SPF Qualifiers Explained
At the end of every SPF record is a catch-all mechanism, typically ~all (softfail) or -all (hardfail). These qualifiers direct the receiving mail server on how to handle incoming emails originating from unauthorized IP addresses.
Softfail (~all) vs Hardfail (-all)
A softfail (~all) is a recommendation to accept the email but tag it as suspicious if the IP doesn't match. A hardfail (-all) is an explicit directive to reject the message entirely.
Modern Best Practices
While hardfail sounds safer, it can inadvertently break legitimate emails that pass through forwarding relays (e.g., when a recipient forwards your email to another inbox). Therefore, industry consensus recommends using a softfail (~all) paired with a strict DMARC policy (p=quarantine or p=reject), which handles forwarding issues much more gracefully.