Introduction to SPF


What is SPF

Sender Policy Framework (SPF) is an email authentication mechanism which allows only authorized senders to send on behalf of a domain, and prevents unauthorized users from doing so. SPF allows the receiver to check that an email claiming to come from a specific domain indeed comes from an IP address authorized by that domain's administrators.

For example, when a mail server owned by a malicious scammer tries to send an email to your mailbox, claiming the email is from, and asks you for important, confidential information, it poses a serious security problem for your email service provider and you. If your email server doesn't perform any security check, this email lands right into your mailbox and might cause a financial loss.

SPF can put a stop to this. Here is how it works: assuming SPF has been set up on your email server's end, and the scam server has an IP address of When the scam server connects to your email server, your email server will check the incoming IP address to see if it's listed in the domain's SPF record published in the DNS. If the IP address is listed, the SPF check passes, otherwise not.

Think of the SPF record as a whitelist of legitimate IP addresses: SPF gives a green light only when an incoming email comes from one of those addresses.

How SPF improves deliverability

When an email message hits the receiving server, the server performs an SPF check on that message. If that message did come from an IP address specified in the SPF record, it passes the SPF check. This is called SPF authenticated.

In addition, if that message also has DMARC identifier alignment, which means the domain portion of the envelope from address aligns with the domain found in the header from address, the message is SPF aligned.

If an email message is SPF aligned, it's DMARC aligned. A DMARC aligned email message has a better chance to land in the inbox.

What SPF lacks

There are two from addresses involved in SPF: the envelope from address, which is specified by the MAIL FROM command in an SMTP session, and the header from address, which is the address specified in the From header field sent in the SMTP DATA command.

In an SPF check, SPF only authenticates the envelope from address, leaving the header from address unchecked. This means that attackers can still send the end user an email from one of the hosts on the whitelist with a spoofed header from address. In other words, the from field that end users see in their email client might be different from what has been authenticated by SPF. This pitfall can be avoided by enforcing the DMARC identifier alignment mentioned earlier.

Also, SPF doesn't have reporting capabilities built in. This means there is no way to obtain SPF authentication reports by itself. DMARC has introduced reporting capabilities to request reports containing such information.
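The envelope from versus header from gap described above, as an added example (not code from the original article): a Python sketch that evaluates an SPF record against the connecting IP address and then compares the envelope from domain with the header from domain. The domains, IP addresses, record, messages and function names are constructed for illustration; the DNS lookup is replaced by a dictionary, only the `ip4`, `ip6` and `all` mechanisms are handled, and alignment is an exact domain match.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data, using documentation domains and IP ranges only.
SPF_RECORDS = {"example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
SPOOFED = "From: Billing <billing@example.org>\nSubject: Invoice\n\nPlease pay.\n"
LEGIT = "From: News <news@example.com>\nSubject: Update\n\nHello.\n"


def domain_of(address):
    return address.rpartition("@")[2].lower()


def check_spf(client_ip, envelope_from, records=SPF_RECORDS):
    """Check the connecting IP against the envelope from domain's SPF record."""
    record = records.get(domain_of(envelope_from))  # stands in for the DNS TXT lookup
    if not record or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term[1:] if term[0] in QUALIFIERS else term
        name, _, value = mechanism.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include and similar mechanisms need live DNS; skipped in this sketch
    return "neutral"  # no mechanism matched


def evaluate(client_ip, envelope_from, raw_message):
    """SPF authenticates the envelope from; alignment compares it to the From header."""
    spf = check_spf(client_ip, envelope_from)
    header_from = parseaddr(message_from_string(raw_message).get("From", ""))[1]
    aligned = spf == "pass" and domain_of(envelope_from) == domain_of(header_from)
    return {"spf": spf, "header_from": header_from, "spf_aligned": aligned}


if __name__ == "__main__":
    print(evaluate("192.0.2.10", "bounce@example.com", SPOOFED))  # SPF passes, not aligned
    print(evaluate("192.0.2.10", "bounce@example.com", LEGIT))    # SPF passes and aligned
```

The first call shows a message that passes SPF on its own while the address shown to the user belongs to a different domain; the alignment comparison is what flags it.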

Common SPF errors and fixes

A failed SPF check returns one of the following possible values: none, neutral, fail (hard fail), softfail (soft fail), temperror (temporary error), and permerror (permanent error).

To learn what causes these errors and how to fix them, refer to Why SPF Authentication Fails: none, neutral, fail(hard fail), soft fail, temperror, and permerror Explained.

Tools to facilitate SPF implementation

Various tools exist to facilitate SPF implementation.

You can use Free SPF Checker to check if your SPF settings are correct.

This Free SPF Record Generator generates an SPF record with your settings.

Better yet, use our DMARC monitoring service to monitor your email authentication status including SPF to guarantee optimum email deliverability.
