[elementor-element data="eyJpZCI6IjNhZjZmZDkiLCJlbFR5cGUiOiJjb250YWluZXIiLCJzZXR0aW5ncyI6eyJfdGl0bGUiOiJpdGVtICMxIiwiY29udGVudF93aWR0aCI6ImZ1bGwiLCJodG1sX3RhZyI6ImRpdiIsImJvcmRlcl9ib3JkZXIiOiJub25lIn0sImVsZW1lbnRzIjpbeyJpZCI6Ijg1YTQ4ZTQiLCJlbFR5cGUiOiJ3aWRnZXQiLCJzZXR0aW5ncyI6eyJlZGl0b3IiOiI8cD5XaGF0IGlzIFNQRj8gU2VuZGVyIFBvbGljeSBGcmFtZXdvcmsgKFNQRikgaXMgYW4gZW1haWwgYXV0aGVudGljYXRpb24gcHJvdG9jb2wgdGhhdCBlbmFibGVzIGRvbWFpbiBvd25lcnMgdG8gc3BlY2lmeSB3aGljaCBJUCBhZGRyZXNzZXMgYXJlIGF1dGhvcml6ZWQgdG8gc2VuZCBlbWFpbHMgb24gYmVoYWxmIG9mIHRoZWlyIGRvbWFpbi4gVGhpcyBoZWxwcyBwcmV2ZW50IGVtYWlsIHNwb29maW5nIGFuZCBpbXByb3ZlcyB0aGUgdHJ1c3R3b3J0aGluZXNzIG9mIG91dGdvaW5nIG1lc3NhZ2VzLjxcL3A+IiwiX19nbG9iYWxzX18iOnsidHlwb2dyYXBoeV90eXBvZ3JhcGh5IjoiZ2xvYmFsc1wvdHlwb2dyYXBoeT9pZD10ZXh0In0sIl9wYWRkaW5nIjp7InVuaXQiOiJweCIsInRvcCI6IjAiLCJyaWdodCI6IjAiLCJib3R0b20iOiIwIiwibGVmdCI6IjIyIiwiaXNMaW5rZWQiOmZhbHNlfX0sImVsZW1lbnRzIjpbXSwid2lkZ2V0VHlwZSI6InRleHQtZWRpdG9yIn1dLCJpc0lubmVyIjp0cnVlLCJpc0xvY2tlZCI6dHJ1ZX0="]

[elementor-element data="eyJpZCI6Ijg0MmZiOGIiLCJlbFR5cGUiOiJjb250YWluZXIiLCJzZXR0aW5ncyI6eyJfdGl0bGUiOiJpdGVtICMxIiwiY29udGVudF93aWR0aCI6ImZ1bGwiLCJodG1sX3RhZyI6ImRpdiIsImJvcmRlcl9ib3JkZXIiOiJub25lIn0sImVsZW1lbnRzIjpbeyJpZCI6ImQ1NmQ0YTgiLCJlbFR5cGUiOiJ3aWRnZXQiLCJzZXR0aW5ncyI6eyJlZGl0b3IiOiJTUEYgd29ya3MgYnkgdXNpbmcgYSBETlMgVFhUIHJlY29yZCB0byBsaXN0IHRoZSBzZXJ2ZXJzIHRoYXQgYXJlIGFsbG93ZWQgdG8gc2VuZCBlbWFpbHMgZnJvbSBhIGRvbWFpbi4gV2hlbiBhbiBlbWFpbCBpcyByZWNlaXZlZCwgdGhlIHJlY2lwaWVudCdzIGVtYWlsIHNlcnZlciBwZXJmb3JtcyBhIEROUyBsb29rdXAgYW5kIGNoZWNrcyB0aGUgc2VuZGVyXHUyMDE5cyBJUCBhZGRyZXNzIGFnYWluc3QgdGhlIFNQRiByZWNvcmQgdG8gdmVyaWZ5IHdoZXRoZXIgdGhlIGVtYWlsIGlzIGxlZ2l0aW1hdGUuIiwiX19nbG9iYWxzX18iOnsidHlwb2dyYXBoeV90eXBvZ3JhcGh5IjoiZ2xvYmFsc1wvdHlwb2dyYXBoeT9pZD10ZXh0In0sIl9wYWRkaW5nIjp7InVuaXQiOiJweCIsInRvcCI6IjAiLCJyaWdodCI6IjAiLCJib3R0b20iOiIwIiwibGVmdCI6IjIyIiwiaXNMaW5rZWQiOmZhbHNlfX0sImVsZW1lbnRzIjpbXSwid2lkZ2V0VHlwZSI6InRleHQtZWRpdG9yIn1dLCJpc0lubmVyIjp0cnVlLCJpc0xvY2tlZCI6dHJ1ZX0="]

What is SPF? Sender Policy Framework (SPF) explained

What is SPF: Technical overview

What is SPF? Sender Policy Framework (SPF) is an email authentication method created to prevent email spoofing. It does this by allowing domain owners to specify which email servers are authorized to send email on behalf of their domain. This is achieved by publishing a special TXT record – known as an SPF record – in the DNS. A record will typically have the following structure:

Host	Type	Value
@	TXT	`v=spf1 [mechanisms] [qualifiers]`

Here is an example of what a record might look like:

Host	Type	Value
@	TXT	`v=spf1 mx include:spf.protection.outlook.com ~all`

Each part of the record plays a specific role in defining the domain’s email-sending policies. Below, we explain what makes up the record.

