Protocol 01

The SPF Hard-Fail Debate

Sender Policy Framework (SPF) is your domain's guest list: a DNS TXT record naming the servers allowed to send mail for it. Receivers check the connecting IP against that list, using the envelope sender (MAIL FROM / Return-Path) domain, not the From address the user sees. But not all lists are created equal. The difference between a "Softfail" and a "Hardfail" is the difference between a suggestion and a command.

Softfail (~all)

v=spf1 ... ~all

"Testing Mode". Tells receivers: "Mail from a server not on this list is probably not authorized. Accept it anyway, but treat it as suspicious."

Use this ONLY while you are auditing your mail sources. Leaving it in place permanently tells every receiver that unauthorized mail is merely "suspicious", and many will still deliver it.

Hardfail (-all)

v=spf1 ... -all

"Sentinel Mode". Tells receivers: "Mail from a server not on this list fails SPF. Reject it."

This is the gold standard. It instructs receivers to reject mail whose envelope sender claims your domain from an IP you never authorized. Two caveats a practitioner should know: SPF only checks the envelope sender, so on its own it does not stop an attacker from forging the visible From header, and it breaks on forwarded mail, which is why it is paired with DMARC (Protocol 02). Under DMARC, softfail and hardfail are both simply "not a pass".
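
To make the softfail/hardfail distinction concrete, here is an added Python example (not code from the original page) that parses an SPF record, reports what an unlisted IP would receive, and lints the record for the mistakes that most often undermine it, including the 10-DNS-lookup limit that matters once you start stacking include: terms such as the provider records under Implementation. It works on the record text alone, so it runs offline; the sample records are constructed, and the lookup count covers only the top-level record (a real checker follows every include: recursively).

```python
"""Classify an SPF record's 'all' policy and lint it for common mistakes.

Added illustration, not the page's own code. Operates on record text only
(no DNS queries), so it runs offline on the constructed samples below.
"""
import re

# Terms that cost a DNS lookup. RFC 7208 section 4.6.4 caps the total at 10;
# 'ip4', 'ip6', 'all' and 'exp' are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Result an IP that matches nothing else receives, keyed by the 'all' qualifier.
ALL_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# qualifier, mechanism name, optional ':arg' or '/cidr'
TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)([:/].*)?")


def parse_spf(record: str) -> dict:
    """Split a record into (qualifier, name, arg) terms and summarise it."""
    tokens = record.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    terms, all_qualifier = [], None
    for tok in tokens[1:]:
        if "=" in tok:  # modifier, e.g. redirect=_spf.example.com
            name, value = tok.split("=", 1)
            terms.append(("", name.lower(), value))
            continue
        m = TERM_RE.fullmatch(tok)
        if not m:
            raise ValueError(f"unparseable term: {tok}")
        qualifier = m.group(1) or "+"  # a bare mechanism means '+'
        name = m.group(2).lower()
        if name == "all":
            all_qualifier = qualifier
        terms.append((qualifier, name, m.group(3)))
    return {
        "terms": terms,
        "all_qualifier": all_qualifier,
        # No 'all' term at all: unlisted senders get 'neutral' (RFC 7208 s4.7).
        "unlisted_ip_result": ALL_RESULTS.get(all_qualifier, "neutral"),
        "lookups": sum(1 for _, name, _ in terms if name in LOOKUP_TERMS),
    }


def lint_spf(record: str) -> list:
    """Return human-readable warnings for the mistakes seen most often."""
    info = parse_spf(record)
    warnings = []
    q = info["all_qualifier"]
    if q is None:
        warnings.append("no 'all' term: unlisted senders get 'neutral', i.e. no policy at all")
    elif q == "+":
        warnings.append("'+all' authorises the whole Internet to send as this domain")
    elif q == "~":
        warnings.append("'~all' (softfail): unauthorised senders are only flagged; "
                        "move to '-all' once every mail source is listed")
    if info["lookups"] > 10:
        warnings.append(f"{info['lookups']} DNS-lookup terms exceed the limit of 10; "
                        "receivers return permerror and the record protects nothing")
    names = [name for _, name, _ in info["terms"]]
    if "all" in names and names.index("all") != len(names) - 1:
        warnings.append("terms after 'all' are never evaluated")
    if "ptr" in names:
        warnings.append("'ptr' is deprecated and slow; replace it with ip4/ip6, a or mx")
    return warnings


def dmarc_credits_spf(spf_result: str) -> bool:
    """DMARC counts SPF only when the result is exactly 'pass'.

    'softfail' (~all) and 'fail' (-all) are indistinguishable to it, so the
    hard-fail upgrade matters most for receivers that act on SPF alone.
    """
    return spf_result == "pass"


if __name__ == "__main__":
    # Constructed sample records, one testing-mode and one strict.
    for rec in ("v=spf1 include:_spf.google.com ~all",
                "v=spf1 include:_spf.google.com -all",
                "v=spf1 +all"):
        info = parse_spf(rec)
        print(rec, "->", info["unlisted_ip_result"], lint_spf(rec))
```

Run it on your own record (copy the TXT value in place of the samples): anything other than an empty warning list is worth fixing before you tighten DMARC.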

Protocol 02

The DMARC Journey

DMARC uses SPF and DKIM to make a final decision: a message passes only if SPF or DKIM passes for a domain aligned with the visible From header, and the p= tag tells receivers what to do when neither does. It's a journey from observation to enforcement.

p=none

Monitoring

No action is taken against failing mail. You receive aggregate (rua) reports showing which servers are sending as your domain and whether they pass.

High Risk: Spoofers can still send email as you.

p=quarantine

Filtering

Receivers treat failing mail as suspicious, typically delivering it to the recipient's spam folder.

Medium Risk: Better, but spoofed emails still reach the user (in spam).

p=reject

Shielding

Failing mail is refused outright, usually at the SMTP level. It never reaches the inbox or the spam folder.

Lowest Risk: Direct spoofing of your exact domain is blocked by every receiver that honours DMARC. It does not cover lookalike domains or display-name tricks, and subdomains inherit p= only if you do not set a weaker sp= tag.
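
The three policies above only make sense once you see how DMARC decides that a message "fails". The following added Python example (not code from the original page) parses a DMARC record and computes the disposition for one message from its SPF and DKIM results, including identifier alignment, the sp= subdomain policy, and the fact that SPF softfail and fail are treated identically. It runs offline on constructed inputs and approximates the organisational domain as the last two labels; a real implementation must use the Public Suffix List instead.

```python
"""Compute the DMARC disposition for one message.

Added illustration, not the page's own code. Inputs are the record text and
the message's authentication results, so it runs offline. The two-label
organisational domain is an assumption; real code uses the Public Suffix List.
"""


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=...' into a tag dict with RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("invalid DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    tags.setdefault("adkim", "r")     # relaxed alignment unless adkim=s
    tags.setdefault("aspf", "r")      # relaxed alignment unless aspf=s
    return tags


def org_domain(domain: str) -> str:
    # Assumption: organisational domain = last two labels (example.com).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_disposition(record: str, from_domain: str, spf_result: str,
                      spf_domain: str, dkim_result: str, dkim_domain: str) -> str:
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject').

    record      - the DMARC record published by the From domain's org domain
    from_domain - domain of the RFC 5322 From header (what the user sees)
    spf_domain  - envelope MAIL FROM domain that SPF actually evaluated
    dkim_domain - d= of a DKIM signature that verified, '' if none
    """
    tags = parse_dmarc(record)
    # SPF counts only when its result is exactly 'pass' AND the envelope domain
    # aligns with From. softfail (~all) and fail (-all) both land here as failures.
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # A failing message gets the From domain's own policy: p= for the org
    # domain, sp= for its subdomains. A lookalike domain publishes its own
    # record (or none), which is why p=reject cannot cover it.
    is_subdomain = org_domain(from_domain) != from_domain.lower().rstrip(".")
    return tags["sp"] if is_subdomain else tags["p"]


if __name__ == "__main__":
    # Constructed records for a fictional example.com store.
    monitoring = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
    enforcing = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    # A spoofed receipt: attacker IP fails SPF, no DKIM signature.
    print(dmarc_disposition(monitoring, "example.com", "fail", "example.com", "none", ""))
    print(dmarc_disposition(enforcing, "example.com", "fail", "example.com", "none", ""))
    # A legitimately forwarded order confirmation: SPF broke, DKIM survived.
    print(dmarc_disposition(enforcing, "example.com", "fail", "example.com",
                            "pass", "example.com"))
```

The forwarded-mail case is the reason to sign with DKIM before moving to p=reject: SPF fails for every forwarder, and without an aligned DKIM signature your own mail would be rejected along with the spoofs.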

Revenue Risk Alert

p=none is a monitoring setting, not a defence, and it is the setting most impersonated brands are stuck on. If you run an eCommerce store, attackers can send fake receipts or shipping updates that appear to come from your actual domain, harvesting customer data and destroying your reputation.

Implementation

Common Provider Setup

Google Workspace

v=spf1 include:_spf.google.com -all

Microsoft 365

v=spf1 include:spf.protection.outlook.com -all

Shopify with Google Workspace (Generic)

v=spf1 include:shops.shopify.com include:_spf.google.com -all

WooCommerce has no include of its own: it sends through your web server or an SMTP plugin, so list that server's ip4: or the plugin provider's include: instead. Every include: costs one of the 10 DNS lookups SPF allows, so keep the list to the providers that actually send for you.

Interactive Tool

Record Playground

Visualize the difference. Toggle between Testing and Strict modes to see how your record should evolve.

Testing Mode
v=spf1 include:_spf.google.com ~all