SPF default setting that lets spoofers in

How a single character makes email spoofing possible

Have you ever checked your domain’s email settings and found something like this?

v=spf1 include:_spf.google.com ~all 

That little tilde before the “all” — ~all — might look harmless, but it’s one of those quiet compromises that explains a lot about why the internet is the way it is: messy, backwards compatible, and slightly too polite. Let’s talk about how we ended up here.

Back when email was the Wild West

Email was invented in the 1970s, when the internet was a friendly neighbourhood of academics who trusted each other. There were no passwords, no spam filters, and absolutely no authentication. If you said you were “professor@cambridge.edu”, everyone believed you - because why wouldn’t they? Fast forward a few decades, and that naïve trust turned into a spammer’s paradise. To fix that, people came up with SPF (Sender Policy Framework) - a way to tell the world which servers are allowed to send emails for your domain. Problem solved! …except not really.

The problem with being strict

When SPF was introduced, the internet had already gone through thirty years of improvisation. Mail forwarding, mailing lists, relays, random servers passing messages around - you name it. If SPF had said “reject everything that doesn’t match the list” (the -all option), suddenly millions of legitimate emails would have started bouncing back. Forwarded messages? Broken. Mailing lists? Broken. Your friend’s company server that forwards your newsletter? Broken. So the creators of SPF had a dilemma: do we make it secure and break the internet, or make it lenient and keep everyone happy? They chose happiness. Hence ~all - the soft fail.

The art of not making anyone angry

~all basically means: “If this email isn’t on my approved list… I don’t like it, but fine, let it in - just treat it with suspicion.” And that’s been the internet’s unofficial motto ever since. Domain providers loved it, because it meant fewer support tickets from angry customers asking why their emails vanished. Email hosts loved it, because it kept forwarding working. And users? They didn’t notice a thing - except the occasional “email from yourself” that slipped into the spam folder.

The irony of it all

SPF was supposed to make spoofing harder. But with ~all, it mostly just makes it polite. Your mail server doesn’t slam the door; it raises an eyebrow and lets the spammer in “just in case.” That’s why, even today, you can still receive scam emails pretending to be from your own domain - and they technically pass through. It’s the internet equivalent of a security guard who whispers: “You don’t look like you work here, but go on, I’ll keep an eye on you.”

So why hasn’t it changed?

Because email is built on not breaking things. Every new security layer - SPF, then DKIM, then DMARC - had to be optional, compatible, and gentle enough not to scare off the millions of systems already running. It’s evolution by compromise. The result? A system that technically works, but only as long as everyone plays nice. And in 2025, we all know that’s not how the internet works.

***

The takeaway

If your domain still uses ~all, you’re in good company - most do. But if you want to tighten things up, you can safely switch to -all once you’re sure you’ve listed all your legitimate senders (and ideally added DKIM and DMARC too). Until then, every time you see that ~all, remember: it’s not a bug. It’s a historic peace treaty between security and convenience.
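To make the difference concrete, here is a small SPF evaluator added as an example (it is not code from the original post). It implements only the ip4, ip6, include and all terms against a constructed, offline stand-in for DNS, and shows the same unlisted sending IP getting "softfail" under a ~all record and "fail" under an otherwise identical -all record. All domains, addresses and records below are constructed.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; nothing is queried over the network.
# example.com keeps the lenient ~all, example.net is the same record tightened to -all.
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.example-mail.net ~all",
    "example.net": "v=spf1 include:_spf.example-mail.net -all",
    "_spf.example-mail.net": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
}

# SPF qualifier prefixes and the result each one yields when its term matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=FAKE_DNS, depth=0):
    """Simplified SPF check (ip4/ip6/include/all only). Returns the SPF result string."""
    if depth > 10:                      # guard against include loops; RFC 7208 caps lookups at 10
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # a term with no prefix means "pass" when it matches
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # the trailing ~all / -all decides everyone not listed
        if name in ("ip4", "ip6"):
            # ipaddress returns False for a v4/v6 mismatch instead of raising
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only when the referenced record yields "pass"
            if check_spf(arg, sender_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                    # record with no "all" term defaults to neutral


if __name__ == "__main__":
    unlisted = "198.51.100.7"           # constructed: a sender not in any ip4/ip6 term
    print("example.com (~all):", check_spf("example.com", unlisted))  # softfail: let in, flagged
    print("example.net (-all):", check_spf("example.net", unlisted))  # fail: can be rejected
    print("listed sender:", check_spf("example.com", "203.0.113.5"))  # pass via include
```

Receivers act on the returned result, and with DMARC in place a "fail" from -all aligns with a reject or quarantine policy rather than a mere spam-folder hint.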