My SPF record has the hardfail enabled. Why is Valimail's SPF record ending with a softfail? How will this affect our SPF response?
Every SPF record includes the “all” mechanism, which serves as a default match for anything not listed in the SPF record. The “all” mechanism is expressed with one of the following qualifiers, each of which causes the evaluation result shown:
“+all” (a qualifier may also be omitted, which means “+”): pass
“-all”: fail
“~all”: softfail
“?all”: neutral
For example, a domain that includes “+all” in its SPF record will always receive an SPF result of pass for every message, regardless of whether or not it was actually sent by or on behalf of the domain.
According to RFC 7208, the SPF specification, a “fail” result (often called a “hard fail”) means that the domain is explicitly saying that the host is not authorized to send mail using this domain, while a “softfail” is a weaker statement saying only that the host is probably not authorized. The two can be treated differently by receiving domains, especially older mail systems; a “hardfail” result sometimes means immediate rejection of the message, while a “softfail” rarely causes a bounce by itself (although it can contribute to a decision to deliver the message to a spam folder or reject it outright).
The recommendation from the Email Authentication Best Practices document is that when a receiving domain is doing the DMARC validation, a DMARC pass should override any SPF “fail” except in the specific case where a domain’s SPF record indicates that it sends no mail (“v=spf1 -all”). The recommendation means that no message should be rejected due solely to SPF hardfail, but unfortunately, not all domains follow this best practice. This means that use of the “-all” mechanism puts a domain’s legitimate mail at higher risk of rejection than does “~all”, and so Valimail recommends that all of its customers use “~all” in their SPF records in order to ensure that each valid message is given the full opportunity to receive a DMARC pass verdict.
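The following added example (not Valimail's code, and not part of the original article) models the difference the two qualifiers make. It contains a deliberately simplified SPF evaluator that understands only ip4/ip6 mechanisms and “all” (no DNS lookups), a DMARC pass check, and two receiver behaviours: a legacy receiver that rejects on SPF “fail” before looking at DMARC, and a receiver that follows the best practice described above, where a DMARC pass overrides an SPF fail except for the “v=spf1 -all” record. The scenario it runs, a legitimate message forwarded through a host outside the sender's SPF record with an aligned DKIM signature intact, uses constructed IP addresses and records.

```python
import ipaddress

# SPF "all" qualifiers and the result each produces (RFC 7208 section 4.6.2)
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate a simplified SPF record against the connecting IP.

    Supports only ip4/ip6 mechanisms and "all" (no DNS lookups), which is
    enough to show how the "all" qualifier decides the default result.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an omitted qualifier means "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            # an IPv6 sender never matches an ip4 network, and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIER_RESULT[qualifier]
        else:
            raise ValueError(f"mechanism not supported by this demo: {name}")
    return "neutral"  # no mechanism matched and no "all": RFC 7208 section 4.7


def dmarc_pass(spf_result, spf_aligned, dkim_result, dkim_aligned):
    """DMARC passes when at least one aligned identifier (SPF or DKIM) passes."""
    return (spf_result == "pass" and spf_aligned) or (dkim_result == "pass" and dkim_aligned)


def legacy_disposition(spf_result):
    """Receiver that rejects on SPF hard fail before considering DMARC."""
    if spf_result == "fail":
        return "reject"
    return "accept"  # softfail/neutral/pass are delivered (possibly to a spam folder)


def best_practice_disposition(record, spf_result, dmarc_passed, dmarc_policy="reject"):
    """Receiver following the best practice in the article: a DMARC pass
    overrides any SPF fail, except when the sending domain publishes the
    "sends no mail" record "v=spf1 -all"."""
    if spf_result == "fail" and record.split() == ["v=spf1", "-all"]:
        return "reject"
    if dmarc_passed:
        return "accept"
    # DMARC failed: apply the domain's published DMARC policy (p= tag)
    return {"none": "accept", "quarantine": "spam-folder", "reject": "reject"}[dmarc_policy]


def forwarded_message_outcomes():
    """Constructed scenario: legitimate mail forwarded through a host that is
    not in the sender's SPF record, with an aligned DKIM signature that
    survived forwarding. Compares "-all" against "~all" at both receivers."""
    outcomes = {}
    for all_qualifier in ("-all", "~all"):
        record = f"v=spf1 ip4:192.0.2.0/24 {all_qualifier}"  # constructed record
        spf = evaluate_spf(record, "198.51.100.7")  # constructed forwarder IP
        passed = dmarc_pass(spf, True, "pass", True)
        outcomes[all_qualifier] = {
            "spf": spf,
            "dmarc": "pass" if passed else "fail",
            "legacy_receiver": legacy_disposition(spf),
            "best_practice_receiver": best_practice_disposition(record, spf, passed),
        }
    return outcomes


if __name__ == "__main__":
    for qualifier, result in forwarded_message_outcomes().items():
        print(qualifier, result)
```

Running it shows that DMARC passes in both cases thanks to the aligned DKIM signature, and the best-practice receiver accepts the message either way; only the legacy receiver's behaviour differs, rejecting the “-all” variant and delivering the “~all” one. That asymmetry is the risk the recommendation above is about.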
Why Valimail Uses an SPF Soft Fail and Not a Hard Fail