Qualifier for Default Mechanism

To get the most value from a SPF record, it should use the strictest matching.

When creating an SPF record, the last mechanism tells the email receiver what to do if none of the previous mechanisms pass successfully. SPF mechanisms are evaluated from left to right, so hopefully one of the mechanisms passes before reaching the end of the string. If it doesn't it probably isn't a valid email, so you probably want to instruct the email receiver to discard that forged email. You would do this with the -all mechanism.

During testing, you may not feel confident that all of your emails are covered by your SPF mechanisms, so you may want to instruct the email receiver to be a little less strict. You can do this with the "softfail" qualifier ~all. There are two other qualifiers, ?all which means neutral and +all which means to pass all unrecognized email. These last two qualifiers are dangerous and should not be used except for testing.