SPF - Sender Policy Framework

SPF - Sender Policy Framework

Email Message Structure

Short Definition:

email message structure email message structure

What is SPF (Sender Policy Framework)

If you send email from a custom domain (for example, @yourdomain.com), you can list the IP addresses of the mail servers authorized to send your mail. By checking your list of IP addresses, email services and ISPs can identify whether the message came from a trusted server.

More precisely: SPFv1 allows the owner of a domain to specify their mail sending policy, e.g. which mail servers they use to send mail from their domain. The technology requires two sides to play together:

  1. the domain owner publishes this information in an SPF record in the domain's DNS zone , and when someone else's mail server receives a message claiming to come from that domain, then
  2. the receiving server can check whether the message complies with the domain's stated policy. If, e.g., the message comes from an unknown server, it can be considered a fake.

how SPF work how SPF work

How does SPF work

First, you must create an SPF record that lists the IP addresses of the mail servers authorized to send mail from your domain. Then you're ready to send messages with SPF as follows:

  • You send an email, for example, from the address you@yourdomain.com. Suppose the message is sent from one of your authorized email servers with the IP address
  • When the email arrives, the receiving mail server checks the sender's address in the **Return-Path** (also known as **MAIL FROM**) field of the email header and looks up the SPF record for your domain (in this example, yourdomain.com).
  • The receiving mail server checks whether the IP address from which the mail was sent ( is listed in your SPF record.
  • If the IP address is listed, the message passes SPF; if it isn't, it fails.

example: How SPF (Sender Policy Framework) works example: How SPF (Sender Policy Framework) works

What is an SPF record

Let's look at an example to give you an idea of how SPF works. Bob owns the domain example.net. He also sometimes sends mail through his Gmail account and contacted GMail's support to identify the correct SPF record for GMail . Since he often receives bounces about messages he didn't send, he decides to publish an SPF record in order to reduce the abuse of his domain in e-mail envelopes:

example.net.  TXT  "v=spf1 mx ip4: a:pluto.example.net include:_spf.google.com -all"

The parts of the SPF record mean the following:

SPF DNS key Description
v=spf1 SPF version 1SPF version 1
mx the incoming mail servers (MXes) of the domain are authorized to also send mail for example.net
ip4 The IP address(es) of the servers authorized to send email from your domain. They can be IPv4 or IPv6 addresses; IPv6 addresses use the tag ip6.
a:pluto.example.net the machine pluto.example.net is authorized, too
include:_spf.google.com everything considered legitimate by gmail.com is legitimate for example.net, too
-all all other machines are NOT authorized.

How SPF differs from DKIM and DMARC

SPF and mail forwarding

When forwarding a message, if the sending mail server replaces the original sender's email address in the Return-Path (MAIL FROM) field with the forwarder's address, the receiving server will check the SPF record of the forwarder's domain. In this case, the message should pass SPF.

But not all email platforms rewrite the Return-Path field when forwarding. If the mail server preserves the original sender's address in the Return-Path field, the receiving mail server will check the original sender's SPF record. As this doesn't include the IP address of the forwarding server, the message fails.

Fortunately, if an email fails SPF, it may still pass the DKIM check because DKIM verifies a message's content, not its sending IP address. As long as you don't change the content and structure of the original message, it should pass DKIM.

Why use SPF

Along with DKIM and DMARC , SPF is one of the main ways you can protect your domain and ensure your emails get delivered. Here's why you should use it: Beat spammers and scammers

SPF makes it harder for cybercriminals to send messages pretending to be from your domain (email spoofing ). Specifying trusted mail servers with SPF helps to prevent fraudsters from using your domain for spam and phishing attacks.

SPF helps ISPs and email platforms identify legitimate emails. So using SPF increases the chances of your messages being delivered instead of ending up in the spam folder. The more your emails pass authentication checks like SPF, the more you improve your domain's reputation with email platforms. So SPF can help improve your emails deliverability in the long run.



comments powered by Disqus