40.6% of Hutchinson Area Businesses Are Not Using SPF Hardfail

A local email security review found that 158 Hutchinson area customer domains use SPF softfail instead of hardfail, leaving room for stronger spoofing protection.

Email fraud does not usually start with a dramatic breach. Often, it starts with a message that looks like it came from a trusted local business.

In a recent review of Hutchinson area customer domains, MNrisk found that 158 businesses, or 40.6% of the dataset, are using SPF softfail (~all) instead of SPF hardfail (-all).

That detail may look small, but it matters.

What SPF Softfail Means

SPF, or Sender Policy Framework, is a DNS record that tells receiving mail systems which servers are allowed to send email for a domain.

Many businesses have an SPF record that ends with:

~all

That ~all is called a softfail. It tells mail systems, in effect: “If this message comes from a server that is not listed here, treat it as suspicious, but do not necessarily reject it.”

A stronger SPF record ends with:

-all

That -all is called a hardfail. It tells mail systems: “If this message does not come from an approved sender, it should fail SPF.”

Why This Matters For Local Businesses

Attackers do not need to compromise your inbox to abuse your name. If your domain’s email authentication is loose, criminals may have an easier time sending messages that appear to come from your business.

That can create risk for:

  • Customers receiving fake invoices or payment-change requests
  • Employees receiving spoofed messages from ownership or managers
  • Vendors receiving fraudulent order or wiring instructions
  • The business reputation attached to your domain name

SPF hardfail is not a complete email security strategy by itself, but it is one important part of reducing spoofing risk.

Do Not Switch Blindly

There is an important caution here: a business should not change from ~all to -all until legitimate senders are validated.

Many organizations send email through several systems, including Microsoft 365, Google Workspace, website contact forms, accounting platforms, CRM tools, marketing platforms, ticketing systems, and industry-specific software.

If one of those systems is missing from the SPF record, moving straight to hardfail can cause legitimate messages to fail authentication.

The right process is:

  1. Identify every service that sends email for your domain.
  2. Confirm each service is represented correctly in your SPF record.
  3. Remove old or unused senders.
  4. Check DKIM and DMARC alignment at the same time.
  5. Move from ~all to -all once the record is clean.
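The softfail/hardfail distinction above and the five-step process can both be exercised offline. The following Python script is an added example written for this article; it is not MNrisk's tooling. It assumes the SPF records are pasted in as strings (no DNS queries are made, so `include:`, `a` and `mx` terms are listed but not expanded), and that the business has already compiled its own list of known sending services from step 1. The sample record, sender list and IP addresses are constructed for illustration.

```python
"""Offline SPF review helper (added example, not MNrisk's code).

Parses an SPF TXT record, reports how a sending IP would be judged under
~all versus -all, compares the record against a list of known senders,
and builds the tightened record once everything is accounted for.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Terms that each cost a DNS lookup; RFC 7208 caps a record at 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


@dataclass
class SpfRecord:
    terms: List[Tuple[str, str, str]]   # (qualifier, mechanism, value)
    all_qualifier: Optional[str]        # qualifier on the "all" term, if any


def parse_spf(txt: str) -> SpfRecord:
    """Split an SPF record into its terms; only v=spf1 records are accepted."""
    parts = txt.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % txt)
    terms, all_qualifier = [], None
    for part in parts[1:]:
        qualifier = "+"                      # "+" is implied when absent
        if part[0] in QUALIFIERS:
            qualifier, part = part[0], part[1:]
        sep = "=" if "=" in part else ":"    # redirect=/exp= are modifiers
        mech, _, value = part.partition(sep)
        if "/" in mech:                      # a/24 or mx/24 carry a CIDR
            mech, _, cidr = mech.partition("/")
            value = "/" + cidr
        mech = mech.lower()
        if mech == "all":
            all_qualifier = qualifier
            continue
        terms.append((qualifier, mech, value))
    return SpfRecord(terms, all_qualifier)


def check_ip(record: SpfRecord, ip: str) -> str:
    """Result for a sending IP using the ip4/ip6 terms only.

    Terms that need DNS (include, a, mx) are skipped here, so an IP that
    would only match inside an include: falls through to the "all" term,
    which is exactly where ~all and -all differ.
    """
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, value in record.terms:
        if mech in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
    # No "all" term at all means the RFC default of neutral.
    return QUALIFIERS.get(record.all_qualifier, "neutral")


def term_key(mech: str, value: str) -> str:
    return mech + (":" + value if value else "")


def review(record: SpfRecord, known_senders: List[str]) -> dict:
    """Steps 1-3: compare the record with the business's own sender list."""
    present = {term_key(m, v) for _, m, v in record.terms}
    missing = [s for s in known_senders if s not in present]
    unexplained = sorted(present - set(known_senders))
    # Top-level count only; nested includes would need DNS to expand.
    lookups = sum(1 for _, m, _ in record.terms if m in LOOKUP_MECHANISMS)
    return {
        "all": QUALIFIERS.get(record.all_qualifier, "missing"),
        "missing_senders": missing,        # legitimate mail that would fail
        "unexplained_terms": unexplained,  # old vendors to remove or confirm
        "lookup_terms": lookups,
        "ready_for_hardfail": not missing and not unexplained and lookups <= 10,
    }


def build_record(validated_senders: List[str], qualifier: str = "-") -> str:
    """Step 5: emit the cleaned record, hardfail by default."""
    return "v=spf1 " + " ".join(validated_senders) + " %sall" % qualifier


# Constructed sample: the "partially configured" state the article describes
# (softfail plus a legacy sender nobody remembers adding).
CURRENT_RECORD = ("v=spf1 include:spf.protection.outlook.com "
                  "include:_spf.google.com ip4:203.0.113.10 "
                  "include:mail.old-vendor.example ~all")

# Constructed step-1 inventory: Microsoft 365, the website's form server,
# and an accounting platform that was never added to DNS.
KNOWN_SENDERS = ["include:spf.protection.outlook.com", "ip4:203.0.113.10",
                 "include:accounting.example"]

if __name__ == "__main__":
    current = parse_spf(CURRENT_RECORD)
    print("unknown server under current record:", check_ip(current, "198.51.100.7"))
    print("review:", review(current, KNOWN_SENDERS))
    cleaned = parse_spf(build_record(KNOWN_SENDERS))
    print("unknown server under cleaned record:", check_ip(cleaned, "198.51.100.7"))
    print("review after cleanup:", review(cleaned, KNOWN_SENDERS))
```

Run against the sample, the review flags one legitimate sender missing from DNS (the accounting platform) and two terms the inventory cannot explain, so `ready_for_hardfail` is false and switching to `-all` now would break real mail. Once the inventory and the record agree, the rebuilt record turns the unknown server's result from softfail to fail.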

What The 40.6% Number Tells Us

The finding is not that these businesses are doing nothing. In fact, having SPF at all is a good starting point.

The issue is that many local domains appear to be sitting in a “partially configured” state. SPF was added at some point, but it may never have been tightened after the business confirmed who should be allowed to send email.

That is common. DNS records get created during a Microsoft 365 migration, a website launch, or an email provider change, then they are rarely revisited.

But email security is not a set-it-and-forget-it item. As businesses add new tools, retire vendors, or change IT providers, their email authentication records should be reviewed too.

A Practical Next Step

If your business uses a custom domain for email, ask your IT provider or security partner to review your SPF, DKIM, and DMARC records.

At minimum, you want to know:

  • Who is authorized to send email for your domain?
  • Are any old vendors still listed?
  • Is your SPF record still using ~all?
  • Can your domain safely move to -all?
  • Is DMARC set to monitor only, or to enforce a policy against suspicious mail?

For many small businesses, this is a quick review. For businesses with multiple software platforms sending email, it may take a little more discovery. Either way, it is easier to fix before a spoofed invoice or fake payment request creates confusion.

Bottom Line

In MNrisk’s customer data, 40.6% of Hutchinson area businesses reviewed are using SPF softfail instead of hardfail.

That means there is a clear opportunity for local businesses to strengthen email authentication without buying another tool or adding complexity. Validate legitimate senders first, then consider moving SPF from ~all to -all as part of a broader SPF, DKIM, and DMARC review.

Small DNS details can carry real business risk. This is one worth checking.

Need Help Reviewing Your Email Security?

Minnesota Risk & Cybersecurity Advisory helps businesses review SPF, DKIM, DMARC, DNS records, and the systems that send email on behalf of their domain.

If you are not sure whether your domain can safely move from ~all to -all, we can help identify legitimate senders, clean up old records, and build a practical path toward stronger email authentication.

Feel free to reach out if you would like help reviewing your email security posture.