SPF Hard Fail vs SPF Soft Fail

SPF (Sender Policy Framework) is an email authorization protocol that checks the sender's IP address against a list of IPs published on the domain used as the Return-Path header of the email sent. This list is known as the SPF record.

Here is an example of an SPF record published on domain X, authorizing Office 365 to send emails on its behalf:

v=spf1 include.spf.protection.outlook.com ~all

OnDMARC’s free tool, called Investigate, lets you verify your SPF set up to ensure you actually authenticate your emails correctly.

An SPF failure occurs when the sender's IP address is not found in the SPF record. This can mean the email is sent to spam or discarded altogether.

We will use two examples to explain the difference between SPF hard fail and SPF soft fail.

In the above example the minus “-” in front of “all” means that any senders not listed in this SPF record should be treated as a "hardfail", ie. they are unauthorised and emails from them should be discarded. In this case only the IP address 192.168.0.1 is authorized to send emails.

In the above example the tilde “~” in front of “all” means that any servers not listed in this SPF record should be treated as a "softfail", ie. mail can be allowed through but should be tagged as spam or suspicious. In this case the include:spf.protection.outook.com authorizes Office 365 to send emails. Any emails originating from different servers should be marked as spam by the receivers. 

However, irrespective of which failure mode you specify, receiving servers are unlikely to honour your requested behaviour. To understand why, check our SPF and DMARC article below.

OnDMARC also has a unique feature called Dynamic SPF. This allows you to replace your SPF record with a dynamic include and then update your SPF record from the OnDMARC interface!

Find out more below. 

If you would like to see our OnDMARC product in action, feel free to sign up to a 14 day trial account using the button below.