---
title: "SPF Softfail or SPF Hardfail: What’s Right for Your Domain? | DMARC Report"
description: "SPF Softfail or SPF Hardfail: What’s Right for Your Domain?: Per RFC 7208, SPF evaluation is capped at 10 DNS mechanism lookups and 2 void lookups per check."
image: "https://dmarcreport.com/og/blog/spf-softfail-or-spf-hardfail-whats-right-for-your-domain.png"
canonical: "https://dmarcreport.com/blog/spf-softfail-or-spf-hardfail-whats-right-for-your-domain/"
---

Quick Answer

When it comes to email authentication, \[SPF\](https://dmarcreport.com/what-is-spf/) offers different result qualifiers to indicate how the receiving mail server should handle emails that are outside of the list mentioned in the SPF record of the sending domain.

Related: [Free DMARC Checker](/tools/dmarc-checker/) ·[How to Create an SPF Record](/tools/spf-record-generator/) ·[SPF Record Format](/blog/spf-format-checker-dos-and-donts-for-email-authentication/) 

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fspf-softfail-or-spf-hardfail-whats-right-for-your-domain%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=SPF%20Softfail%20or%20SPF%20Hardfail%3A%20What%E2%80%99s%20Right%20for%20Your%20Domain%3F&url=undefined%2Fblog%2Fspf-softfail-or-spf-hardfail-whats-right-for-your-domain%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fspf-softfail-or-spf-hardfail-whats-right-for-your-domain%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fspf-softfail-or-spf-hardfail-whats-right-for-your-domain%2F&title=SPF%20Softfail%20or%20SPF%20Hardfail%3A%20What%E2%80%99s%20Right%20for%20Your%20Domain%3F "Share on Reddit") [ ](mailto:?subject=SPF%20Softfail%20or%20SPF%20Hardfail%3A%20What%E2%80%99s%20Right%20for%20Your%20Domain%3F&body=Check out this article: undefined%2Fblog%2Fspf-softfail-or-spf-hardfail-whats-right-for-your-domain%2F "Share via Email") 

![SPF Softfail or SPF Hardfail: What’s Right for Your Domain?](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) 

Per [RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208), SPF evaluation is capped at 10 DNS mechanism lookups and 2 void lookups per check - exceeding either limit produces a `PermError` that fails authentication for every message from the domain. When it comes to email authentication, [SPF](https://dmarcreport.com/what-is-spf/) offers different result qualifiers to indicate how the receiving mail server should handle emails that are outside of the list mentioned in the SPF record of the **sending domain**.

> Email authentication isn’t just about preventing spoofing - it’s about trust, says Vasile Diaconu, Operations Lead at DuoCircle. Every email your organization sends either builds trust or erodes it. SPF, DKIM, and DMARC are the foundation of that trust. Without them, receivers have no way to distinguish your legitimate email from an attacker’s.

These result qualifiers are [SoftFail and HardFail](https://support.cpanel.net/hc/en-us/articles/360051455074-What-is-the-difference-between-an-SPF-hard-fail-and-soft-fail-). There is no hard-and-fast rule as to which one’s the better choice - choosing the \*\*right SPF policy depends on your domain’s needs and priorities.

Read on to learn more about the factors you need to consider and other protocols you can combine with SPF to enhance your [email infrastructure](https://dmarcreport.com/blog/dmarc-office-365-complete-setup-guide-2026/).

## How Does SPF SoftFail Compare to HardFail?

When a domain owner uses the [SoftFail mechanism](https://glockapps.com/blog/spf-soft-fail/), they add the “\~all” qualifier to their SPF record. This means that the domain owner recommends that the recipient’s mail server mark the email as potentially suspicious but doesn’t necessarily reject it outright. In this case, the emails subjected to the SoftFail mechanism get placed in **spam folders**.

In practice, many email systems treat SoftFail as a weaker indication of failure compared to HardFail. SoftFail allows for **some flexibility**, understanding that not all \*\*legitimate email servers may be explicitly listed in the SPF record.

On the other hand, when a [domain owner](https://www.domain.com/blog/find-a-domain-name-owner/#:~:text=Once%20a%20person%20has%20legally,sell%20it%20at%20any%20time.) uses the HardFail mechanism, it adds the “-all” qualifier to its SPF record. This indicates that the domain owner wants the recipient’s mail server to reject any email that does not match the \*\*IP addresses or “.from” in the SPF record. _HardFail is a stricter policy, and it may result in a higher likelihood of legitimate emails being rejected if the SPF record is not properly configured to include all authorized mail servers, or due to instances of false positives_.

