Red Sift’s email protocol configuration guide

image
Explore our guide
In this chapter
In this chapter

SPF failures: Hard fail vs Soft fail

What is an SPF failure?

An SPF failure occurs when the sender's IP address is not found in the SPF record published. Failures significantly affect the deliverability of your email as they result in the email being sent to spam or discarded altogether. This can be catastrophic for businesses that rely on email to reach customers. With major inbox providers enforcing authentication requirements in 2026, SPF failures have direct deliverability consequences.

There are two types of SPF failures - SPF softfail and SPF hardfail. A hardfail indicates that an email is not authorized, whereas a softfail means that an email has probably not been authorized. For the email recipient, it determines the treatment of the email; a hardfail tells the recipient to reject the email, whereas a softfail suggests it should be diverted to spam.

We will use two examples to demonstrate the visual difference between both.

SPF hardfail example

v=spf1 ip4:192.168.0.1 -all

In the above example, the minus symbol (in front of all at the end of the record) means that any senders not listed in this SPF record should be treated as a hardfail, ie. they are unauthorized, and emails from them should be discarded. In this case, only the IP address 192.168.0.1 is authorized to send emails and nothing else.

SPF softfail example

v=spf1 include:spf.protection.outlook.com ~all

In the above example, the tilde symbol (in front of all at the end of the record) means that any senders not listed in this SPF record should be treated as a softfail, i.e. mail can be allowed through but should be tagged as spam or suspicious. In this case, the include:spf.protection.outook.com mechanism authorized Microsoft 365 to send emails. Any emails originating from different servers should be marked as spam by the receivers. 

Not sure on your SPF setup? Use our free checker to get started.

Which SPF failure mode should you use?

Given that hardfail ("-all") signals to reject any unauthorized senders not found in the SPF record, it might seem like the mode of choice. However, the decision is more nuanced.

In a pre-DMARC era, SPF records commonly used the "-all" mechanism to strictly enforce sender policies, without the additional layer of DKIM and DMARC to help authenticate legitimate emails.

However, current industry guidance in 2026 favors "~all" to balance security and deliverability, avoiding unnecessary rejection of valid emails that might fail SPF but pass DKIM and DMARC.

The wider industry echoes that care needs to be taken with SPF modes; the DMARC specification (RFC 7489) states that:

“Some receiver architectures might implement SPF in advance of any DMARC operations. This means that a "-" prefix on a sender's SPF mechanism, such as "-all", could cause that rejection to go into effect early in handling, causing message rejection before any DMARC processing takes place. Operators choosing to use "-all" should be aware of this.”

For these reasons, we would suggest the following

  • Use "-all" for inactive, non-email sending domains: Apply "-all" only if the domain sends no emails at all. This setting strictly blocks unauthorized emails but risks rejecting legitimate ones if the SPF record isn’t up-to-date.
  • Use "~all" for active, email-sending domains: Opt for "~all" if you’re using SPF in combination with DKIM and DMARC to combat phishing and spoofing. This is because “~all” - when implemented in combination with DMARC (at p=reject) - will still reject unauthenticated mail if SPF and DKIM fail. This mode does not block legitimate mail, thus enhancing overall email deliverability.

In summary, softfail strikes a balance between strict security (which might block legitimate emails) and allowing some flexibility in email delivery, ensuring that emails can still be delivered even if there are occasional mismatches in the SPF record.

How is SPF softfail treated by cybersecurity rating companies? 

It is possible that some rating companies may penalize you should your domains be set up with SPF softfail. However, we believe that downgrading a domain's security score based on the presence of a softfail can misrepresent the actual risk profile of the domain and inadvertently penalize organizations that are following industry-recommended practices for responsible email management and security. In 2026, proper DMARC implementation at p=reject provides the enforcement layer that addresses any concerns about SPF softfail.

On the other hand, rating services like Security Scorecard acknowledge DMARC (when set up in a policy of quarantine or reject) is a “compensating” control for SPF softfail.

If you are penalized for implementing SPF softfail in a cybersecurity audit, engage with the rating company directly to explain your email authentication strategy and its alignment with industry best practices. Advocate for a more nuanced approach to evaluating security postures, one that considers the full context of your email security measures rather than penalizing specific configurations in isolation.

