Fix SPF Softfail (~all) in Microsoft 365
Your SPF record ends in ~all. That sounds harmless. It isn't. Here's what it means, why it's silently hurting your deliverability, and how to harden it.
5 min read · Email Authentication
What SPF Softfail Means
~all (tilde-all) tells receiving mail servers: "If an email comes from a server not listed in this SPF record, treat it with suspicion — but deliver it anyway." It's the difference between a bouncer who stops unauthorized guests and one who just gives them a disapproving look.
Why ~all Exists (And Why It's Overused)
SPF softfail was introduced as a transitional setting. The idea was that organizations could publish an SPF record that monitors unauthorized senders without the risk of accidentally blocking their own legitimate email. Engineers used ~all while they were auditing which servers actually sent email on their behalf.
The problem is that most businesses set it and forget it. Years later, the softfail is still in place — not because they're still auditing, but because nobody updated it. Meanwhile, the setting has a real cost.
The Deliverability Cost
When a spoofed or suspicious email arrives at Gmail, Outlook, or any major mail provider, those providers evaluate your SPF record. If they see ~all, they know you've told them not to reject the message — so they apply their own judgment. That judgment often results in your legitimate email being weighted more negatively, particularly when combined with a weak or missing DMARC policy.
The practical outcome: proposals, invoices, and client updates have a statistically higher chance of landing in spam when your SPF is in softfail mode, because it signals to receivers that your domain authentication posture is immature.
The Fix: Harden to -all
-all (hard fail) tells receiving servers: "Any email not from an explicitly listed server should be rejected outright." This is the correct production setting for any organization that has finished its SPF audit.
Before (Softfail):
v=spf1 include:spf.protection.outlook.com ~allAfter (Hard Fail):
v=spf1 include:spf.protection.outlook.com -allBefore You Switch to -all
Hardening SPF requires that you have accounted for every server that sends email as your domain. This includes:
- Microsoft 365 (Exchange Online Protection)
- Any third-party marketing platforms (Mailchimp, HubSpot, SendGrid)
- CRMs that send on your behalf (Salesforce, Zoho CRM)
- Invoicing tools (QuickBooks, FreshBooks, Xero)
- Any legacy on-premise Exchange servers
If you switch to -all with an incomplete record, your legitimate email from those unlisted platforms will start bouncing. This is the most common mistake during SPF hardening.
What Else to Check
SPF alone is not sufficient. DMARC is what tells mail providers how to enforce SPF and DKIM alignment. Without a DMARC policy set to at least p=quarantine, fixing your SPF record delivers only partial protection. Run the scan below to see your full configuration status.
Check if your domain has this issue right now
Free SPF, DMARC, and MX scan. No signup. Results in 10 seconds.
Or book a 15-min call to have us fix this for you.