Last updated: July 2026
In short: The symbols (
+,-,~,?) prefixing mechanisms in an SPF record are called qualifiers. Placed before theallmechanism at the end of your record, they dictate how receiving servers treat unauthenticated emails.
An SPF (Sender Policy Framework) record evaluates mechanisms from left to right. If an incoming email does not match specific terms like ip4 or include, evaluation reaches the all mechanism at the very end of the record, which matches every IP address. The qualifier prefixing that all tells the receiving server what final evaluation result (check_host()) to return.
The four qualifiers explained
Under RFC 7208, there are four possible qualifiers and corresponding evaluation outcomes:
+pass-fail~softfail?neutral
The qualifier prefix is optional and defaults to + (meaning a mechanism written simply as a behaves as +a).
1. Hardfail (-all)
A record ending with -all:
v=spf1 -all
returns a fail result. According to RFC 7208, a fail result is an explicit statement that the client is not authorized to use the domain in the given identity. Receiving mail servers typically reject messages returning fail during the SMTP transaction before the message is accepted.
2. Softfail (~all)
A record ending with ~all:
v=spf1 ~all
returns a softfail result. According to RFC 7208, a softfail result is a weak statement by the publishing organization that the host is probably not authorized, but the domain has not published a stronger, more definitive policy (fail). Mail servers usually accept softfail messages but flag them as suspicious or route them to the spam folder. This is the recommended policy during rollout and testing.
3. Neutral (?all)
A record ending with ?all:
v=spf1 ?all
returns a neutral result. According to RFC 7208, a neutral result means the domain explicitly states that it is not asserting whether the IP address is authorized. Receiving servers treat the message exactly as if no SPF record existed for that IP address.
4. Pass (+all)
A record ending with +all:
v=spf1 +all
returns a pass result for every connecting server globally. According to RFC 7208, a pass result is an explicit statement that the client is authorized to inject mail. Appending +all to your record permits every server on the internet to send mail on your behalf, effectively destroying your SPF protection.
Zero DNS lookups for all
A key architectural detail: the all mechanism does not consume DNS lookups. Under RFC 7208, the all, ip4, and ip6 mechanisms, along with the exp modifier, do not cause DNS queries during evaluation and are exempt from the 10-lookup limit.
However, remember that a domain must not publish multiple separate SPF records. Publishing more than one record for a single domain name immediately triggers a permerror during evaluation regardless of your qualifiers.
Verifying your configuration
To check which qualifier your domain enforces and confirm that your SPF record has zero syntax errors, scan your domain with the free MXAudit scanner.
For comprehensive technical guides and provider-specific control panel walkthroughs, explore the SPF hub and practical guides like IONOS SPF setup.
Further reading
- RFC 7208 — Sender Policy Framework (SPF) (retrieved: July 16, 2026)