The Sender Policy Framework (SPF) is an email-authentication technique which is used to prevent spammers from sending messages on behalf of your domain. With SPF an organization can publish authorized mail servers. Together with the DMARC related information, this gives the receiver (or receiving systems) information on how trustworthy the origin of an email is. SPF is, just like DMARC, an email authentication technique that uses DNS (Domain Name Service). This gives you, as an email sender, the ability to specify which email servers are permitted to send email on behalf of your domain.
SPF was mentioned for the first time in 2000. In the following years, the SPF specification developed in multiple drafts. Meanwhile, the original name SPF (Sender Permitted From) changed to Sender Policy Framework.
An SPF working group of IETF tried to combine SPF and Microsoft’s CallerID proposal. A next attempt was made with the “classic” version of SPF. This lead to the first experimental RFC in 2006 and, eventually in 2014 the proposed standard SPF, familiar under RFC 7208 in 2014.
Nowadays email authentication techniques such as SPF have evolved and lead to techniques such as DKIM and DMARC. SPF still fulfills an important role to determine whether an email is DMARC Compliant.
An SPF record is a DNS record that has to be added to the DNS zone of your domain. In this SPF record, you can specify which IP addresses and/or hostnames are authorized to send email from the specific domain.
The mail receiver will use the “envelope from” address of the mail (mostly the Return-Path header) to confirm that the sending IP address was allowed to do so. This will happen before receiving the body of the message. When the sending email server isn’t included in the SPF record from a specific domain the email from this server will be marked as suspicious and can be rejected by the email receiver.
What SPF doesn’t do
SPF is a great technique to add authentication to your emails. However, it has some limitations which you need to be aware of.
- SPF does not validate the “From” header. This header is shown in most clients as the actual sender of the message. SPF does not validate the “header from”, but uses the “envelope from” to determine the sending domain
- SPF will break when an email is forwarded. At this point the ‘forwarder’ becomes the new ‘sender’ of the message and will fail the SPF checks performed by the new destination.
- SPF lacks reporting which makes it harder to maintain
SPF and DMARC
SPF is one of the authentication techniques on which DMARC is based. DMARC uses the result of the SPF checks and add a check on the alignment of the domains to determine its results.