What is SPF?
SPF is an email authentication method which allows a domain to specify a list of email servers that are approved to send email for the domain. Specifically, it defines which email servers can "originate" the email message. SPF stands for Sender Policy Framework.
When an email is received, the receiving email server looks up the sending domain's DNS for an SPF record. If the IP address of the server that delivered the email is in the list of approved servers, the SPF check will "pass"; otherwise it will "fail".
When combined with DKIM and DMARC, SPF plays a role in preventing email spoofing from being effective.
Shortfalls
SPF is not sufficient on its own to prevent email spoofing.
SPF validates the envelope sender address (the SMTP "MAIL FROM", often called the "Envelope-From") to decide whether the sending server is authorized. This is not the address that is displayed to users: the "From" header is still able to be spoofed by attackers, and SPF never looks at it. In order to protect against this, it's essential to also use DKIM and DMARC.
Legitimate forwarded emails can fail SPF
Sometimes email recipients will have their messages forwarded to a different address. Depending on how the forwarding is done, the forwarding server's IP address is what the final recipient sees, so an SPF "fail" policy may inadvertently reject a legitimate message and cause it to not be delivered.
For this reason, we recommend setting your SPF policy to "Soft Fail" any messages that don't match your approved senders list. This way, while the receiving email server may consider SPF to have failed, it will not reject the message based on that alone. We want to leave potential rejection up to your DMARC policy instead. When combined with DKIM, this situation will be handled gracefully assuming everything is configured properly.
Example SPF Configuration
SPF is configured in your domain's DNS. Below is an example of what a basic configuration looks like:
v=spf1 include:_spf.google.com include:amazonses.com +mx +ip4:74.125.201.18 ~all
Let's break it down:
v=spf1: This is the SPF protocol version. Only spf1 exists right now.
include:_spf.google.com: Allow the servers that are specified in the SPF record at _spf.google.com
include:amazonses.com: Allow the servers that are specified in the SPF record at amazonses.com
+mx: Allow all MX (mail exchanger) servers specified in the domain's DNS to also send mail
+ip4:74.125.201.18: Allow the server 74.125.201.18 to send mail
~all: SoftFail - meaning if nothing above matches, the SPF check will fail, but the message will not be instantly rejected. Rather, your DMARC policy should be used to determine the action.
There are more possible SPF configuration options, but that's beyond the scope of this document. For many people, their email hosting provider will provide them with the SPF record/configuration they should use, or may even help them determine the right configuration given their email setup.
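To make the evaluation order and the "Soft Fail" behaviour concrete, here is an added example (not code from this article) of a small SPF evaluator that walks the example record above, term by term, against a sending IP address. DNS is replaced by constructed in-memory tables: the sending domain is assumed to be example.com, and the records shown for _spf.google.com and amazonses.com are made-up stand-ins, not those providers' real records. It also illustrates the shortfall described earlier: the check only takes the connecting IP and the envelope sender's domain, so the displayed "From" header never enters into the decision.

```python
import ipaddress

# Constructed stand-ins for DNS (example values only, not real records).
# TXT holds SPF records, MX maps a domain to its mail exchangers, A maps hosts to addresses.
TXT = {
    "example.com": "v=spf1 include:_spf.google.com include:amazonses.com +mx +ip4:74.125.201.18 ~all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 -all",   # constructed, not Google's real record
    "amazonses.com": "v=spf1 ip4:198.51.100.0/24 -all",    # constructed, not Amazon's real record
}
MX = {"example.com": ["mail.example.com"]}
A = {"mail.example.com": ["192.0.2.25"]}

# Qualifier prefix -> SPF result when the mechanism matches; "+" is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, txt=TXT, mx=MX, a=A, lookups=None):
    """Evaluate the SPF record of `domain` (the envelope sender's domain)
    for a message delivered from the IP address `ip`."""
    # Counter shared across include: recursion; RFC 7208 caps DNS-querying
    # mechanisms (include, mx, a, exists, ptr) at 10 per check.
    lookups = [0] if lookups is None else lookups
    record = txt.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("mx", "include"):
            lookups[0] += 1
            if lookups[0] > 10:
                return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # A bare address becomes a /32 (or /128); version mismatch never matches.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            hosts = mx.get(arg or domain, [])
            matched = any(str(addr) in a.get(h, []) for h in hosts)
        elif name == "include":
            # include: only matches when the referenced record yields "pass".
            matched = check_host(ip, arg, txt, mx, a, lookups) == "pass"
        else:
            # a, exists, ptr, redirect= and exp= are left out of this illustration.
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without any matching term

if __name__ == "__main__":
    for sender in ["74.125.201.18", "203.0.113.7", "192.0.2.25", "192.0.2.99"]:
        print(sender, "->", check_host(sender, "example.com"))
```

The last sample address, 192.0.2.99, stands in for a forwarding server that is not on the list: because the record ends in ~all the result is "softfail" rather than "fail", which is exactly the situation where you want DMARC (with DKIM) to make the final call instead of the receiver rejecting on SPF alone. Changing the record's last term to -all would turn that same result into "fail".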
We are here to help our customers configure their SPF settings as well, according to their individual needs.