← All insights · Thu, 02 Jul 2026
Among domains that publish SPF, softfail still beats hardfail. What that costs you.
76.5% of domains publish an SPF record. But SPF only bites if it ends in -all (hardfail). Here's how SPF publishers actually terminate their record:
~all — 50.4%-all — 44.5%noneall — 2.6%?all — 2.4%+all — 0%~all (softfail, 50.4%) tells receivers "this probably isn't authorized… but deliver it anyway." -all (hardfail, 44.5%) tells them to reject it. Softfail is the safe default that never gets tightened — which means most domains publish SPF that a spoofer can walk straight past. If you own the domain and every legitimate sender is listed, -all is where you want to be.
Data: MailTester Ninja Email Infrastructure Index — 50,000 domains, snapshot Thu, 02 Jul 2026 08:16:19 GMT. Reuse freely under CC BY 4.0.
~all is softfail (accept but mark) and -all is hardfail (reject unauthorized senders). ~all is more permissive; -all is stricter and better protects against spoofing once all of your legitimate senders are listed.