What is an SPF Record?
A method of email authentication called SPF (Sender Policy Framework) is used to stop spammers from sending emails on your domain’s behalf. With the use of SPF, a company can list permitted mail servers. It provides the receiver/receiving systems with information on the originality of an email along with the DMARC information. SPF is a DNS-based email authentication method, similar to DMARC (Domain Name Service). You can use this to define which email servers are allowed to send emails on your domain’s behalf.
History of SPF
SPF was first referenced in 2000. The SPF specification saw several draughts during the ensuing years. In the interim, “Sender Policy Framework” has replaced the previous moniker “Sender Permitted From”.
Microsoft’s CallerID proposal and SPF were once combined by an IETF SPF working group. The “classic” variant of SPF was used in their subsequent effort. This resulted in the creation of the first experimental RFC in 2006 and the proposed standard SPF, known as RFC 7208 in 2014.
These days, email authentication methods have developed, giving rise to methods like DKIM and DMARC. SPF, however, continues to play a crucial role in determining if an email is DMARC compliant.
Examples of Standard SPF records:
“abc.com” IN TXT “v=spf1 mx a:abc.com ~all”
“abc.com” IN TXT “v=spf1 ip4: mx mx:abc.com a: -all”
SPF in practice
A DNS record called an SPF record needs to be added to your domain’s DNS zone. You can specify which IP addresses and/or hostnames are permitted to send email from the particular domain in this SPF record.
The “envelope from” address of the mail will be used by the mail recipient to verify that the sending IP address was authorised to send the email (often the Return-Path header). This will take place before the message’s body is received. Email from this server will be flagged as suspicious when a specified domain does not contain the sending email server. The email server will eventually reject it.
What SPF doesn't do
- it does not validate the “From” header. Most clients include the header as the actual sender of the message. SPF does not validate the “header from”, but uses the “envelope from” to determine the sending domain
- SPF will break when you forward an email. At this point, the ‘forwarder’ becomes the new ‘sender’ of the message and will fail the SPF checks performed by the new destination.
- lacks reporting which makes it harder to maintain
SPF and DMARC
SPF is one of the authentication techniques on which DMARC is based. DMARC uses the result of the SPF checks and adds a check on the alignment of the domains to determine its results.