What is SPF?

Sender Policy Framework (SPF) is a path-based email authentication technique that helps the receiving mail server detect spoofed sender addresses during email delivery.

Why is SPF important?

SPF has become vital for verifying which sending infrastructure can relay email on behalf of a domain. Implementing SPF for email will increase domain reputation and email protection. A valid SPF record will help protect against domain impersonation and email spoofing.

How does SPF work?


SPF is designed to help identify valid mail servers. Essentially, it is a DNS record, published by the domain owner, that lists the trusted servers from which the domain's emails can be sent.

To set up your SPF policy, you must publish it as a TXT record in your DNS. It works as an allow list for your domain, in which you declare where emails from your domain can originate. This policy does not prevent spoofed emails from being sent in your name, but it allows receiving email servers to verify whether an email was sent from a legitimate source that you own.


High-Level Explanation

  1. The domain owner publishes an SPF record at the domain's name server.
  2. The receiving email server receives incoming mail from the domain.
  3. The receiving email server performs SPF checks to determine whether the sending email server is an approved sender for the domain.
  4. The receiving email server applies an action according to the SPF record.
    1. Approved: Direct mail to recipient’s inbox.
    2. Unapproved: Apply SPF policy action (Neutral, Soft Fail, Hard Fail)
      1. Neutral: Direct mail to recipient’s inbox.
      2. Soft Fail: Direct mail to recipient’s junk or spam folder.
      3. Hard Fail: Block unqualified emails from getting to the recipient.
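
Steps 3 and 4 as an added example (not part of the original page): a simplified SPF evaluator that handles only the ip4, ip6, include and all mechanisms and maps each result to the actions listed above. The domains, the records in ZONE (a dict standing in for DNS TXT lookups) and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample zone standing in for DNS TXT lookups (documentation addresses only).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 -all",
    "strict.example": "v=spf1 ip4:203.0.113.5 -all",
    "open.example": "v=spf1 ip4:203.0.113.5 ?all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Delivery actions as the list above describes them.
ACTIONS = {"pass": "inbox", "neutral": "inbox", "softfail": "junk", "fail": "block"}

def check_host(ip, domain, zone=ZONE, depth=0):
    """Return the SPF result for a connecting IP against the domain's record."""
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"            # no SPF policy published
    if depth > 10:               # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"          # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include matches only when the included record evaluates to pass
            matched = check_host(ip, value, zone, depth + 1) == "pass"
        else:
            continue             # a, mx, exists, redirect= are omitted in this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"             # nothing matched and no "all" term present

def delivery_action(ip, domain):
    """Return (SPF result, action); action is None when no policy applies."""
    result = check_host(ip, domain)
    return result, ACTIONS.get(result)
```

The first matching mechanism decides the result, so the qualifier on the trailing `all` term (`?`, `~` or `-`) is what selects Neutral, Soft Fail or Hard Fail for every sender not listed earlier in the record.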




Adoption Statistics

  1. Darkreading: Anti-Spoofing for Email Gains Adoption, but Enforcement Lags

