PowerDMARC appears to recommend that SPF records use -all. This is not a wise default. Unless a domain is parked, SPF records should always use ~all. Using ~all aligns with M3AAWG's current best practices https://www.m3aawg.org/sites/default/files/m3aawg-email-authentication-recommended-best-practices-09-2020.pdf As further evidence that this default should be changed: it is not uncommon for some smaller receivers (small mass web hosting companies are particularly bad for this) to reject forwarded email if the sending domain uses -all in the SPF record. This problem disproportionately affects small businesses, who are our target market. I would like to prevent our technicians from having to remember to change from the default -all to ~all. It's just too easy to miss the difference between the two.