Why SPF isn't enough and you still need DMARC

Irrespective of which failure mode you specify in your SPF record, receiving servers are unlikely to honor your requested policy. This is why DMARC has become required by major inbox providers in 2026. This is because SPF is limited in that:

  1. It does not require alignment between the domain in the From field and the Return-Path address it checks. They don't have to match from an SPF perspective.
  2. SPF does not provide reporting functionality, meaning the receiver does not send back reports to the sender containing email authentication results.
  3. SPF does not survive auto-forwarding and indirect mail-flows, which can lead to authentication issues.

Due to these limitations, DMARC (Domain-based Message Authentication, Reporting, and Conformance) was introduced as an additional email authentication standard. DMARC addresses the shortcomings of SPF and provides the following enhancements:

  1. DMARC focuses on the visible From header, which is seen by end-users.
  2. DMARC requires alignment between the domain used by SPF and the visible From address in the email.
  3. DMARC ignores the nuances of soft fail and hard fail in SPF configuration, treating them as SPF failures.
  4. DMARC provides reporting functionality, allowing email authentication results to be sent back to the owner of the From domain. This helps identify domain misuse and troubleshoot any misconfigurations with legitimate email senders.
  5. DMARC includes a policy that instructs receivers on how to handle emails that fail authentication, and receivers enforce this policy. In contrast, SPF alone does not have enforcement mechanisms.

DMARC has gained widespread adoption as an authentication requirement as it overcomes the shortcomings of SPF and DKIM, blocks exact email impersonation, and improves email deliverability. As of 2026, DMARC is mandatory for bulk email senders across Google, Yahoo, and Microsoft, cementing its role as the email authentication standard.

email set up imageemail set up image
Email set up correctly? Find out free in under a minute

Frequently asked questions: Email protocol configuration guide

What is the difference between SPF hard fail (-all) and soft fail (~all), and which should I use in 2026?

In a pre-DMARC era, SPF records commonly used the "-all" mechanism to strictly enforce sender policies. However, current industry guidance in 2026 favours "~all" to balance security and deliverability, avoiding unnecessary rejection of valid emails that might fail SPF but pass DKIM and DMARC.

This is because "~all" when implemented in combination with DMARC (at p=reject) will still reject unauthenticated mail if SPF and DKIM fail, but does not block legitimate mail, thus enhancing overall email deliverability.

The DMARC specification (RFC 7489) states that a "-" prefix on a sender's SPF mechanism, such as "-all", could cause rejection to go into effect early in handling, causing message rejection before any DMARC processing takes place. Use "-all" for inactive, non-email sending domains only (domains that send no emails at all). DMARC ignores the nuances of soft fail and hard fail in SPF configuration, treating them as SPF failures.

How does DMARC alignment work and what is the difference between strict and relaxed alignment?

DMARC does not only require SPF or DKIM to PASS but it also requires at least one of the domains used by SPF or DKIM to align with the domain found in the From header. Proper alignment is critical for email deliverability in 2026, as major inbox providers enforce these requirements.

In the case of SPF, identifier alignment means that the MAIL FROM/Return-PATH check has to PASS and also the domain portion of the MAIL FROM/Return-PATH has to align with the domain found in the From address. In strict alignment, the domains have to match exactly, whereas in relaxed alignment subdomains are also allowed as long as they come from the same organisational domain.

For example, if MAIL-FROM/RETURN-PATH is @ondmarc.com and From header is @knowledge.ondmarc.com, in strict alignment they are not aligned. However, in relaxed alignment mode, DMARC would pass.

What are DMARC aggregate reports and forensic reports, and how do they differ?

A DMARC aggregate report contains information about the authentication status of messages sent on behalf of a domain. It is an XML feedback report designed to provide visibility into emails that passed or failed SPF and DKIM. The report provides domain owners with precise insight into which sources are sending on your behalf and the disposition of those emails (the policy that was applied by the receiver).

Recipients will look at the 'rua' tag of your DMARC record and send reports there. You can specify the aggregate reporting interval by using the ri tag in your DMARC record (by default, this is set to 86400 seconds which equates to 24 hours). Forensic reports contain more detailed information about individual authentication failures. Any personally identifiable information (PII) is removed, but information that will help in troubleshooting the DMARC failure is included, such as SPF and DKIM header failure information, the entire From address, and the Subject of the email.

The address to receive Forensic DMARC reports is specified by the 'ruf' tag in your DMARC record. Not all receiving systems support sending forensic reports. Red Sift OnDMARC is one of the only DMARC applications on the market that receives forensic reports thanks to its partnership with Yahoo.

