What is SPF? Sender Policy Framework (SPF) explained

What is SPF: Technical overview

What is SPF? Sender Policy Framework (SPF) is an email authentication method created to prevent email spoofing. It does this by allowing domain owners to specify which email servers are authorized to send email on behalf of their domain. This is achieved by publishing a special TXT record – known as an SPF record – in the DNS. A record will typically have the following structure:
Host Type Value
@ TXT v=spf1 [mechanisms] [qualifiers]
Here is an example of what a record might look like:
Host Type Value
@ TXT v=spf1 mx include:spf.protection.outlook.com ~all
Each part of the record plays a specific role in defining the domain’s email-sending policies. Below, we explain what makes up the record.

Mechanisms in SPF records

SPF records use a set of mechanisms to define which email servers are authorized to send email on behalf of a domain. These mechanisms decide how the receiving email server validates the sender’s IP address. The most commonly used mechanisms include:
  • ip4 & ip6: Specifies authorized IPv4 and IPv6 addresses.
  • a: Authorizes any IP address associated with the domain’s A or AAAA DNS records.
  • mx: Authorizes IP addresses of the domain’s Mail Exchange (MX) servers.
  • include: References the SPF record of another domain. This is commonly used when third-party providers are authorized to send emails on behalf of the domain.

Qualifiers in SPF records

Qualifiers determine how the receiving server should handle emails that don’t match the specified mechanisms:
  • +all: Pass (the email is accepted even if it doesn’t match any mechanism)
  • -all: Fail (the email is rejected if it doesn’t match any mechanism)
  • ~all: Softfail (the email is accepted but marked as suspicious if it doesn’t match any mechanism)
  • ?all: Neutral (the email isn’t accepted or rejected – this qualifier treats the message as if there’s no SPF policy)

Modifiers in SPF records

Modifiers in SPF records provide extra functionality. They help enhance the flexibility and clarity of SPF policies. The two commonly used modifiers are:
  1. redirect: Redirects the SPF check to another domain’s policy. This is useful when a domain’s email policy is fully managed by another domain.
  2. exp: Defines a custom message that can be shown when an SPF check fails, helping explain why the email was rejected.

What is SPF: Process

The SPF process involves a few key steps to authenticate emails and protect them against spoofing:
  1. SPF record creation: The domain owner creates an SPF record that lists all servers authorized to send email on behalf of the domain. This record is then published in the domain’s DNS.
  2. Email sending: When an email is sent, the receiving server performs a DNS lookup to find the domain’s SPF record.
  3. SPF check: The receiving server compares the sender’s IP address against the authorized sources listed in the SPF record.
  4. Action based on qualifier: Based on the result of the SPF check and the qualifier in the record, the receiving server will accept, reject, or flag the email as suspicious.
    5. Want to learn more?
Book a demo

What is SPF: Integrations

SPF works alongside other email authentication protocols like DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to provide a more comprehensive approach to email security. When implemented together, these protocols help protect domains from spoofing, phishing, and other types of email-based attacks.
  • DKIM: DKIM adds a digital signature to each outgoing email, allowing the receiving server to verify that the message wasn’t altered.
  • DMARC: DMARC builds on both SPF and DKIM by allowing domain owners to define a policy for how receiving servers should handle emails that fail authentication checks.
Understanding the technical details of SPF is essential for effective implementation and seamless integration with DKIM and DMARC. When properly configured, these protocols work together to significantly reduce cyber risks related to email.

What is SPF: FAQs

What is SPF?

What is SPF? Sender Policy Framework (SPF) is an email authentication protocol that enables domain owners to specify which IP addresses are authorized to send emails on behalf of their domain. This helps prevent email spoofing and improves the trustworthiness of outgoing messages.

SPF works by using a DNS TXT record to list the servers that are allowed to send emails from a domain. When an email is received, the recipient’s email server performs a DNS lookup and checks the sender’s IP address against the SPF record to verify whether the email is legitimate.
SPF is best used to prevent email spoofing and phishing because it only allows authorized servers to send emails from a domain. It also helps ISPs and email platforms validate incoming emails and filter out unauthorized messages.
The limitations of SPF include its inability to handle email forwarding, which can cause legitimate emails to fail SPF checks. SPF records must be updated regularly to remain accurate, which can be time-consuming. SPF is also subject to a 10 DNS lookup limit, which may require SPF flattening to manage complex records.
Organizations can’t have multiple SPF records for a single domain. Instead, all authorized IP addresses and mechanisms must be included within one SPF record. Having multiple records will cause SPF validation to fail.

SPF integrates with DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to provide layered email authentication. DKIM uses cryptographic signatures to confirm email content integrity, while DMARC combines the results of SPF and DKIM checks and allows domain owners to set policies for handling authentication failures.

It is important to keep SPF records updated to ensure that all authorized email-sending servers are correctly listed. Outdated records can result in legitimate emails being rejected or marked as Spam by receiving servers, affecting deliverability and email reputation.
Ready to safeguard your business’s domain? Contact us today to get started!
Book a demo

Resources

Knowledgebase

Sendmarc logo
Sendmarc Soc2 Compliance badge
certification badge for ISO/IEC 27001:2022
G2 High Performer Badge - Winter 2025

How secure is your brand name from email scammers?

If you’re at risk of impersonation, one of our experts will be in touch to assist.

Linkedin-in Youtube X-twitter Facebook-f

Platform & Services

Company

Platform & Services

Resources