Sender Policy Framework (SPF) records use authorization type statements to tell mailbox providers how to treat your email. There are four different authorization types that you can include before the all statement at the end of your SPF record:
- +
- ~
- -
- ?
Here are what the different authorization types mean to mailbox providers checking your SPF record:
+all
This authorization type indicates that all senders are authenticated to send email on your behalf. This type is not recommended because it invalidates the reason for having an SPF record in the first place.
~all
This authorization type is a soft fail that indicates mailbox providers will allow mail whether or not it matches the parameters in the SPF record. Since mailbox providers do not let SPF alone inform delivery or rejection of mail, even the hard fail (-all) mechanism in practical use becomes a soft fail.
-all
This authorization type is a hard fail that indicates mailbox providers will fail the authentication check if the SPF record does not match the the parameters in the record. This type does not have any practical benefits over the soft fail (~all) mechanism. Return Path actually recommends utilizing ~all as a best practice, as we have seen more mailbox provider issues with the hard fail in use.
?all
This authorization type has a neutral, or no, policy statement. It was originally intended for senders to use while testing their SPF record and to prevent any delivery issues if there were errors seen. However, this mechanism is no longer necessary or used by mailbox providers.
