--- title: "What is SPF Softfail? | DuoCircle" description: "SPF softfail (~all) tells receiving mail servers that a message failing SPF should still be accepted but marked as suspicious. Softfail is a transitional policy used while you discover legitimate senders before tightening to fail (-all)." image: "https://www.duocircle.com/images/og-default.png" canonical: "https://www.duocircle.com/resources/what-is-spf-softfail/" --- DuoCircle # What is SPF Softfail? SPF softfail (\~all) tells receiving mail servers that a message failing SPF should still be accepted but marked as suspicious. Softfail is a transitional policy used while you discover legitimate senders before tightening to fail (-all). [ Talk to an Expert → ](/contact/) [ See what we make ](/products/) ## What is SPF Softfail? ## What is SPF Softfail? [Fix Your SPF Errors Now](/content/spf-permerror) ###### [EMAIL SECURITY SERVICES](/) ###### [PLANS AND PRICING](/email/outbound-smtp#pricingarea) ###### [SPF RECORDS](/email/spf-record-check) ### Preface SPF softfail is the status result of an email whose sender’s IP address is not _probably_ added to the list updated on DNS. This means that the domain administrator has not published **clear and definitive restrictions** on who all can send emails using the domain. [DMARC](/email/dmarc) results can show it as a pass or fail, based on the DMARC policy set by you. ![email security](https://media.mailhop.org/duocircle/images/2019/02/email-phishing-protection.png) ### What is SPF and How Does it Work? Before jumping onto learning what SPF softfail is, let’s quickly recall what SPF is. SPF is short for Sender Policy Framework, an email authentication protocol that allows only explicitly mentioned IP addresses or servers to send emails using a specific domain. This exercise effectively prevents [phishing](https://www.cnbc.com/2023/01/07/phishing-attacks-are-increasing-and-getting-more-sophisticated.html) and [spoofing attacks](/content/sender-policy-framework/spf-record-example) attempted in your company’s name. ![email security](https://www.duocircle.com/wp-content/uploads/2023/05/spf-softfail-1.jpg) SPF works using a **TXT SPF record** that enlists all the IP addresses and servers you identify as legitimate to send emails using your domain name. Then, the recipient’s mail server performs a DNS lookup to determine whether the sender’s IP address is part of the list or not. If yes, the authentication check passes, if not, it fails, and the email doesn’t reach their inboxes or is **marked as spam**. ### What Does SPF Failure Mean? As per the definition, an email experiences an SPF failure when its sender’s IP address isn’t part of the list updated on DNS. Such email senders are perceived as [spammers](https://economictimes.indiatimes.com/tech/technology/scammers-target-whatsapp-users-with-phishing-attempts/articleshow/100143463.cms?from=mdr) or phishers. An SPF failure leads to SPF soft fail or a hardfail. ### What is SPF Softfail? A softfail SPF means the sender’s IP address isn’t _probably_ authorized. If you have added an _\~all_ mechanism to your SPF record, you will see SPF soft fail status for all the addresses failing [email verifier](https://www.findymail.com/email-verifier/) checks. ### SPF Soft Fail Example **v=spf1 include:spf.example.outlook.com \~all** In this example, the tilde sign (\~) next to ‘_all_ ‘ represents a softfail SPF for IP addresses not mentioned in the TXT record. This instructs receiving mail servers to allow such emails, but they must be tagged as spam or suspicious. ![office 365 tenant to tenant migration](https://media.mailhop.org/duocircle/images/2021/09/azure-tenant-migration.png) ### What is SPF Hardfail? SPF hardfail is formally termed a fail in [RFC7208](https://datatracker.ietf.org/doc/html/rfc7208). If an email receives SPF hardfail as a status, it means that its sender’s email address is _explicitly_ not permitted to send emails using the domain. It instructs recipients’ servers to reject all emails failing SPF checks outrightly. You need to add an _\-all_ mechanism to your [SPF record](/content/spf-records) to ensure only emails sent by authorized entities land in recipients’ inboxes. Any fraudulent servers will trigger SPF to fail, and the email messages can be discarded altogether. ### SPF Hardfail Example **v=spf1 ip4:196.178.0.2 -all** In this example, the minus sign (-) next to ‘_all’_ represents hardfail, meaning emails from senders outside the list should be rejected. Here, only the IP address 196.178.0.2 is authorized to send emails. ![office 365 tenant to tenant migration](https://media.mailhop.org/duocircle/images/2021/11/ms-office365-migration-guide.png) ### SPF Softfail Or Hardfail? You need to understand a few concepts to understand which one is better. #### What is SPF Relaying? Relaying is an SMTP service that basically relays all incoming emails