We will use two examples to explain the difference between SPF hard fail and SPF soft fail.
SPF hard fail example:
v=spf1 ip4:192.168.0.1 -all
In the above example the minus “-” in front of “all” means that any senders not listed in this SPF record should be treated as a "hardfail", ie. they are unauthorised and emails from them should be discarded. In this case only the IP address 192.168.0.1 is authorized to send emails.
SPF soft fail example:
v=spf1 include:spf.protection.outlook.com ~all
In the above example the tilde “~” in front of “all” means that any servers not listed in this SPF record should be treated as a "softfail", ie. mail can be allowed through but should be tagged as spam or suspicious. In this case the include:spf.protection.outook.com authorizes Office 365 to send emails. Any emails originating from different servers should be marked as spam by the receivers.
However, irrespective of which failure mode you specify, receiving servers are unlikely to honour your requested behaviour. To understand why check our SPF and DMARC article below.
One click SPF configuration
OnDMARC also has a unique feature called Dynamic SPF. This allows you to replace your SPF record with a dynamic include and then update your SPF record from the OnDMARC interface! It's clicks not code. Find out more below.
You can also try OnDMARC for free for 14 days using the button below and test your configuration.