Skip to main content

What Are Sender Policy Framework Records? What to Know About SPF

Discover what Sender Policy Framework (SPF) records are and how they help prevent email spoofing.

A sender policy framework (SPF) functions like an event guard stationed in your lobby. You provide a guest list, and the guard welcomes those with names on the list while everyone else waits for approval or gets turned away.

For example, a small business owner usually knows customers and suppliers by name, and you've seen their company logos, personnel, and other identifiers. However, email exchanges lack those visual cues of legitimacy.

The VP of Marketing for a medium-sized company may only know a handful of customers and suppliers by sight. So, instead, the VP relies on a receptionist to screen calls and visitors, only allowing those whose concerns cannot be delegated to junior staff members to speak directly.

In contrast, the CEO or owner of an international import/export company might only speak to someone scheduled well in advance. Moreover, anyone permitted to have an appointment must also have a concern vital to the entire company that only the CEO can handle, such as a VIP customer with a complicated contract.

In each of these situations, businesses must have some way to distinguish the genuine sender. Otherwise, your company could suffer a significant loss of reputation if a spammer, scammer, or bot impersonated you and gained access to your customer list or email server. Your sender policy framework provides that distinguishing factor.

Learn more about SPFs, including answers to your questions such as "What is an SPF record" and "How do you create an SPF record?", so you can leverage this security measure for your own company.

What are sender policy framework records?

An SPF record is essentially a digital ID verification system for your emails. It's a specific line of text (TXT) code added to your domain's DNS records that works behind the scenes to authenticate email senders and ensure they're coming from authorized IP addresses.

When properly configured, this record tells receiving email servers that the email comes from legitimate sources authorized to send emails from certain domains.

SPF authentication works by creating a list of approved IP addresses and server names that are permitted to send emails using your domain. When someone receives an email claiming to be from your domain, their email server automatically checks this SPF record to verify the sending server is on your approved list.

Here's how each element works:

  • Sender identification: The SPF record allows recipient servers to confirm an email truly originated from an authorized source and not from someone attempting to spoof your domain. This verification happens invisibly during email delivery.
  • Sender verification: Email systems can automatically check if the sending mail server's IP address matches what's listed in your SPF record, preventing unauthorized servers from successfully impersonating your domain in emails.
  • Return path verification: SPF provides a trusted route back to the authentic source if recipients have questions about your message or concerns about how their information is being used, enhancing accountability.

By implementing SPF records, you're essentially telling the world exactly which servers are allowed to send emails on your domain's behalf, creating a crucial first layer of email security and sender authentication.

Limitations of SPF: What SPF can't do

While sender policy framework records help domain owners secure their email communications, this email authentication protocol has limitations that are important to understand. SPF isn't a complete security solution on its own.

Its limitations include:

  • No encryption capabilities: When receiving mail servers perform SPF authentication, they only verify sender authenticity but do nothing to protect the actual content of your messages. Anyone who intercepts your emails can still read them if you're not using additional encryption.
  • No privacy features: These records don't hide email metadata or protect sensitive information within your messages. They simply verify that an email comes from an authorized mail server.
  • Breaks when forwarded: When someone forwards your email, the SPF validation fails because the forwarder's sending server's IP address becomes the new sender. This means legitimate forwarded messages may get flagged as suspicious.
  • No reporting functionality: Unlike more advanced protocols, SPF doesn't generate reports about who's trying to spoof your domain or provide analytics on delivery issues related to authentication.
  • Insufficient as a standalone solution: The DNS lookup performed during SPF checks is just one layer of email security. Smart attackers can find ways around SPF-only protection, which is why experts recommend implementing it alongside DKIM and DMARC for comprehensive protection.
  • Limited protection scope: SPF only verifies the sending server, not the actual content of emails. This means phishing attacks with malicious content can still pass SPF checks if sent from authorized servers.

What do you need to know about SPF?

Implementing sender policy framework records tells recipient email servers that your message isn't spoofing, spamming, or attempting to scam them. By taking the time to incorporate SPF records into your domain settings, you create a verification process that increases confidence and decreases resistance to your messages.

When messages claim to come from your SPF-protected domain but originate from unauthorized servers, they'll fail SPF authentication checks, protecting both your brand reputation and your recipients from potential scams.

This verification system is especially important for handling incoming mail, as it provides an additional layer of security screening before messages reach inboxes.

Key points to understand about SPF include:

  • IP address verification: An SPF record is essentially a published list of IP addresses authorized to send emails on behalf of your domain, giving clear instructions to email providers about handling your outgoing messages.
  • Delivery improvement: Your SPF record provides a layer of protection that makes your legitimate messages more likely to reach the intended receiver's inbox rather than being flagged as spam.
  • No encryption function: While SPF verifies sender authenticity, it doesn't encrypt your message content or provide privacy protection for the information within.
  • Header visibility: SPF verification results appear in the full headers of your email messages, allowing recipients to manually check authentication if needed.
  • Trust signaling: The SPF domain listed first in your "include" mechanism demonstrates you've taken the minimum precautions to protect both your business data and your recipients from potential email-based threats.

SPF vs. DMARC vs. DKIM

The Internet Engineering Task Force published the current SPF protocol in RFC 7208 in April 2014. The purpose was to create a consensus on keeping hackers and phishers from sending emails that supposedly come from a known, trusted organization.

That consensus became spf1, and from that point forward, v=spf1 became the standard format for the beginning statement of every SPF record. However, forwarding a message invalidates the SPF. Consequently, two additional strategies have come into play: DKIM and DMARC.

What is DKIM?

