Casbay Knowledge Base

Search our articles or browse by category below

SPF Record

Last modified: October 1, 2022
Estimated reading time: 2 min

What is an SPF Record?

The SPF (Sender Policy Framework) is an email authentication technique that is used to prevent spammers from sending messages on behalf of your domain. An organization can publish authorized mail servers with the aids of SPF. Together with the information relating to DMARC, it gives the receiver/ receiving systems information on the originality of an email. Just like DMARC, SPF is an email authentication technique that uses DNS (Domain Name Service). This enables you to specify which email servers are permitted to send emails on behalf of your domain.

History of SPF (Sender Policy Framework )

Initially, SPF was mentioned in 2000. In the following years, the SPF specification slowly developed in multiple drafts. Meanwhile, the original name “Sender Permitted From” has been changed to “Sender Policy Framework”.

An SPF working group of IETF once tried to combine SPF and Microsoft’s CallerID proposal. They made their next attempt with the “classic” version of SPF. This lead to the first experimental RFC in 2006 and, in 2014 the proposed standard SPF, familiar under RFC 7208 in 2014.

Nowadays, email authentication techniques have evolved and lead to techniques such as DKIM and DMARC. However, SPF still fulfills an important role to determine whether an email is DMARC Compliant 

DMARC Analyzer uses SPF, DMARC, and DKIM.

Examples of Standard SPF records: 

“abc.com” IN TXT “v=spf1 mx a:abc.com ~all”

OR

“abc.com” IN TXT “v=spf1 ip4: mx mx:abc.com a: -all”

SPF in practice

An SPF record is a DNS record that you have to add to the DNS zone of your domain. In this SPF record, you can specify which IP addresses and/or hostnames are authorized to send email from the specific domain.

The mail receiver will use the “envelope from” address of the mail (mostly the Return-Path header) to confirm that the sending IP address was allowed to do so. This will happen before receiving the body of the message. When a specific domain does not include the sending email server the email from this server will be marked as suspicious. Eventually, the email server will reject it.

What SPF doesn’t do

SPF is a great technique to add authentication to your emails. However, it has some limitations which you need to be aware of.
  • it does not validate the “From” header. Most clients include the header as the actual sender of the message. SPF does not validate the “header from”, but uses the “envelope from” to determine the sending domain
  • SPF will break when you forward an email. At this point, the ‘forwarder’ becomes the new ‘sender’ of the message and will fail the SPF checks performed by the new destination.
  • lacks reporting which makes it harder to maintain

SPF and DMARC

SPF is one of the authentication techniques on which DMARC is based. DMARC uses the result of the SPF checks and adds a check on the alignment of the domains to determine its results.

This is what it looks like (in CloudFlare ) when you add an SPF Record to the DNS.

Was this article helpful?
Dislike 0
Previous: Windows Commands – Nslookup
Next: What is Reverse DNS or PTR Record ?