all — SPF Mechanism
The SPF all mechanism matches every sender not covered by earlier mechanisms. The qualifier (-all, ~all, +all) determines how unmatched senders are treated.
Mechanism
[qualifier]all
No — no extra lookup
-all
💬 What This Mechanism Does
The "all" mechanism always matches, which is why it is placed at the very end of an SPF record. Its qualifier determines the result for any sender that did not match an earlier mechanism: "-all" rejects them (hard fail), "~all" soft-fails them (marks them as suspicious), "?all" is neutral (the domain states no opinion, so the mail is not failed), and "+all" passes everyone, effectively disabling SPF.
When to Use This
- "-all" — strict: reject all unlisted senders (recommended for mature records)
- "~all" — permissive: soft-fail unlisted senders (good during rollout/testing)
- "?all" — neutral: used during initial SPF setup or troubleshooting
⚠️ Watch Out For
- "+all" makes your SPF record useless — never use it.
- DMARC requires at least "~all" or "-all" to be effective; "?all" weakens DMARC enforcement.
- The "all" mechanism MUST be last; any mechanisms after it are ignored.
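The rules above can be checked mechanically. The following lint is an added example, not code from this page or from any SPF library: the function name lint_all and the sample records are constructed, and it goes slightly beyond the text by also applying two RFC 7208 rules (a bare "all" defaults to "+all", and a redirect= modifier is ignored when "all" is present).

```python
import re

# SPF result returned when "all" is the term that matches, keyed by qualifier.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MODIFIER = re.compile(r"^[a-z][a-z0-9_.-]*=", re.I)  # e.g. redirect=, exp=


def lint_all(record):
    """Return (result, warnings) describing the "all" term of one SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: must start with v=spf1")
    mechanisms = [t for t in terms[1:] if not MODIFIER.match(t)]
    modifiers = [t for t in terms[1:] if MODIFIER.match(t)]
    warnings = []
    for pos, term in enumerate(mechanisms):
        # A mechanism without a qualifier defaults to "+", so bare "all" is "+all".
        qualifier = term[0] if term[0] in RESULTS else "+"
        name = term[1:] if term[0] in RESULTS else term
        if name.lower() == "all":
            break
    else:
        return None, ["no 'all' term: unmatched senders get no explicit result"]
    if qualifier == "+":
        warnings.append("+all passes every sender; the record is useless")
    elif qualifier == "?":
        warnings.append("?all is neutral and weakens DMARC enforcement")
    ignored = mechanisms[pos + 1:]
    if ignored:
        warnings.append("ignored after all: " + " ".join(ignored))
    if any(m.lower().startswith("redirect=") for m in modifiers):
        warnings.append("redirect= is ignored when all is present")
    return RESULTS[qualifier], warnings


# Constructed sample records; example.com and 192.0.2.0/24 are documentation values.
SAMPLES = [
    "v=spf1 ip4:192.0.2.0/24 -all",
    "v=spf1 include:_spf.example.com ~all",
    "v=spf1 all",
    "v=spf1 -all ip4:192.0.2.0/24",
    "v=spf1 mx ?all redirect=_spf.example.com",
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec, "->", lint_all(rec))
```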