SPF uses soft-fail instead of hard-fail

SPF (Sender Policy Framework) is a DNS setting that lists which email services are allowed to send on your behalf. The soft-fail setting (~all) tells receiving mail servers to accept but flag suspicious emails, rather than reject them outright.

Why this matters

Soft-fail is a stepping stone, not a final destination. Emails that fail your SPF check can still be delivered to inboxes, which means phishing attempts using your domain may still reach victims. Moving to hard-fail (-all) alongside a strong DMARC policy closes this gap.

How to fix it

Once you are confident all your legitimate email-sending services are listed in your SPF record, ask your IT provider to change the ending from ~all to -all. Pair this with a DMARC policy set to "reject" for the strongest protection.
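As an added example that is not part of the original finding, the following Python helper shows what the check behind this finding looks like in practice: it parses an SPF TXT record, reports which policy its "all" term expresses (soft-fail, hard-fail, neutral or missing), parses the DMARC record's p= tag, and rewrites a soft-fail record to hard-fail without touching the listed senders. The record strings, domain names and mailbox addresses are constructed for the demonstration; the helper reads records you pass in and does no DNS lookups itself.

```python
"""Assess SPF and DMARC policy strength from DNS TXT record strings.

Hypothetical helper written for this page (not the report's own code).
Records below are constructed samples; replace them with the TXT
records returned for your own domain and _dmarc.<domain>.
"""
import re
from typing import Dict, List, Optional, Tuple

# SPF qualifier characters and the policy each expresses on the "all" term.
QUALIFIERS = {"+": "pass", "-": "hard-fail", "~": "soft-fail", "?": "neutral"}

# Constructed sample records (documentation IP range, example.com domain).
SPF_SOFT = "v=spf1 include:_spf.example.com ip4:203.0.113.0/24 ~all"
SPF_HARD = "v=spf1 include:_spf.example.com -all"
DMARC_QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
DMARC_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"


def parse_spf(record: str) -> Dict[str, object]:
    """Split an SPF record into (qualifier, mechanism) pairs and the 'all' qualifier."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms: List[Tuple[str, str]] = []
    all_qualifier: Optional[str] = None
    for term in terms[1:]:
        if "=" in term:          # modifiers such as redirect= or exp= are not mechanisms
            continue
        qualifier = "+"          # an unqualified mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier}


def spf_all_policy(record: str) -> str:
    """Return the policy the record applies to senders not listed in it."""
    qualifier = parse_spf(record)["all"]
    if qualifier is None:
        return "missing"         # no 'all' term: unlisted senders get a neutral result
    return QUALIFIERS[qualifier]


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse a DMARC record's semicolon-separated tag=value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record: str, dmarc_record: Optional[str]) -> List[str]:
    """Return the findings a report like this one would raise for the two records."""
    findings: List[str] = []
    policy = spf_all_policy(spf_record)
    if policy != "hard-fail":
        findings.append(f"SPF uses {policy} instead of hard-fail")
    if dmarc_record is None:
        findings.append("DMARC record missing")
    else:
        p = parse_dmarc(dmarc_record).get("p", "none").lower()
        if p != "reject":
            findings.append(f"DMARC policy is p={p}, not p=reject")
    return findings


def harden_spf(record: str) -> str:
    """Rewrite the 'all' term to -all, keeping every listed sender as-is."""
    record = record.strip()
    if parse_spf(record)["all"] is None:
        return record + " -all"
    return re.sub(r"(?<=\s)[+~?-]?all(?=\s|$)", "-all", record, flags=re.IGNORECASE)


if __name__ == "__main__":
    for finding in assess(SPF_SOFT, DMARC_QUARANTINE):
        print("finding:", finding)
    print("proposed SPF:", harden_spf(SPF_SOFT))
    print("after fix:", assess(harden_spf(SPF_SOFT), DMARC_REJECT) or "no findings")
```

Run `harden_spf` only after confirming every legitimate sender is already listed, as the finding says: the rewrite changes only the final term, so anything missing from the record will be rejected rather than flagged once -all is published.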