Major Mail Providers Using SPF SoftFail

Hi nh905g

While it is generally recommended for domains to use the “-” qualifier with the “all” mechanism, the great majority of receivers will not differentiate between both. Currently, the biggest incentive in choosing “-all” is to comply with security audits performed by services such as Bitsight.

For instance, in Microsoft 365, the default disposition for hardfail is the same as softfail. You need to specifically turn it on so that a hardfail results in a spam verdict every time. Note that it is to mark the email as spam, not reject it. A reject action can be taken, but it would apply to all spam verdicts. It would be preferable to create a custom mail flow rule to reject such messages with a message.


Moreover, DMARC is built on top of DKIM and SPF, and typically DMARC check results will supersede the individual verdict of SPF and DKIM. This means even when SPF is set to hardfail, a DMARC action of “none” will likely supersede it. Some email security services will allow custom actions to override this, but not all.

Ultimately, your case is unfortunately common, and custom or manual actions are sometimes the best course of action.

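As an added example (not code from the post or from any product it mentions), the Python below parses an SPF record's `all` qualifier and a DMARC record's `p=` tag and derives the disposition a DMARC-aware receiver applies to an unaligned, unsigned message, which makes the point above concrete: `-all` combined with `p=none` still enforces nothing. The records are constructed samples; DNS lookups, `redirect=` and DKIM evaluation are left out.

```python
"""Added example: SPF 'all' qualifier vs. DMARC policy, and which one wins.
The records passed in are constructed samples, not real domains' data."""
import re
from typing import Optional

# Qualifier on the "all" mechanism -> SPF result for a sender not listed earlier.
SPF_ALL_RESULTS = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass"}


def spf_all_result(spf_record: str) -> str:
    """Return the SPF result an unlisted sender gets from this record."""
    if not spf_record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    for term in spf_record.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return SPF_ALL_RESULTS[m.group(1) or "+"]
    # No "all" mechanism (and no redirect= handled here): RFC 7208 yields neutral.
    return "neutral"


def dmarc_policy(dmarc_record: Optional[str]) -> str:
    """Return the requested DMARC policy (p= tag); no record means no policy."""
    if not dmarc_record:
        return "none"
    tags = {}
    for tag in dmarc_record.split(";"):
        if "=" in tag:
            key, value = tag.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags.get("p", "none").lower()


def effective_disposition(spf_record: str, dmarc_record: Optional[str]) -> str:
    """Disposition a DMARC-aware receiver applies to a message that hits the
    SPF 'all' mechanism and carries no DKIM signature. When a DMARC record is
    published, its policy supersedes the raw SPF verdict; with no DMARC record
    the receiver is left with the SPF verdict alone, and most treat fail and
    softfail alike."""
    spf = spf_all_result(spf_record)
    if dmarc_record:
        policy = dmarc_policy(dmarc_record)
        return policy if policy in ("reject", "quarantine") else "none"
    return "spf-only: " + spf  # receiver-dependent handling, no DMARC enforcement
```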