What are SPF macros and why might they cause deliverability issues?

An SPF macro refers to a mechanism used in SPF records to define reusable sets of IP addresses. SPF macros enhance the flexibility and maintainability of SPF records by allowing you to define complex sets of IP addresses in a single mechanism, which can then be referenced within multiple SPF records. For example, instead of listing individual IP addresses for each authorised email server, you can define a macro like "%{i}" which calls the sender IP of the email. Managing SPF this way allows you to control a large list of IPs without hitting the SPF lookup limit, and also obscures which IPs you approve for public querying.

However, depending on how the SPF record with macros is structured, the lack of macro expansion could result in SPF failures or 'Neutral' results (denoted by the ?all mechanism). If SPF macros play a critical role in authorising legitimate sending servers, emails might be more likely to fail SPF checks or be marked as suspicious by email receivers that rely on SPF for authentication.

What is MTA-STS and how should it be deployed to avoid blocking email delivery?

Mail Transfer Agent Strict Transport Security (MTA-STS) is a standard that enables the encryption of messages being sent between two mail servers. It specifies to sending servers that emails can only be sent over a Transport Layer Security (TLS) encrypted connection which prevents emails from being intercepted by cybercriminals.

MTA-STS adoption has grown significantly, with organisations in 2026 recognising transport layer security as essential for protecting email in transit. For receiving domains to enable MTA-STS, they must announce that they support MTA-STS in their DNS and publish a policy configuration file on their website.

Activating MTA-STS must be done carefully to mitigate blocking emails from being delivered. MTA-STS should first be deployed in testing mode, allowing time for TLS reports to provide insight into any errors that need fixing before progressing to the final enforce stage. This phased approach will likely become standard practice in 2026 for organisations implementing transport security.

What is TLS-RPT and how does it work with MTA-STS?

SMTP TLS Reporting (or TLS-RPT for short) enables reporting of TLS connectivity problems experienced by the sending MTAs and is defined in RFC8460. Much like DMARC, TLS-RPT relies on emailed reports to notify domain owners when delivery fails due to TLS issues. These reports include detected MTA-STS policies, traffic statistics, unsuccessful connections, and failure reasons.

With Red Sift OnDMARC's MTA-STS feature, you don't need to worry about complex deployment. Simply add the MTA-STS Smart Records OnDMARC provides to your DNS and Red Sift does all the hard work such as hosting the MTA-STS policy file, maintaining the SSL certificate, and flagging any policy violation through the TLS report. Modern DMARC platforms in 2026 increasingly include hosted MTA-STS as a standard feature, simplifying transport security deployment.

What is DANE and how does it differ from MTA-STS?

Published under RFC 7671, DANE (DNS-based Authentication of Named Entities) introduces a new Internet standard for setting up TLS communication between a client and a server, without having to rely on trusted Certificate Authorities (CAs).

The traditional CA model TLS has depended on allows any CA to issue a certificate for any domain. DANE does things differently by relying on the DNSSEC infrastructure (Domain Name System Security Extensions) to bind a domain name to a certificate. DANE makes use of the already existing DNSSEC protocol to make sure the data it receives is authentic and has not been tampered with.

DANE also introduces a new DNS RR type called TLSA which helps to signal to the client that a server supports TLS. The recommendation is to implement both MTA-STS and DANE. DANE is a requirement from many governments, so public agencies in the EU are often required to implement it.

DANE and MTA-STS help only if the sender supports it, however, many senders only support one or the other so implementing both improves security overall. Organisations in 2026 often deploy MTA-STS first for broader compatibility, then add DANE for enhanced security where required.

What is the purpose of the DMARC subdomain policy (sp tag) and how should it be used?

The subdomain policy allows domain administrators to protect different domains and subdomains based on how far they are along the DMARC journey. For example, if all your email-sending services sending emails on behalf of your top-level domain are fully configured with SPF and DKIM, that means that you can protect your top-level domain with a DMARC policy of p=reject whilst keeping the subdomains in p=none, and vice versa.

Also, if you have an email-sending service that is non-DMARC compliant (does not support SPF or DKIM), you may decide to assign a subdomain to it and have that subdomain in a different DMARC policy, without preventing you from protecting your other domains. This allows you to split the traffic across different subdomains and protect each one separately.