What is SPF (Sender Policy Framework)

Get a basic understanding of what Sender Policy Framework is and how it affects your mail.

The Sender Policy Framework (SPF) is one of the authentication techniques on which Domain-based Message Authentication, Reporting, and Conformance (DMARC) is built. DMARC is a protocol that assists email senders and receivers in verifying the identity and legitimacy of the messages they exchange. DMARC prevents email spoofing, phishing, and spam by using two authentication methods: SPF and DomainKeys Identified Mail (DKIM).

What is SPF?

SPF allows a domain owner to publicly declare which servers or IP addresses may send emails on its behalf. For example, if a domain owner uses one application to send its notification emails and another to send its marketing emails, it would need to include both of those services as its approved senders in its SPF record. An SPF record is a Domain Name System (DNS) text entry that specifies the authorized senders for a domain.

How does SPF work?

When a server receives an email, it checks the SPF record of the sender's domain to see if the email originates from an authorized source. If the sender's IP address matches one of the entries in the SPF record, the email passes the SPF check and is considered authentic. If the sender's IP address does not match any of the entries in the SPF record, the email fails the SPF check and is considered unauthentic. The receiving server can then decide how to handle the email based on its DMARC policy, which can be to accept, quarantine, or reject the message.

Why is SPF important?

SPF is important because it helps protect both email senders and receivers from fraudulent and malicious emails. By using SPF, email senders can improve their reputation and deliverability, as well as reduce the risk of their domain being blacklisted or spoofed. Email receivers can also benefit from SPF, as they can filter out unwanted and harmful emails, and ensure that they only receive messages from legitimate and trusted sources.

What are the limitations of SPF?

  • SPF only verifies the envelope sender, not the header sender. The envelope sender is the address that the email delivery system uses, while the header sender is the address that the email recipient sees. These two addresses can differ, and spammers can exploit this by using a valid envelope sender and a spoofed header sender. Therefore, SPF does not prevent phishing attacks that attempt to deceive the recipient with a fake header sender.
  • SPF does not protect against email forwarding. When a third party forwards an email, the original envelope sender remains unchanged, but the receiving server now sees the forwarder's IP address as the connecting source. This can cause the SPF verification to fail, even if the original sender is authorized. This can result in false positives, where authentic emails are marked as unauthentic and rejected or quarantined.
  • SPF does not encrypt or sign the email content. SPF only validates the source of the email, but it does not ensure the integrity or confidentiality of the email content. Spammers can still alter or tamper with the email content, or intercept and read the email in transit. Therefore, SPF does not prevent content-based attacks, such as malware, ransomware, or data theft.
  • SPF limits evaluation to 10 DNS lookups per SPF record. If you are a domain owner planning to publish an SPF record in DNS, ensure that this limit is not exceeded, or else the SPF check of your record will fail.

SPF Syntax

v=spf1 [mechanisms] [qualifiers]

v=spf1

The v=spf1 part indicates the version and the protocol of the SPF record. There is only one version of SPF, and the protocol is always spf1.

[mechanisms]

The mechanisms are the rules that define how to match the sender's IP address or host with the SPF policy. There are several types of mechanisms, such as:

  • a: matches the sender's IP address against the domain's A or AAAA records
  • mx: matches the sender's IP address against the domain's MX records
  • ip4: matches the sender's IPv4 address against a specific address or range
  • ip6: matches the sender's IPv6 address against a specific address or range
  • include: includes the SPF policy of another domain
  • all: matches any sender's IP address

[qualifiers]

The qualifiers are the actions that indicate how to handle the emails that match or do not match the mechanisms. There are four qualifiers:

  • +: pass, the email is accepted (NOT RECOMMENDED)
  • ?: neutral, the email is neither accepted nor rejected (NOT RECOMMENDED)
  • -: fail, the email is rejected
  • ~: softfail, the email is accepted but marked as suspicious

An example of a simple SPF record is:

v=spf1 mx -all

This means that only the IP addresses that correspond to the domain's MX records are allowed to send emails on behalf of the domain, and any other IP address is rejected.
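As an added example (not Sendmarc's code or tooling), the evaluator below parses records in the syntax above, checks a sending IP against ip4, ip6, include and all terms with their qualifiers, follows redirect, and enforces the 10-lookup limit from the limitations section. It resolves records from a constructed in-memory zone instead of DNS, so a, mx, ptr and exists are counted toward the limit but never matched.

```python
import ipaddress

ZONE = {  # constructed in-memory zone standing in for DNS TXT lookups; not real records
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "redirected.example": "v=spf1 redirect=example.com",
}
DNS_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}  # each costs one DNS lookup
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}  # "+" is the default

def parse(record):
    """Split an SPF record into (qualifier, name, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for tok in parts[1:]:
        qual = "+"
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        if "=" in tok:                  # modifier, e.g. redirect=example.com
            name, arg = tok.split("=", 1)
        else:                           # mechanism, e.g. ip4:192.0.2.0/24 or all
            name, _, arg = tok.partition(":")
        terms.append((qual, name.lower(), arg))
    return terms

def lookup_count(domain, zone=ZONE):
    """Count DNS-querying terms reachable from a record, nested include/redirect included."""
    count = 0
    for _, name, arg in parse(zone[domain]):
        if name in DNS_TERMS:
            count += 1 + (lookup_count(arg, zone) if name in ("include", "redirect") else 0)
    return count

def check(ip, domain, zone=ZONE):
    """Evaluate ip against domain's record: pass, fail, softfail, neutral, none or permerror."""
    if lookup_count(domain, zone) > 10:
        return "permerror"
    addr, redirect = ipaddress.ip_address(ip), None
    for qual, name, arg in parse(zone[domain]):
        if name in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qual]
        if name == "include" and check(ip, arg, zone) == "pass":
            return QUALIFIERS[qual]     # include matches only on a nested pass
        if name == "all":
            return QUALIFIERS[qual]     # catch-all ends evaluation
        if name == "redirect":
            redirect = arg              # used only if nothing above matched
    return check(ip, redirect, zone) if redirect else "none"
```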

How to choose the right SPF qualifier?

The choice of SPF qualifier depends on the domain owner's preference and risk tolerance. Generally, it is recommended to use the Hard Fail (-) qualifier for domains that send critical or sensitive emails, such as financial or legal services. This way, the domain owner can ensure that only authorized servers can send email on their behalf, and that any spoofed emails are rejected by the recipient server. However, the domain owner should also make sure that their SPF record is accurate and up-to-date, and that they include all the legitimate sources of email for their domain, such as web hosts, email providers, third-party services, etc. Otherwise, they may risk losing some valid emails that fail the SPF check.

On the other hand, the Soft Fail (~) qualifier may be a good option for domains that send less critical or less sensitive emails, such as newsletters, marketing, or social media. This way, the domain owner can still indicate their preference for authorized servers, but also allow some flexibility for the recipient server to decide how to handle the email. This can reduce the chances of losing valid emails that fail the SPF check, but it can also increase the chances of receiving spoofed emails that pass the SPF check.

The Neutral (?) and Allow all (+) qualifiers are not recommended for any domain, as they do not provide any benefit or protection against email spoofing and phishing attacks. They essentially disable the SPF mechanism and allow any server to send email on behalf of the domain. This can harm the domain's reputation and deliverability, as well as expose the domain's users to malicious emails.

SPF Redirect

The redirect modifier allows a domain to point to another domain's SPF record and use it as its own. For example:

v=spf1 redirect=example.com

This means that the domain will use the SPF record of example.com as its own, and ignore any other mechanisms or modifiers in its record.

Need Help?

support@sendmarc.com is standing by to assist!