SPF, or Sender Policy Framework, is a method of email authentication that helps to prevent email spoofing. In email spoofing, someone pretends to be the sender of an email by forging the sender’s email address.
Using SPF, the true owner of an email domain can specify which servers and IP addresses are allowed to send emails from that domain. This information is published in the domain’s DNS records. When an email is received, the receiving server checks the SPF record to verify that the email is indeed coming from an authorized server for that domain. If not, it may mark the email as spam or reject it.
It is important to note that SPF only authenticates the sending server and does not necessarily verify the sender’s identity. For more thorough email authentication, it is recommended to combine SPF with DKIM, DMARC, and BIMI, which can result in major improvements to your email security.
SPF records are fundamental to email security because they guarantee that your domain is only sending emails from approved servers.
Let’s explore the benefits of having a properly configured SPF email policy:
An SPF record assists in preventing spoofing and phishing scams by affirming that the IP address sending the email is linked to the domain.
By securing your email server with SPF, you make it more difficult for attackers to use your domains to send spam. This helps protect your domain from ending up on global blacklists and DNS blacklists, and as a result, generally improves your email deliverability.
By establishing SPF email policies, you are demonstrating to email services and blacklist sites. This decreases the likelihood of your emails being incorrectly marked as spam and improves your domain reputation with firewalls and other cybersecurity databases.
Scammers often attempt to masquerade as another company by altering the address in the FROM field. However, this scam can be easily thwarted if an SPF record is set up. With an SPF record in place, any email coming from a fraudster posing as someone else will be flagged as invalid by recipient mail servers.
The SPF record contains the main criteria for verification: the sender’s domain and IP address. By comparing these two criteria of the sender in the SPF record with those of the incoming message, the recipient server makes a decision about the security of the message.
In short, the SPF algorithm works in several stages. For example, take sending a message from [email protected] to [email protected] using the Selzy email service provider:
Every email passes through these steps. Graphically, the work of the SPF filter looks as follows:
Sender Policy Framework is a line in the TXT record of the domain. For example, it may look like this:
To create an SPF record, qualifiers and mechanisms are used:
Let’s look at the example above. v=spf1 is the version of SPF used. +a +mx -all are the qualifiers and mechanisms that protect the domain from spoofers.
This record means that all servers listed in the MX and A records of the domain’s DNS, and the server at IP 195.3.159.250, can send messages on behalf of the domain. In addition, messages are accepted from the servers listed in the SPF record of gmail.com. Emails from all other servers should be sent to spam without checking: ~all.
This is by no means the most complex SPF record. If necessary, it can hold even more parameters.
Here’s a list of them:
| Qualifiers and mechanisms | Meaning |
| --- | --- |
| + | Accept the message. For example: +all – accept all emails |
| - | Reject the message. For example: -all – reject all emails |
| ~ | Accept the email, but mark it as SPAM. For example: ~all – send all emails to SPAM |
| ? | Neutral attitude |
| mx | All addresses specified in the MX records of the domain |
| ip4 | Specify a particular IP address. For example: ip4:195.3.156.134 – accept emails from IP 195.3.156.134 |
| a | Specify the action to be taken when receiving mail from a particular domain. For example: +a – accept all mail sent from an IP that matches the IP address in the A record of the sending domain |
| include | Allow mail from the servers permitted by the SPF record of another domain. For example: include:gmail.com – allows mail from the IPs specified in the SPF record of the gmail.com domain |
| all | All other IPs not listed in the SPF record |
| exists | Check if the domain name is valid |
| redirect | Check the SPF record of the specified domain instead of the current domain |
| exp | Specify an error message to be sent to the sender. For example: example.org. IN TXT “v=spf1 +a +mx -all exp=spf.example.org” together with spf.example.org. IN TXT “Your host is not allowed to email me from this domain” |
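To show how a receiving server applies these qualifiers and mechanisms, here is an added evaluator (example code written for this page, not part of the original article or of any Selzy tooling). It walks an SPF record term by term for a given sending IP and domain; DNS answers are replaced by a constructed in-memory table so it runs offline, and the domains mailhost.example, mx.example.org and the 203.0.113.x / 198.51.100.x addresses are made up for the example.

```python
import ipaddress

# Constructed stand-in for DNS (SPF TXT, A and MX data); a real checker would query
# the resolver. 195.3.159.250 is the address used in the article's example record.
DNS = {
    "example.org": {"txt": "v=spf1 +a +mx ip4:195.3.159.250 include:mailhost.example ~all",
                    "a": ["203.0.113.10"], "mx": ["mx.example.org"]},
    "mx.example.org": {"a": ["203.0.113.20"]},
    "mailhost.example": {"txt": "v=spf1 ip4:198.51.100.0/24 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def _hosts_of(domain, rrtype):
    names = DNS.get(domain, {}).get(rrtype, [])
    if rrtype == "a":
        return names
    # "mx" means the A records of every host named in the domain's MX records.
    return [ip for mx in names for ip in DNS.get(mx, {}).get("a", [])]

def check_spf(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    if depth > 10:                     # guard against include/redirect loops
        return "permerror"
    record = DNS.get(domain, {}).get("txt")
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.lower().split()[1:]:
        qual = "+"                     # a mechanism with no qualifier means "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.startswith("redirect="):
            return check_spf(ip, name.split("=", 1)[1], depth + 1)
        if name.startswith("exp="):
            continue                   # explanation text does not change the result
        if name == "all":
            matched = True
        elif name == "ip4":            # a bare address is treated as a /32 network
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name in ("a", "mx"):
            matched = ip in _hosts_of(arg or domain, name)
        elif name == "include":
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"         # unknown mechanism: the record is invalid
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                   # nothing matched and no "all" term present
```

The first term that matches decides the result, so the order of mechanisms in a record matters; a sender matched only by the trailing ~all gets softfail, which is what the article describes as being sent to spam.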
The return-path header is a standard email protocol field that contains the address that the recipient’s email service should send bounces and auto-replies to. To see the return-path header for an email you’ve sent, you’ll need to view your message headers. The exact steps for doing so depend on what email provider or service you use.
In Gmail, for example, select a message in your inbox and then click the three dots icon. Then, click Show original to open the full message header.
The SPF check is directly related to the domain from the return-path header in the email. That is, the recipient email service looks for and checks the return-path address of your email in the list of allowed IP addresses.
Make sure that the return-path header of outgoing emails from your domain contains the domain allowed in the SPF record.
Next we’ll look at creating an SPF record using the Selzy email service provider as an example.
For the next step, you will need access to edit the DNS records of the domain.
To check if you have set it up correctly, use online tools to verify SPF or look up DNS records:
Let’s take MxToolbox as an example. In the search box, enter your domain. Click the button next to it so that a drop-down menu appears, and choose SPF Record Lookup.
In the output you either get a positive result with all records from the DNS zone, or the program will report that nothing is found.
You can also check if the SPF record is correct using a free syntax checker. Go to SPF Syntax Validator, insert the SPF record and press Enter.
If a green message appears after checking, the syntax is correct.
If it’s red, there is an error, and you need to check whether the SPF record was created correctly.