What is an SPF Record?
Sender Policy Framework (SPF) is an email authentication technique intended to stop spammers from sending mail that claims to come from your domain. With SPF, a domain owner publishes the list of mail servers authorized to send on the domain's behalf. Together with DMARC, it gives receiving systems a way to judge whether a message genuinely originates from the domain it claims to come from. Like DMARC, SPF is carried in DNS (the Domain Name System): the policy is published as a TXT record at the domain, and receivers look it up to decide which servers are permitted to send email for that domain.
History of SPF (Sender Policy Framework)
SPF was first proposed in 2000. Over the following years the specification developed slowly through multiple drafts, and the original name "Sender Permitted From" was changed to "Sender Policy Framework".
An IETF working group (MARID) once tried to merge SPF with Microsoft's Caller ID proposal; that effort was abandoned, and the "classic" version of SPF was pursued instead. This led to the first, experimental RFC in 2006 (RFC 4408) and, in 2014, to the proposed standard that SPF is known under today, RFC 7208.
Since then email authentication has evolved into complementary techniques such as DKIM and DMARC. SPF still plays an important role, however: a DMARC pass requires that SPF or DKIM passes and that the passing identifier aligns with the header From domain, so SPF remains one of the two ways to make an email DMARC compliant.
Examples of standard SPF records (abc.com is a placeholder domain; 192.0.2.0/24 is an RFC 5737 documentation range standing in for your own server's address, which the original second example left blank):
abc.com. IN TXT "v=spf1 mx a:abc.com ~all"
abc.com. IN TXT "v=spf1 ip4:192.0.2.0/24 mx mx:abc.com a -all"
The first record authorizes the domain's MX hosts and the address records of abc.com itself, and asks receivers to treat anything else as a softfail (~all). The second adds an explicit IPv4 range and ends in a hard fail (-all). Note that "mx" and "mx:abc.com" are equivalent here because the record belongs to abc.com, and a bare "a" means the A/AAAA records of the domain the record is published on.
SPF in practice
The receiving mail server takes the domain from the envelope sender (the SMTP MAIL FROM address, which the final receiver later records in the Return-Path header; if MAIL FROM is empty, as it is for bounces, the HELO/EHLO host name is used instead), looks up that domain's SPF record and checks whether the connecting IP address is authorized by it. Because MAIL FROM is transmitted before the message body, the check can run, and the message can be rejected, before the body is ever transferred. If the record does not list the sending server, the result is softfail (~all) or fail (-all), and the receiver may mark the message as suspicious, quarantine it or reject it outright, depending on its own policy and, where one is published, the domain's DMARC policy.
What SPF doesn’t do
- It does not validate the "From" header. Most mail clients display that header as the sender of the message, but SPF never looks at it; it uses the "envelope from" (MAIL FROM) to determine the domain to check. A message can therefore pass SPF while showing an arbitrary domain in From:, which is why DMARC adds the alignment requirement.
- SPF breaks when an email is forwarded. The forwarder's server becomes the new sending host for the message, but the envelope sender domain is unchanged, so the receiver checks the forwarder's IP against the original domain's record and the check fails.
- It has no reporting mechanism. A domain owner gets no feedback on which senders fail SPF, which makes the record harder to maintain; DMARC aggregate reports fill this gap.
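The check described under "SPF in practice" and the first two limitations above (envelope sender, not header From; forwarding) can be seen in working code. The evaluator below is an added example written for this page, not code from the original article or from any SPF library. The domains, IP addresses and DNS answers are constructed (RFC 5737 documentation ranges) and served from an in-memory table so it runs offline; macros, dual-CIDR suffixes, the exists mechanism and temperror handling are left out.

```python
"""Minimal SPF (RFC 7208) evaluator with an offline, constructed DNS table.

Added illustration for this page, not code from the original article.
Domains, IPs and DNS answers are made up (RFC 5737 documentation ranges).
Not modelled: macros, dual-CIDR suffixes, 'exists', temperror.
"""
import ipaddress

# Constructed DNS data standing in for real lookups.
DNS = {
    ("abc.com", "TXT"): ["v=spf1 mx a:abc.com include:_spf.bulkmail.example ~all"],
    ("abc.com", "MX"): ["mail.abc.com"],
    ("mail.abc.com", "A"): ["192.0.2.10"],
    ("abc.com", "A"): ["192.0.2.20"],
    ("_spf.bulkmail.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("strict.example", "TXT"): ["v=spf1 ip4:203.0.113.5 -all"],
    ("alias.example", "TXT"): ["v=spf1 redirect=strict.example"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],  # blows the lookup limit
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: a, mx, include and redirect each count


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def spf_identity(mail_from, helo):
    """The domain SPF is evaluated against comes from the SMTP envelope
    (MAIL FROM), never from the message's From: header. An empty MAIL FROM
    (the <> used for bounces) falls back to the HELO/EHLO host name."""
    if not mail_from:
        return helo.lower()
    return mail_from.rsplit("@", 1)[-1].lower()


def spf_record(domain):
    """Return the single v=spf1 TXT record for domain, or None if absent."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    return recs[0] if len(recs) == 1 else None


def hosts_match(addr, hosts):
    """True if addr is among the address records of any listed host."""
    rtype = "A" if addr.version == 4 else "AAAA"
    return any(ipaddress.ip_address(a) == addr for h in hosts for a in lookup(h, rtype))


def check_spf(ip, domain, _budget=None):
    """Evaluate domain's SPF record for the connecting address ip.

    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    budget = _budget if _budget is not None else [MAX_LOOKUPS]
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                       # modifier, e.g. redirect=, exp=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed address or prefix
        elif name in ("a", "mx", "include"):
            budget[0] -= 1                   # each of these is a DNS-querying term
            if budget[0] < 0:
                return "permerror"
            target = arg or domain
            if name == "a":
                matched = hosts_match(addr, [target])
            elif name == "mx":
                matched = hosts_match(addr, lookup(target, "MX"))
            else:                            # include: recursive evaluation
                sub = check_spf(ip, target, budget)
                if sub in ("none", "permerror"):
                    return "permerror"       # RFC 7208 section 5.2
                matched = sub == "pass"
        else:
            return "permerror"               # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    if redirect:                             # only reached when nothing matched
        budget[0] -= 1
        if budget[0] < 0:
            return "permerror"
        sub = check_spf(ip, redirect, budget)
        return "permerror" if sub == "none" else sub
    return "neutral"


def forwarding_breaks_spf():
    """Mail from abc.com's own MX passes; the identical message relayed by a
    forwarder (203.0.113.77, absent from abc.com's record) is checked against
    the forwarder's IP and gets softfail because the record ends in ~all."""
    return check_spf("192.0.2.10", "abc.com"), check_spf("203.0.113.77", "abc.com")


if __name__ == "__main__":
    print(spf_identity("", "mail.abc.com"))                          # mail.abc.com
    print(check_spf("198.51.100.7", spf_identity("news@abc.com", "x")))  # pass (via include)
    print(check_spf("203.0.113.6", "strict.example"))                 # fail
    print(check_spf("10.0.0.1", "loop.example"))                      # permerror
    print(forwarding_breaks_spf())                                    # ('pass', 'softfail')
```

The shared lookup budget is passed down through include and redirect so that a chain of includes, or a self-referencing record like loop.example, stops at the tenth DNS-querying term with permerror, as a real receiver would. Replace the DNS table with a resolver call to run it against live records.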
SPF and DMARC
This is what it looks like in Cloudflare when you add an SPF record to the DNS (the record is added as a TXT record at the domain name itself).