SPF SoftFail vs. HardFail

SPF (Sender Policy Framework) is an email authentication method used to detect forged sender addresses during email delivery. It lets a domain owner publish, in a DNS TXT record, which mail servers are authorized to send email on behalf of that domain. The receiving server checks the IP address of the connecting client against the record of the domain in the envelope sender (the SMTP MAIL FROM, or HELO/EHLO name when MAIL FROM is empty), not against the From: header the user sees.

The terms "SoftFail" and "HardFail" refer to the qualifier placed on the "all" mechanism at the end of an SPF record.

ALL: It always matches, so it should be the last mechanism in the SPF record; any mechanisms listed after it are ignored. Because it is reached only when nothing before it matched, the qualifier on it (for example "-all") is the default result for every IP that is not explicitly authorized.

Now, let's go with understanding the qualifiers and what each of them represents.

SPF Qualifiers

An SPF Qualifier is an optional single-character prefix on a mechanism. It tells the receiving mail server which result to return when that mechanism matches the connecting IP: "+" is Pass, "-" is Fail (HardFail), "~" is SoftFail and "?" is Neutral.

Mechanisms are evaluated in the order they appear in the SPF record, and the first one that matches determines the result. A mechanism without a qualifier defaults to "+", so a match passes SPF authentication. If no mechanism matches and the record contains no "all" mechanism, the result is Neutral; the message neither passes nor fails authentication.

The following example ends with a SoftFail qualifier. It tells the receiving mail server that mail from any source not listed in the record is probably not authorized, but asks it not to reject the message on that basis alone. Many email services mark messages that soft fail the SPF check as suspicious or deliver them to spam.

v=spf1 ip4:192.0.2.0/24 include:_spf.google.com ~all

The following example ends with a HardFail qualifier. It asks the receiving mail server to reject any message sent from a source not listed in the record. (Receivers are not obliged to honor this; how strictly they act on a Fail is their policy decision.)

v=spf1 ip4:192.0.2.0/24 include:_spf.google.com -all

The M3AAWG community suggests ending the SPF record with a SoftFail (~all) for domains that send mail and with a HardFail (-all) for parked domains that never send mail. Most receivers treat ~all and -all similarly in practice, although some are more likely to reject unauthenticated email when the latter is used.

With the broad adoption of DMARC, the SPF result on its own is usually no longer the deciding factor in delivery. DMARC counts SPF only when the result is Pass and the MAIL FROM domain aligns with the From: header domain; SoftFail and HardFail are both simply "not pass" from DMARC's point of view, and the DMARC policy (none, quarantine or reject) then decides what happens to a message that fails both SPF and DKIM. The SPF result still provides valuable information through DMARC aggregate reports, which include authentication and alignment results per sending source and allow domain owners to monitor and analyze the effectiveness of their SPF policy.
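The following evaluator is an added example, not code from the original page or from any SPF library. It implements the qualifier rules described above (first matching mechanism wins, missing qualifier means "+", "all" is terminal and anything after it is ignored, no match and no "all" gives Neutral) and then shows how DMARC collapses SoftFail and HardFail into the same "not pass" outcome. DNS is replaced by a constructed lookup table; the record shown for _spf.google.com is a stand-in, not Google's real record, and the example domains, IP ranges (RFC 5737 documentation space) and the two-label organizational-domain rule are assumptions made for the example. Only ip4, ip6, include and all are modelled; a, mx, ptr, exists and redirect= are not.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (not real records).
FAKE_DNS = {
    "example.com":     "v=spf1 ip4:192.0.2.0/24 include:_spf.google.com ~all",
    "strict.example":  "v=spf1 ip4:192.0.2.0/24 include:_spf.google.com -all",
    "parked.example":  "v=spf1 -all",                     # never sends mail
    "noall.example":   "v=spf1 ip4:192.0.2.0/24",         # no "all": unmatched IPs are Neutral
    "afterall.example": "v=spf1 -all ip4:192.0.2.0/24",   # mechanism after "all" is ignored
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 -all", # constructed, not Google's record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, dns=FAKE_DNS, depth=0):
    """Return the SPF result (pass/fail/softfail/neutral/none/permerror) for ip sending as domain."""
    if depth > 10:                      # guard against include loops (RFC 7208 caps DNS terms at 10)
        return "permerror"
    record = dns.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                 # a mechanism without a qualifier defaults to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:
            continue                    # modifiers (redirect=, exp=) are not modelled here
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # terminal: nothing after "all" is ever evaluated
        if name in ("ip4", "ip6"):
            # "in" is False when the address and network are different IP versions
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            sub = check_host(ip, arg, dns, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]   # include matches only on a Pass of the included record
            if sub in ("permerror", "temperror", "none"):
                return "permerror" if sub == "none" else sub
            # fail/softfail/neutral from the included domain: not a match, keep going
        else:
            return "permerror"          # a, mx, ptr, exists: unsupported in this example
    return "neutral"                    # nothing matched and there was no "all"


def org_domain(domain):
    """Assumption for this example: the last two labels are the organizational domain.
    Real DMARC uses the Public Suffix List (so co.uk etc. are handled correctly)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_spf_aligned(spf_result, mail_from_domain, header_from_domain, strict=False):
    """DMARC's SPF leg: True only when SPF passed AND the MAIL FROM domain aligns with From:.
    softfail, fail, neutral and none are all just 'not pass' here."""
    if spf_result != "pass":
        return False
    if strict:
        return mail_from_domain.lower() == header_from_domain.lower()
    return org_domain(mail_from_domain) == org_domain(header_from_domain)


if __name__ == "__main__":
    for ip, domain in [("192.0.2.10", "example.com"), ("198.51.100.7", "example.com"),
                       ("203.0.113.4", "example.com"), ("203.0.113.4", "strict.example"),
                       ("203.0.113.4", "noall.example"), ("192.0.2.5", "afterall.example")]:
        result = check_host(ip, domain)
        print(f"{ip:>14} as {domain:<18} -> SPF {result:<9} DMARC SPF aligned: "
              f"{dmarc_spf_aligned(result, domain, domain)}")
```

Run it and note that 203.0.113.4 gets "softfail" under example.com and "fail" under strict.example, yet dmarc_spf_aligned returns False for both: once DMARC is in play, the choice between ~all and -all changes what the receiver's own SPF policy may do, not the DMARC verdict.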

Any organization that depends on email should pair SPF with DKIM and DMARC; SPF alone does not cover the visible From: header, and only the combination gives meaningful protection against spoofing and phishing that uses the organization's name.