## Why Might Genuine Emails Get Rejected?

SPF is a powerful tool for preventing [email sp](https://www.techradar.com/pro/qr-codes-are-being-used-in-phishing-attacks-against-us-institutions)[oofing](https://www.techradar.com/pro/qr-codes-are-being-used-in-phishing-attacks-against-us-institutions) and phishing, but it’s important to configure it correctly to avoid unintended consequences. Here are some scenarios in which \*\*genuine emails might be rejected by recipients’ mail servers:

## Incomplete SPF Records

If the [SPF record](https://dmarcreport.com/tools/spf-record-generator/) for a domain is incomplete or does not include all the legitimate mail servers that send emails on behalf of that domain, genuine emails from those servers may be rejected.

## Dynamic IP Addresses or Third-Party Services

If a business uses [dynamic IP addresses](https://www.techtarget.com/whatis/definition/dynamic-IP-address) or relies on third-party services to send emails, and these sources are not explicitly included in the SPF record, legitimate [emails may be marked as spam](https://kinsta.com/blog/why-are-my-emails-going-to-spam/) or **get rejected**.

## Email Forwarding

SPF can cause issues with [email forwarding](https://dmarcreport.com/blog/does-forwarding-mailers-affect-dmarc-alignment-and-how-to-mitigate/). If an email is forwarded through a server that is not listed in the SPF record of the original sender’s domain, the \*\*forwarded email may fail SPF checks and be rejected or marked as spam by the recipient’s mail server.

## Changes in Infrastructure

If you are using a new email service provider or adding/removing mail servers, the SPF record \*\*must be updated accordingly. Failure to update the SPF record can lead to negative authentication results for [legitimate emails](https://www.trendmicro.com/vinfo/sg/security/definition/graymail).

## Misconfigured SPF Records

[Errors in configuring SPF records](https://netcorecloud.com/tutorials/spf-errors/), such as typos or **incorrect syntax**, can lead to SPF failures. If the SPF record is not properly set up, even legitimate emails might [fail SPF](https://dmarcreport.com/blog/what-causes-spf-record-failure-and-how-to-troubleshoot-common-issues/) checks.

![Dmarc office 365](https://media.mailhop.org/dmarcreport/images/2024/01/dmarc-office-365-44.jpg) 

## How Do You Choose the Right SPF Policy for Your Domain?

Before selecting an **SPF policy**, it’s crucial to have a comprehensive understanding of what your organization needs . Here’s a rundown on factors to consider when choosing between SPF SoftFail and HardFail:

## The Email Infrastructure

Identify \*\*all the legitimate mail servers that send emails on behalf of the domain. This includes internal servers, [third-party services](https://www.investopedia.com/terms/t/third-party.asp), and any other authorized sources. Failure to include all legitimate sources in the SPF record can result in genuine emails being rejected.

## Level of Control

The choice between [SPF SoftFail](https://glocksoft.medium.com/spf-soft-fail-everything-about-spf-failures-5b1f3e10fd6d) (\~all) and SPF HardFail (-all) depends on your desired level of control over email authentication. You should assess your [risk tolerance](https://www.proserveit.com/blog/define-risk-tolerance-level#whatisrisk) and the importance of strict **email policy enforcement**. You should prioritize a strict policy over flexibility for **non-email-sending domains**.

## Potential Impact on Legitimate Emails

SPF HardFail, while **enhancing security**, may result in [false positives](https://www.nospamproxy.de/en/what-is-a-false-positive-and-what-is-a-false-negative/) if not configured accurately. Legitimate emails could be rejected if the SPF record is not kept up to date or if there are changes in the email infrastructure. _SoftFail provides more leniency, but caution is needed to avoid marking genuine emails as potentially suspicious_.

## Overcoming SPF’s Shortcomings with DMARC

[Implementing DMARC](https://dmarcreport.com/blog/real-world-case-studies-of-brands-successfully-implementing-dmarc-dkim-and-spf/) alongside SPF and DKIM provides a more robust defense against [email-based attacks](https://www.geeksforgeeks.org/types-of-email-attacks/) and improves overall **email deliverability**. DMARC complements SPF by addressing its limitations and providing a more comprehensive and flexible framework for email authentication.

