What is Sender Policy Framework (SPF)

October 11, 2023  |  4 min read
"Learn about Sender Policy Framework (SPF), an email authentication protocol that prevents email spoofing by verifying authorized senders for a domain."

What is SPF

SPF(Sender Policy Framework) is an email authentication protocol that domain admins deploy to prevent spammers from spoofing their domain. The admin specifies the IPs allowed to send an email on the domain’s behalf in an SPF record. SPF is used by recipient mail servers to check if the emails received and appearing from a domain were authorized by the domain admins.

During mail delivery, SPF allows the recipient mail server to verify that a message appearing to come from a given domain is sent from an IP address approved by the domain’s administrators. The list of the allowed IPs sent is published in the DNS record of that domain. SPF helps prevent outgoing emails from being marked as spam by receiving mail servers.

History of the Sender Policy Framework (SPF)

SPF progressed through multiple drafts after first originating in 2000. Its original title SPF (Sender Permitted From), which changed to the Sender Policy framework.

An IETF SPF working group combined SPF and Microsoft’s CallerID proposal. The “traditional” version of SPF was implemented for the next attempt. This resulted in the first experimental RFC in 2006 and, eventually, the proposed standard SPF in 2014, known as RFC 7208.

  • In this day and age, email authentication methods such as SPF have developed and led to techniques such as DKIM and DMARC. However, SPF still plays a vital role in the email authentication process and in determining whether an email is compatible with DMARC.

How SPF works

Adding an SPF record to your DNS is a requirement if you want to ensure email from your domain is sent properly. In the SPF record, you specify which IP addresses and/or hostnames are authorized to send an email on behalf of your domain.

The recipient mail server uses the “Return-Path header” in the inbound email address to verify that the sending IP address is included in the SPF record of the sending domain. If the sending IP isn’t included in the SPF record, the SPF check will fail, and the receiving mail server will mark the email as suspicious and reject it.

How to Create an SPF Record

Five Easy Steps to Building Your SPF Record include:
Step 1: Compile email-sending IP addresses. Finding out which mail servers you use to send email from your domain is the first step in implementing SPF.

Step 2: Make a list of your transmitting domains in step two.

Step 3: Create your SPF record in step 3

Step 4: Publish your SPF to DNS in step four.

Step 5: Test!

To create your SPF record, you can use our free SPF record generator tool.

Sender Policy Framework Limitations

SPF is an authentication technique that can verify the senders of emails. It’s a great way to add an extra layer of security, but there are some limitations to consider.

  • The “From” header in an email is often displayed as the actual sender, but SPF doesn’t actually validate this. Instead, SPF uses the “envelope from” to verify the sending domain.
  • When you forward an email, the SPF check will fail. This is because the ‘forwarder’ becomes the new ‘sender’ of the message, and they are not authorized to send emails on your domain’s behalf.

SPF limitations are solved with DMARC, as DMARC relies on two protocols, SPF & DKIM, and the SPF limitations are solved with DKIM.

Why do I need an SPF record?

In a world where cybercrime is consistently rising, using SPF is essential to fight email impersonation and spoofing. It is the only way receiving mail servers can verify that servers authorized by you sent the email that appears to come from your domain

Without SPF, emails sent from your domain are likely to be sent to the spam folder by receiving mail servers.

Here’s what strong SPF email policies can do.

  • Improve deliverability: Most email recipients don’t check their junk; therefore, businesses whose emails land in spam will experience complications communicating with clients and prospective leads.
  • Combat email spoofing: Not having an SPF record could warn recipients that your email could be an attempt at phishing, which would drastically damage the business’s reputation. In some cases, the system rejects the message for business email servers or sends it directly to the recipient’s junk inbox.
  • Improve domain reputation: Businesses rely on commercial or transactional emails. It is essential to note that email authentication confirms the legitimacy of your emails. Therefore, If you are a business sending commercial or transactional emails, you need to properly implement email authentication standards like SPF to improve your email deliverability.

Conclusion

Skysnag’s automated SPF software has been developed to help verify the identity of an email sender and protect your domain from phishing attacks while taking care of your email deliverability. Get started with Skysnag by signing up using this link for a free trial today and protect your domain’s reputation. 

Check your domain's DMARC security compliance

Enforce DMARC, SPF and DKIM in days - not months

Skysnag helps busy engineers enforce DMARC, responds to any misconfigurations for SPF or DKIM which increases email deliverability, and eliminates email spoofing and identity impersonation.