no signup.
See your DMARC policy, SPF lookup count and every issue explained in plain English.
Run the free check →

What this means

The final “all” qualifier decides what happens to senders NOT listed: -all = fail, ~all = softfail (accept but mark), ?all = neutral, +all = pass everything (never use it — it authorizes the whole internet). But for DMARC the choice barely matters: DMARC passes only when SPF produces an aligned “pass” from a matching mechanism before the all, and a softfail and a hardfail are both simply “not a pass” to DMARC. So switching -all to ~all will not fix a DMARC failure, and +all is the only genuinely dangerous setting. Source: RFC 7208 §4.6.2 · verified 2026-07-15

How to fix it

Step 1. Use -all once you're confident the record lists every sender — it's the strongest SPF-only stance.
Step 2. Never publish +all: it lets anyone pass SPF for your domain.
Step 3. Don't expect ~all vs -all to change your DMARC result — only an aligned SPF or DKIM pass does that.
Step 4. If you get softfail on your OWN mail, a sending IP or include is missing from the record — add it, minding the 10-lookup cap.

Frequently asked

How long until fixes take effect?

DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.

Does this apply if I send fewer than 5,000 emails a day?

Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.

Can I just ask my hosting provider to fix it?

Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.

Don't want to babysit DNS records?
DMARCKeeper monitors your reports, names every sender, and walks you to full p=reject protection.
Start free monitoring →