When to tighten SPF from ~all to -all

SPF records end with a mechanism that tells receivers what to do with mail from servers not listed in your record. ~all (softfail) suggests it shouldn't pass but leaves the decision to the receiver. -all (hardfail) explicitly says to reject it.

What each setting means

  • +all — allow anyone to send (dangerous, never use this)
  • ?all — neutral, no opinion (provides no protection)
  • ~all — softfail: not authorized, but don't hard-reject (most common default)
  • -all — hardfail: explicitly unauthorized, reject

When you're ready for -all

  • All legitimate senders are in your SPF record — every service that sends as your domain is listed via include: or ip4:
  • DMARC is at least p=quarantine — SPF hardfail is most effective when combined with DMARC enforcement
  • You've verified with DMARC reports — no legitimate mail is failing SPF
  • No forwarding dependencies on SPF — forwarded mail fails SPF by design (the forwarding server's IP isn't in your SPF). If you rely on SPF for forwarded mail, -all will break it. DKIM is more reliable for forwarded mail.

Risks

  • Forwarding breakage — SPF checks the connecting server's IP. Forwarding servers won't be in your SPF record. With -all, forwarded mail explicitly fails SPF (though DKIM may still pass and save DMARC alignment).
  • DNS lookup limits — SPF allows a maximum of 10 DNS lookups. If your record has many include: directives, adding more senders could push you over the limit. Check your include count in Diagnostics.
  • Legacy services — older email systems may not handle hardfail well
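As an added example that is not part of this article, a small Python check over an SPF record: it parses the qualifiers described above, counts the top-level terms that consume DNS lookups toward the limit of 10, and shows how the same unlisted sender IP gets softfail under ~all and fail under -all. Sample records and IPs in the comments are constructed; nested includes are not resolved, so the lookup count covers only the record itself.

```python
import ipaddress

# Terms that each consume one of the 10 DNS lookups RFC 7208 allows.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}  # no prefix means "+"

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, value) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        sep = "=" if "=" in term else ":"  # modifiers use '=', mechanisms ':'
        name, _, value = term.partition(sep)
        terms.append((qualifier, name.split("/")[0].lower(), value))
    return terms

def count_lookups(record):
    """Top-level lookup count only: nested include: records also count
    toward the same limit of 10 and need recursive DNS resolution to total."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)

def all_qualifier(record):
    """Return the qualifier on the 'all' term, or None if the record has none."""
    return next((q for q, name, _ in parse_spf(record) if name == "all"), None)

def evaluate_ip(record, sender_ip):
    """SPF result for a connecting IP using only ip4/ip6 terms and 'all'.
    include/a/mx terms need DNS and are skipped in this offline check."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIER_RESULT[qualifier]
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no 'all' term: RFC 7208's default result

def hardfail_readiness(record):
    """Record-level problems to fix before moving the 'all' term to -all."""
    issues = []
    if all_qualifier(record) == "+":
        issues.append("+all authorizes every sender")
    lookups = count_lookups(record)
    if lookups > 10:
        issues.append("%d lookup terms exceed the limit of 10" % lookups)
    return issues
```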

Rollout checklist

  1. Review your current SPF includes in Diagnostics
  2. Confirm no legitimate senders are missing from your SPF record
  3. Change ~all to -all in your DNS TXT record
  4. Monitor DMARC reports for 3-5 days for any new SPF failures

How to roll back

Change -all back to ~all in your DNS record. Takes effect immediately for new lookups.