← All insights · Thu, 02 Jul 2026

50.4% of SPF records use ~all (softfail) — most email says "maybe"

Among domains that publish SPF, softfail still beats hardfail. What that costs you.

76.5% of domains publish an SPF record. But SPF only bites if it ends in -all (hardfail). Here's how SPF publishers actually terminate their record:

~all (softfail, 50.4%) tells receivers "this probably isn't authorized… but deliver it anyway." -all (hardfail, 44.5%) tells them to reject it. Softfail is the safe default that never gets tightened — which means most domains publish SPF that a spoofer can walk straight past. If you own the domain and every legitimate sender is listed, -all is where you want to be.

Verify a real address → This is aggregate DNS data. To check whether a specific email address exists and is deliverable, use MailTester Ninja — real-time, nothing stored.

Data: MailTester Ninja Email Infrastructure Index — 50,000 domains, snapshot Thu, 02 Jul 2026 08:16:19 GMT. Reuse freely under CC BY 4.0.

FAQ

What is the difference between ~all and -all in SPF?

~all is softfail (accept but mark) and -all is hardfail (reject unauthorized senders). ~all is more permissive; -all is stricter and better protects against spoofing once all of your legitimate senders are listed.

Built & updated automatically by MailTester Ninja — the email verifier that stores nothing. DNS-only, aggregate data, no personal information. · Index · Email checker · Tools · Guides · Insights · JSON API · ✓ Verify an email address →