You're unsure whether to end your SPF record with ~all (softfail) or -all (hardfail), or you see “spf=softfail” in headers and wonder if it's hurting DMARC.
The final “all” qualifier decides what happens to senders NOT listed: -all = fail, ~all = softfail (accept but mark), ?all = neutral, +all = pass everything (never use it — it authorizes the whole internet). But for DMARC the choice barely matters: DMARC passes only when SPF produces an aligned “pass” from a matching mechanism before the all, and a softfail and a hardfail are both simply “not a pass” to DMARC. So switching -all to ~all will not fix a DMARC failure, and +all is the only genuinely dangerous setting. Source: RFC 7208 §4.6.2 · verified 2026-07-15
-all once you're confident the record lists every sender — it's the strongest SPF-only stance.+all: it lets anyone pass SPF for your domain.~all vs -all to change your DMARC result — only an aligned SPF or DKIM pass does that.DNS changes propagate within minutes to 48 hours. Mailbox providers pick up the new records on their next check — most senders see bounces stop within a day of correct configuration.
Formal enforcement targets bulk senders, but partial authentication already costs you inbox placement at every volume — and spoofing protection matters regardless of how much you send.
Hosting support can add DNS records for you, but they don't know which services send as your domain. You (or a monitoring tool reading your DMARC reports) have to provide that list — that's the actual hard part.