SPF failure occurs when the sender IP address is not found in the SPF record. This means the email is sent to spam or discarded.
If DMARC is not implemented :-
SPF Softfail (~all) – The tilde “~” in front of “all” means that any servers not listed in SPF record should be treated as a softfail, ie. mail can be allowed through but should be tagged as spam or suspicious.
SPF Softfail example:
v=spf1 include:spf.protection.outlook.com ~all
In this case the include:spf.protection.outook.com authorizes Office 365 to send emails. Any emails originating from different servers should be marked as spam by the receivers.
SPF Hardfail (-all) – The minus “-” in front of “all” means that any senders not listed in SPF record should be treated as a hardfail. This means they are unauthorized senders and emails from them should be discarded.
SPF Hardfail example:
v=spf1 ip4:192.168.0.1 -all
In this case only the IP address 192.168.0.1 is authorized to send emails.
If DMARC is implemented :-
DMARC ignores the nuances of softfail and hardfail in your SPF configuration i.e. ~all and -all are treated equivalently as a SPF fail.