to a different domain belonging to the same company. Say, for example, emails from _company-2022.com_ may automatically be relayed to _company-2023.com_. ![](https://www.duocircle.com/wp-content/uploads/2023/05/SMTP.jpg) This may seem harmless initially, but if we dig deeper, you will understand why it is an issue for [SPF deployment](/content/spf-record-check). So, once an email is relayed, the SMTP service has an IP address that will likely not match the SPF policy. This results in SPF failure for genuine emails as well if you have set your SPF to hardfail. Moreover, relaying occurs at the receiver’s end, and there’s no way you can handle it. #### Why is SPF Hardfail an Issue? SPF hardfail occurs at the SMTP level; so, if an email bounces at the SMTP level due to a hardfail, the receiver’s server doesn’t perform further checks, due to which [DKIM](/resources/what-is-dkim) and DMARC verification drill gets ignored. So, with SPF hardfail, a genuine and DKIM-authorized email can get rejected if it was relayed. That’s why the use of SPF hardfail should be done cautiously. #### Does Softfail Keep Your Domain Less Protected? Irrespective of choosing SPF soft fail or hard fail, SPF alone cannot fully protect you against phishing, spamming, and other email-based attacks. You must combine it with DKIM and DMARC for enhanced [cybersecurity](/). But this does not mean you should overlook SPF; it’s flawed but not deprecated. Your domain also requires it for legacy or otherwise poorly configured email systems that do not support DKIM and/or DMARC. ![office 365 tenant to tenant migration](https://media.mailhop.org/duocircle/images/2021/11/ms-office365-migration-guide.png) ### How to Switch From Softfail to Hardfail? Now that you know what is [SPF softfail](https://autospf.com/blog/spf-softfail-is-a-smarter-choice-than-spf-hardfail-lets-find-out-why/), let’s see how you can switch to its harder version. Start by collating an extensive list of IP addresses authorized to send emails using your domain. Then, add the updated list to your [DNS record](https://www.techopedia.com/definition/5349/dns-record) and use the hardfail mechanism next to them, i.e., _all._ It’s recommended to provide a defense SPF record for parked domains as well to prevent SPF failure for genuine emails and [phishing attacks](/resources/how-does-a-phishing-attack-work). This should be followed by setting a DMARC policy that best meets your email authentication expectations. ### It’s a Wrap An SPF failure occurs when the sender’s IP address does not belong to the TXT record updated on the DNS. SPF failure is of two types; SPF softfail (\~all) and SPF hardfail (-all). SPF soft fail instructs receiving mail servers to allow unauthorized emails, but they must be tagged as spam or suspicious. While on the other hand, SPF hardfail commands to outrightly reject such emails. However, on setting the TXT record to SPF hardfail, sometimes genuine emails can also get rejected due to [SMTP](/email/outbound-smtp) relaying, which can be problematic. Therefore you must consider both mechanisms’ pros and cons before deciding which one you want to go for. ![office 365 tenant to tenant migration](https://media.mailhop.org/duocircle/images/2021/11/ms-office365-migration-guide.png) ## Ready to talk? Same-day response from someone technical. We tell you yes or no quickly. If yes, we get to work. [Talk to an Expert→](/contact/)[See what we make](/products/) ```json {"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}],"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://www.g2.com/products/phish-protection-by-duocircle/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://support.duocircle.com"},"knowsAbout":["Email Security","Email Authentication","SPF","DKIM","DMARC","Phishing Protection","Spam Filtering","SMTP Relay","Email Deliverability","Email Forwarding"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DuoCircle LLC","url":"https://www.duocircle.com","description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}} ``` ```json [{"@context":"https://schema.org","@type":"WebPage","name":"What is SPF Softfail?","description":"SPF softfail (~all) tells receiving mail servers that a message failing SPF should still be accepted but marked as suspicious. Softfail is a transitional policy used while you discover legitimate senders before tightening to fail (-all).","url":"https://www.duocircle.com/resources/what-is-spf-softfail/","speakable":{"@type":"SpeakableSpecification","cssSelector":[".page-answer",".duo-rich-text p:first-of-type"]},"dateModified":"2026-04-08T18:18:03.000Z","datePublished":"2023-05-15T14:15:29.000Z"},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"DuoCircle","item":"https://www.duocircle.com/"},{"@type":"ListItem","position":2,"name":"What is SPF Softfail?","item":"https://www.duocircle.com/resources/what-is-spf-softfail/"}]}] ```