An SPF failure occurs when the sender's IP address is not found in the SPF record published. Failures significantly affect the deliverability of your email as they result in the email being sent to spam or discarded altogether. This can be catastrophic for businesses that rely on email to reach customers.

There are two types of SPF failures - SPF softfail and SPF hardfail. A hardfail indicates that an email is not authorized, whereas a softfail means that an email has probably not been authorized. For the email recipient, it determines the treatment of the email; a hardfail tells the recipient to reject the email, whereas a softfail suggests it should be diverted to spam.

We will use two examples to demonstrate the visual difference between both.

v=spf1 ip4:192.168.0.1 -all

In the above example, the minus symbol (in front of all at the end of the record) means that any senders not listed in this SPF record should be treated as a hardfail, ie. they are unauthorized, and emails from them should be discarded. In this case, only the IP address 192.168.0.1 is authorized to send emails and nothing else.

v=spf1 include:spf.protection.outlook.com ~all

In the above example, the tilde symbol (in front of all at the end of the record) means that any senders not listed in this SPF record should be treated as a softfail, i.e. mail can be allowed through but should be tagged as spam or suspicious. In this case, the include:spf.protection.outook.com mechanism authorized Microsoft 365 to send emails. Any emails originating from different servers should be marked as spam by the receivers. 

Given that hardfail ("-all") signals to reject any unauthorized senders not found in the SPF record, it might seem like the mode of choice. However, the decision is more nuanced.

In a pre-DMARC era, SPF records commonly used the "-all" mechanism to strictly enforce sender policies, without the additional layer of DKIM and DMARC to help authenticate legitimate emails.

However, modern guidance now favors "~all" to balance security and deliverability, avoiding unnecessary rejection of valid emails that might fail SPF but pass DKIM and DMARC.

The wider industry echoes that care needs to be taken with SPF modes; the DMARC specification (RFC 7489) states that:

“Some receiver architectures might implement SPF in advance of any DMARC operations. This means that a "-" prefix on a sender's SPF mechanism, such as "-all", could cause that rejection to go into effect early in handling, causing message rejection before any DMARC processing takes place. Operators choosing to use "-all" should be aware of this.”

For these reasons, we would suggest the following

• Use "-all" for inactive, non-email sending domains: Apply "-all" only if the domain sends no emails at all. This setting strictly blocks unauthorized emails but risks rejecting legitimate ones if the SPF record isn’t up-to-date.
• Use "~all" for active, email-sending domains: Opt for "~all" if you’re using SPF in combination with DKIM and DMARC to combat phishing and spoofing. This is because “~all” - when implemented in combination with DMARC (at p=reject) - will still reject unauthenticated mail if SPF and DKIM fail. This mode does not block legitimate mail, thus enhancing overall email deliverability.

In summary, softfail strikes a balance between strict security (which might block legitimate emails) and allowing some flexibility in email delivery, ensuring that emails can still be delivered even if there are occasional mismatches in the SPF record.

It is possible that some rating companies may penalize you should your domains be set up with SPF softfail. However, we believe that downgrading a domain's security score based on the presence of a softfail can misrepresent the actual risk profile of the domain and inadvertently penalize organizations that are following industry-recommended practices for responsible email management and security.

On the other hand, rating services like Security Scorecard acknowledge DMARC (when set up in a policy of quarantine or reject) is a “compensating” control for SPF softfail.

If you are penalized for implementing SPF softfail in a cybersecurity audit, engage with the rating company directly to explain your email authentication strategy and its alignment with industry best practices. Advocate for a more nuanced approach to evaluating security postures, one that considers the full context of your email security measures rather than penalizing specific configurations in isolation.

Irrespective of which failure mode you specify in your SPF record, receiving servers are unlikely to honor your requested policy. This is because SPF is limited in that:

1. It does not require alignment between the domain in the From field and the Return-Path address it checks. They don't have to match from an SPF perspective.
2. SPF does not provide reporting functionality, meaning the receiver does not send back reports to the sender containing email authentication results.
3. SPF does not survive auto-forwarding and indirect mail-flows, which can lead to authentication issues.

Due to these limitations, DMARC (Domain-based Message Authentication, Reporting, and Conformance) was introduced as an additional email authentication standard. DMARC addresses the shortcomings of SPF and provides the following enhancements:

1. DMARC focuses on the visible From header, which is seen by end-users.
2. DMARC requires alignment between the domain used by SPF and the visible From address in the email.
3. DMARC ignores the nuances of soft fail and hard fail in SPF configuration, treating them as SPF failures.
4. DMARC provides reporting functionality, allowing email authentication results to be sent back to the owner of the From domain. This helps identify domain misuse and troubleshoot any misconfigurations with legitimate email senders.
5. DMARC includes a policy that instructs receivers on how to handle emails that fail authentication, and receivers enforce this policy. In contrast, SPF alone does not have enforcement mechanisms.

DMARC has gained widespread adoption as an authentication requirement as it overcomes the shortcomings of SPF and DKIM, blocks exact email impersonation, and improves email deliverability.