Mechanisms in SPF records

SPF records use a set of mechanisms to define which email servers are authorized to send email on behalf of a domain. These mechanisms decide how the receiving email server validates the sender’s IP address. The most commonly used mechanisms include:

ip4 & ip6: Specifies authorized IPv4 and IPv6 addresses.
a: Authorizes any IP address associated with the domain’s A or AAAA DNS records.
mx: Authorizes IP addresses of the domain’s Mail Exchange (MX) servers.
include: References the SPF record of another domain. This is commonly used when third-party providers are authorized to send emails on behalf of the domain.

Qualifiers in SPF records

Qualifiers determine how the receiving server should handle emails that don’t match the specified mechanisms:

+all: Pass (the email is accepted even if it doesn’t match any mechanism)
-all: Fail (the email is rejected if it doesn’t match any mechanism)
~all: Softfail (the email is accepted but marked as suspicious if it doesn’t match any mechanism)
?all: Neutral (the email isn’t accepted or rejected – this qualifier treats the message as if there’s no SPF policy)

Modifiers in SPF records

Modifiers in SPF records provide extra functionality. They help enhance the flexibility and clarity of SPF policies. The two commonly used modifiers are:

redirect: Redirects the SPF check to another domain’s policy. This is useful when a domain’s email policy is fully managed by another domain.
exp: Defines a custom message that can be shown when an SPF check fails, helping explain why the email was rejected.

What is SPF: Process

The SPF process involves a few key steps to authenticate emails and protect them against spoofing:

SPF record creation: The domain owner creates an SPF record that lists all servers authorized to send email on behalf of the domain. This record is then published in the domain’s DNS.
Email sending: When an email is sent, the receiving server performs a DNS lookup to find the domain’s SPF record.
SPF check: The receiving server compares the sender’s IP address against the authorized sources listed in the SPF record.
Action based on qualifier: Based on the result of the SPF check and the qualifier in the record, the receiving server will accept, reject, or flag the email as suspicious.

Want to learn more?

What is SPF: Integrations

SPF works alongside other email authentication protocols like DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to provide a more comprehensive approach to email security. When implemented together, these protocols help protect domains from spoofing, phishing, and other types of email-based attacks.

DKIM: DKIM adds a digital signature to each outgoing email, allowing the receiving server to verify that the message wasn’t altered.
DMARC: DMARC builds on both SPF and DKIM by allowing domain owners to define a policy for how receiving servers should handle emails that fail authentication checks.

Understanding the technical details of SPF is essential for effective implementation and seamless integration with DKIM and DMARC. When properly configured, these protocols work together to significantly reduce cyber risks related to email.

What is SPF: FAQs

What is SPF?

What is SPF? Sender Policy Framework (SPF) is an email authentication protocol that enables domain owners to specify which IP addresses are authorized to send emails on behalf of their domain. This helps prevent email spoofing and improves the trustworthiness of outgoing messages.

How does SPF work?

SPF works by using a DNS TXT record to list the servers that are allowed to send emails from a domain. When an email is received, the recipient’s email server performs a DNS lookup and checks the sender’s IP address against the SPF record to verify whether the email is legitimate.

What is SPF best for?

SPF is best used to prevent email spoofing and phishing because it only allows authorized servers to send emails from a domain. It also helps ISPs and email platforms validate incoming emails and filter out unauthorized messages.

What are the limitations of SPF?

The limitations of SPF include its inability to handle email forwarding, which can cause legitimate emails to fail SPF checks. SPF records must be updated regularly to remain accurate, which can be time-consuming. SPF is also subject to a 10 DNS lookup limit, which may require SPF flattening to manage complex records.

Can organizations have multiple SPF records on a single domain?

Organizations can’t have multiple SPF records for a single domain. Instead, all authorized IP addresses and mechanisms must be included within one SPF record. Having multiple records will cause SPF validation to fail.

How does SPF integrate with other protocols?

SPF integrates with DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to provide layered email authentication. DKIM uses cryptographic signatures to confirm email content integrity, while DMARC combines the results of SPF and DKIM checks and allows domain owners to set policies for handling authentication failures.

Why is it important to keep SPF records updated?

It is important to keep SPF records updated to ensure that all authorized email-sending servers are correctly listed. Outdated records can result in legitimate emails being rejected or marked as Spam by receiving servers, affecting deliverability and email reputation.

Ready to safeguard your business’s domain? Contact us today to get started!

What is SPF? Sender Policy Framework (SPF) explained

What is SPF: Technical overview

Mechanisms in SPF records

Qualifiers in SPF records

Modifiers in SPF records

What is SPF: Process

What is SPF: Integrations

What is SPF: FAQs

Resources

Knowledgebase

How secure is your brand name from email scammers?

Platform & Services

Company

Resources

What is SPF? Sender Policy Framework (SPF) explained

What is SPF: Technical overview

Mechanisms in SPF records

Qualifiers in SPF records

Modifiers in SPF records

What is SPF: Process

What is SPF: Integrations

What is SPF: FAQs

Resources

Knowledgebase

Related blog articles

How secure is your brand name from email scammers?

Platform & Services

Company

Resources