DKIM is an acronym for DomainKeys Identified Mail. Like SPF, DKIM is a TXT record in the DNS. However, DKIM records remain valid even when forwarded. Current DKIM standards arose from efforts by Yahoo! and Cisco, who each created their own email authorization standards.

Think of DKIM as the wax seal once applied to official documents. These wax seals were recognizable; if a message arrived with a missing or broken seal, it was not considered trustworthy.

Every dispatching email server has a two-part DKIM: the private DKIM key and a public key. Every receiving server accesses the public half of that key. The receiving email server performs a lookup in the DNS txt record when you send your email message.

If that email server finds your public DKIM key, it opens the DKIM signature. If the signature in the message matches the signature you published in your DNS, the receiving email server considers that message valid. If not, that message bounces, which means it does not reach the intended receiver's inbox.

Instead, it might not get delivered, go to the spam folder, or go to whatever other folder the user has set up to deal with such messages.

The correct format for DKIM records looks like this:

"<selector(s=)._domainkey.domain(d=)>.   TXT v=DKIM1; p=\<public key>"

Here is a sample DKIM public key in the correct format:

"dk5182-3458._domainkey.mydomainexample.com. IN TXT "v=DKIM1\;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1TaNgLlSyQMNWVLNLvyY/neDgaL2oqQE8T5illKqCgDtFHc8eHVAU+nlcaGmrKmDMw9dbgiGk1ocgZ56NR4ycfUHwQhvQPMUZw0cveel/8EAGoi/UyPmqfcPibytH81NFtTMAxUeM4Op8A6iHkvAMj5qLf4YRNsTkKAV;""

What does each part of a DKIM record do?

In this example, dk5182-3458 represents the selector (s=). The (d=) represents the specified domain, mydomainexample.com. The version must always appear as "v=DKIM1'' in every DKIM record. The "p" mechanism represents the public code, a string of letters, numbers, and symbols.

What Is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting & Conformance. DMARC prevents malicious activity by blocking messages from spoofers before they reach your inbox. Spoofers pretend to represent you to glean the information they can use for ID theft or other types of fraud.

When you use DMARC, you slam the door shut on these attempted intrusions. DMARC uses open-source, free-to-use code. However, your email service provider must also use DMARC protection. DMARC provides a third layer of protection after SPF and DKIM.

DMARC allows you to tell your email service provider whether to reject or quarantine emails from untrustworthy or unknown sources based on information received after DKIM and SPF queries.

SPF record parts

A correctly formatted SPF record is a text file (TXT) containing two vital elements. First, the record must include the SPF version. Second, the rest of the record consists of the mechanisms required to verify which host names and IP addresses are authorized to send messages from your domain.

An example of an SPF record in an email authentication statement might look like this:

"v=spf1 a MX include:spf.yourbusinessdomainname.com ~all"

The v=spf1 statement tells the receiving email server that this TXT record is a sender policy framework record. The "a'' mechanism tells that server to match the sender's IP address to the "a" tool of the "from" domain before allowing the entire message to download. The MX mechanism refers to the mail exchange server or "host" you use to store your email messages, such as Google Workspace or Microsoft 365 Business Premium. Finally, the "include" mechanism specifies that the example SPF domain, yourbusinessdomainname.com, has the right to send your company's emails.

Important points to remember:

  • The statement v=spf1 is the first tag and must ALWAYS appear at the beginning of your SPF record.
  • The "a" statement must match the "from" record.
  • Your MX is the mail exchange service you use.
  • Every domain authorized to send your business emails must appear in the "include" statement, including any third-party email services, such as Mailchimp, that you use.
  • Include every IP address your company email comes from in your SPF mechanism.

How to create an SPF record

For best results, create your SPF record syntax as a TXT file before you upload it, rather than creating it on your DNS server's dashboard. That way, you can scrutinize it for format errors before testing it.

Follow these steps to create and implement your SPF record:

  1. First, open your domain provider's dashboard.
  2. Go to Settings.
  3. Create your SPF record as a TXT entry.
  4. Add it to your DNS settings.
  5. Test the changes.

Any changes to your existing SPF record may take up to 48 hours, so be patient. Then, test your changes again after those two days have passed.

If you only send email from Google Workspace, for example, your SPF record would look like this:

"v=spf1 include:_spf.google.com ~all"

However, if you have additional email service providers, you always need a separate "include:" statement for each one. Consequently, if you also use Mailchimp's Mandrill to send messages, you add "include:mandrillapp.com" after the Google statement and before the ~all element. Thus, your new SPF will look like this:

"v=spf1 include:_spf.google.com include:mandrillapp.com ~all"

Here, you would replace "domainkey.example.com" with your company's domain name.

Protect your business with SPF records

Bad actors such as disgruntled or former employees, spammers, and scammers can ruin your company's reputation by sending fake emails from your company if you do not take steps to secure your communications. SPF authentication gives your customers and contacts a way to verify that a message came from you.

While it does not encrypt the message's contents, SPF provides the first line of defense against spoofers. For total security against cyber attacks via email, you should also use DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance).

If you find creating and adding SPF records to your DNS burdensome to do yourself, you can rely on Mailchimp to set up and test your SPF authentication and domain authentication for you.

Key Takeaways

  • SPF records act as security guards for your email domain, telling recipient servers which sources are authorized to send messages on your behalf.
  • While SPF provides basic protection, combining it with DKIM and DMARC creates a comprehensive security system that significantly reduces email spoofing and phishing attacks.
  • Properly configured SPF records improve email deliverability, protect your brand reputation, and build recipient trust by verifying that your emails are legitimate.
  • Despite the security benefits, SPF records are relatively simple to implement. They're just a single line of text code added to your domain's DNS settings.

Related Topics

Share This Article