_One limitation of SPF is that it \*\*doesn’t provide a standardized way for domain owners to receive feedback on how their emails are being authenticated across different mail servers._ DMARC introduces \*\*reporting mechanisms that allow domain owners to receive feedback reports ([DMARC reports](https://dmarcreport.com/dmarc-report/)) detailing the results of SPF and DKIM authentication checks .

\*\*Email forwarding can break SPF checks because the original sender’s SPF record might not cover the forwarding server. [DMARC](https://dmarcreport.com/) provides a mechanism to handle forwarding scenarios more effectively by allowing domain owners to specify how to handle emails that fail authentication, such as forwarding them with a modified header.

With DMARC, domain owners can instruct receiving servers on how to handle emails that fail SPF and/or [DKIM](https://dmarcreport.com/what-is-dkim/) checks. This flexibility allows for a more nuanced and tailored approach to email authentication policies.

![Create dmarc record](https://media.mailhop.org/dmarcreport/images/2024/01/create-dmarc-record-9175.jpg) 

_DMARC introduces the concept of alignment, ensuring that the “From” header domain aligns with the authenticated domain using SPF and/or DKIM_. This helps prevent [domain spoofing](https://today.ucsd.edu/story/forwarding%5Fbased%5Fspoofing) and strengthens [email authentication](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/) overall.

## Conclusion

In conclusion, the decision between SPF SoftFail and HardFail plays a pivotal role in shaping your organization’s email authentication strategy. While \*\*SoftFail allows for flexibility and caution in marking potentially [suspicious emails](https://fxdailyreport.com/trust-wallet-warns-users-about-scam-emails-targeting-secret-phrases/), HardFail enforces a stricter policy , rejecting those that don’t align precisely with the SPF record. However, regardless of the chosen SPF policy, it’s crucial to address SPF’s inherent limitations.

_DMARC emerges as a powerful ally in this regard, offering additional layers of authentication, reporting mechanisms, and the means to overcome SPF’s shortcomings_. By implementing DMARC alongside SPF, you can enhance your [email security](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/), reduce false positives, and ensure a more comprehensive [defense against phishing](https://dmarcreport.com/blog/unlocking-the-power-of-dmarc-shielding-you-and-your-customers-from-phishing-attacks/) and email spoofing attacks.

## Topics

[ DMARC ](/tags/dmarc/)[ email security ](/tags/email-security/)[ SPF ](/tags/spf/) 

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Take control of your DMARC reports

Turn raw XML into actionable dashboards. Start free - no credit card required.

[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) 

## Related Articles

[  Foundational 8m  10 Critical Learnings From Verizon’s 2021 DBIR - A DMARCReport Perspective  Nov 25, 2025 ](/blog/10-critical-learnings-from-verizons-2021-dbir-a-dmarcreport-perspective/)[  Foundational 12m  10 DNS Blacklist Insights That Improve Email Security And Deliverability Fast  Nov 14, 2025 ](/blog/10-dns-blacklist-insights-to-improve-email-security-and-deliverability/)[  Foundational 12m  10 Email Spoofing Detection Tools That Dramatically Improve Brand Protection  Nov 11, 2025 ](/blog/10-email-spoofing-detection-tools-that-dramatically-improve-brand-protection/)[  Foundational 12m  10 Reasons SPF Filtering Is Critical For Email Security  Nov 19, 2025 ](/blog/10-reasons-spf-filtering-is-critical-for-email-security/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"SPF Softfail or SPF Hardfail: What’s Right for Your Domain?","description":"SPF Softfail or SPF Hardfail: What’s Right for Your Domain?: Per RFC 7208, SPF evaluation is capped at 10 DNS mechanism lookups and 2 void lookups per check.","url":"https://dmarcreport.com/blog/spf-softfail-or-spf-hardfail-whats-right-for-your-domain/","datePublished":"2024-01-23T12:12:59.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2024-01-23T12:12:59.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/spf-softfail-or-spf-hardfail-whats-right-for-your-domain/"},"articleSection":"foundational","keywords":"DMARC, email security, SPF","wordCount":1137,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"SPF Softfail or SPF Hardfail: What’s Right for Your Domain?","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Foundational","item":"https://dmarcreport.com/foundational/"},{"@type":"ListItem","position":4,"name":"SPF Softfail or SPF Hardfail: What’s Right for Your Domain?","item":"https://dmarcreport.com/blog/spf-softfail-or-spf-hardfail-whats-right-for-your-domain/"}]}
```