SPF No Protection (?all / +all)

Your domain's SPF record uses a neutral (?all) or pass-all (+all) policy, which provides essentially zero protection against email spoofing. This needs to be fixed immediately.

What ?all and +all mean

Critical security issue: Your SPF record currently allows anyone in the world to send email that appears to come from your domain. This is equivalent to having no SPF protection at all.

SPF records end with an "all" mechanism that defines what happens when a sending server doesn't match any of the authorized mechanisms listed in your record. The qualifier prefix on all determines the policy:

Mechanism  Name       Protection level      What it does
+all       Pass all   None                  Explicitly authorizes every server in the world to send email as your domain. Any IP address is treated as authorized.
?all       Neutral    None                  Makes no assertion about unauthorized servers. The SPF result is "neutral," which most receiving servers treat the same as having no SPF record.
~all       Soft fail  Weak                  Flags unauthorized servers as suspicious but still accepts the email.
-all       Hard fail  Strong (recommended)  Instructs receiving servers to reject email from unauthorized servers.

If your record uses +all, it completely defeats the purpose of having an SPF record. If it uses ?all, the effect is nearly identical — receiving servers have no reason to treat unauthorized emails any differently than authorized ones.
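To make the table concrete, here is a small SPF evaluator added for this page (it is not Domain Guarddog's code). It implements the ip4, ip6, include and all mechanisms from RFC 7208 against a constructed, in-memory DNS table (the domain names, addresses and records are assumptions for the demo, not real lookups) and shows what result the same unauthorized IP receives under each "all" qualifier.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# Domain names and addresses here are assumptions for the demo.
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.mailer.example ip4:203.0.113.10 ?all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, dns=FAKE_DNS, depth=0):
    """Return the SPF result for `ip` sending as `domain` (subset of RFC 7208)."""
    if depth > 10:                       # recursion guard for include loops
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # no SPF record published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:      # skip the "v=spf1" version tag
        qualifier = "+"                  # a mechanism with no prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True               # "all" matches every sender
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include: matches only when the referenced record yields "pass"
            matched = check_host(ip, value, dns, depth + 1) == "pass"
        else:
            continue                     # a, mx, exists and modifiers not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no "all" present


def compare_all_qualifiers(ip, base="v=spf1 ip4:203.0.113.10"):
    """Evaluate one sending IP against the same record ending in +all, ?all, ~all and -all."""
    results = {}
    for q in "+?~-":
        record = f"{base} {q}all"
        results[q + "all"] = check_host(ip, "demo.example", {"demo.example": record})
    return results


if __name__ == "__main__":
    # 192.0.2.1 is not authorized anywhere; only -all actually rejects it.
    for mech, result in compare_all_qualifiers("192.0.2.1").items():
        print(f"{mech}: {result}")
```

Running it prints pass for +all and neutral for ?all against an IP that appears nowhere in the record, which is exactly why those two qualifiers count as no protection; only ~all and -all produce a result a receiver can act on.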

Security risks

Having ?all or +all in your SPF record exposes your domain to serious security threats:

Phishing attacks

Attackers can send emails that appear to come from your domain to trick recipients into revealing passwords, financial information, or other sensitive data. Without SPF enforcement, these emails pass authentication checks.

Business email compromise

Criminals can impersonate executives or employees at your organization, requesting wire transfers, sensitive documents, or credential changes. These attacks cause billions of dollars in losses annually.

Spam campaigns

Spammers can use your domain to send bulk unsolicited email, damaging your domain's reputation with email providers and potentially getting your legitimate emails blocked.

Reputation damage

If your domain is used to send spam or phishing emails, major email providers may blacklist it. This means your legitimate emails start going to spam or being rejected entirely.

How to fix it

Fixing this requires changing your SPF record's catch-all mechanism from ?all or +all to -all. Here's how to do it safely:

1. Identify all your legitimate email senders

Make a complete list of every service that sends email from your domain. This includes your primary email provider (Google Workspace, Microsoft 365, etc.), marketing platforms (Mailchimp, SendGrid), CRM systems (Salesforce, HubSpot), helpdesk tools (Zendesk, Freshdesk), and any custom applications.

2. Build your SPF record with all senders

Create an SPF record that includes all the services you identified. Each service will have its own include: mechanism. Check each provider's documentation for the correct SPF include value.

3. Change the all mechanism to -all

Replace ?all or +all at the end of your record with -all. This single change transforms your SPF record from providing no protection to providing strong protection.

4. Update your DNS TXT record

Log into your DNS provider's control panel, find your existing SPF TXT record, and update it with the corrected version. Save the change.

5. Monitor email delivery

After making the change, monitor your email delivery for the next few days. Set up DMARC with reporting (rua) to receive aggregate reports showing SPF pass and fail rates. If a legitimate sender is being blocked, add them to your SPF record.

If you're unsure about your senders: You can temporarily use ~all (soft fail) instead of -all while you verify. Soft fail will flag unauthorized emails as suspicious without rejecting them. Once you've confirmed all legitimate senders are included, switch to -all for full protection.
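The steps above can be turned into a repeatable check. The following script is an added example for this page, not Domain Guarddog's own tooling: build_spf assembles a record from a sender inventory (defaulting to -all, with ~all available for the verification period), and lint_spf flags the conditions this page describes (+all, ?all, a missing "all", terms after "all") plus the RFC 7208 limit of 10 DNS-lookup terms, which is not on this page but is the other common reason a rebuilt record fails. The include domains used in the test are the ones from the examples on this page; it only inspects the top-level record and does not resolve nested includes.

```python
import re

# Mechanisms/modifiers that each cost a DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def mechanism_name(term):
    """Strip the qualifier and return the bare mechanism/modifier name, lowercased."""
    m = re.match(r"[+\-~?]?([a-z0-9]+)", term, re.I)
    return m.group(1).lower() if m else ""


def build_spf(includes, ip4s=(), qualifier="-"):
    """Assemble an SPF record from a list of provider includes and own IPv4 ranges.

    Defaults to -all; pass qualifier="~" for the temporary soft-fail period.
    """
    terms = ["v=spf1"]
    terms += [f"ip4:{net}" for net in ip4s]
    terms += [f"include:{domain}" for domain in includes]
    terms.append(f"{qualifier}all")
    return " ".join(terms)


def lint_spf(record):
    """Return a list of findings for a published SPF record; empty means no issue found."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]

    all_positions = [i for i, t in enumerate(terms) if mechanism_name(t) == "all"]
    if not all_positions:
        findings.append("no 'all' mechanism: unmatched senders get a neutral result")
    else:
        term = terms[all_positions[0]]
        qualifier = term[0] if term[0] in "+-~?" else "+"   # bare "all" means "+all"
        if qualifier in "+?":
            findings.append(f"'{term}' gives no protection; use -all")
        elif qualifier == "~":
            findings.append("'~all' is soft fail only; switch to -all once senders are verified")
        if all_positions[0] != len(terms) - 1:
            findings.append("terms after 'all' are never evaluated")

    # Only top-level terms are counted here; nested includes add to the real total.
    lookups = sum(1 for t in terms[1:] if mechanism_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms at top level exceed the limit of 10")
    return findings


if __name__ == "__main__":
    before = "v=spf1 include:_spf.google.com +all"
    after = build_spf(["_spf.google.com"])
    print(before, "->", lint_spf(before))
    print(after, "->", lint_spf(after))
```

Run lint_spf on the record you are about to publish and again on what dig returns afterwards; the two should agree and both should come back empty.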

Before and after examples

Fixing +all (pass all)

Before (no protection):

v=spf1 include:_spf.google.com +all

After (strong protection):

v=spf1 include:_spf.google.com -all

Fixing ?all (neutral)

Before (no protection):

v=spf1 include:spf.protection.outlook.com ?all

After (strong protection):

v=spf1 include:spf.protection.outlook.com -all

Fixing +all with multiple services

Before (no protection):

v=spf1 include:_spf.google.com include:sendgrid.net +all

After (strong protection):

v=spf1 include:_spf.google.com include:sendgrid.net -all

How to verify your fix

After updating your DNS record, verify that the change has taken effect:

1. Wait for DNS propagation

DNS changes can take up to 48 hours to propagate worldwide, though most changes take effect within a few hours.

2. Check your record

Use Domain Guarddog to scan your domain and verify that the SPF record now shows -all at the end. You can also use command-line tools like dig TXT yourdomain.com or nslookup -type=TXT yourdomain.com.

3. Send a test email

Send a test email from your domain and check the email headers to confirm SPF is passing. Look for spf=pass in the Authentication-Results header.
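Reading that header by hand is error-prone once several methods are listed, so here is a small parser added for this page (not Domain Guarddog's code). The sample header is constructed to look like what a receiving server adds; the server name, selector and addresses in it are assumptions. Note that spf=pass on a message from an authorized sender only confirms your record parses and lists that sender; the "all" qualifier itself is confirmed by the dig or nslookup check in step 2.

```python
import re

# Constructed sample of a header added by a receiving server; names are assumptions.
SAMPLE_HEADER = (
    "Authentication-Results: mx.receiver.example;\n"
    " spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=alerts@example.com;\n"
    " dkim=pass header.d=example.com header.s=sel1;\n"
    " dmarc=pass (p=REJECT) header.from=example.com"
)


def parse_authentication_results(header):
    """Return {method: result} for each method stanza in an Authentication-Results header."""
    if header.lower().startswith("authentication-results:"):
        header = header.split(":", 1)[1]
    # Unfold the header: continuation lines start with whitespace.
    body = " ".join(line.strip() for line in header.splitlines())
    # Stanzas are separated by ';'; the first one is the authserv-id, not a method.
    stanzas = [s.strip() for s in body.split(";")]
    results = {}
    for stanza in stanzas[1:]:
        m = re.match(r"([a-z0-9-]+)=([a-z]+)", stanza, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def spf_passed(header):
    """True only when the SPF method reports 'pass'; none/neutral/softfail/fail all count as not passing."""
    return parse_authentication_results(header).get("spf") == "pass"


if __name__ == "__main__":
    print(parse_authentication_results(SAMPLE_HEADER))
    print("SPF pass:", spf_passed(SAMPLE_HEADER))
```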

For a comprehensive overview of SPF, including all mechanisms, qualifiers, and common mistakes, see our complete guide to SPF.
