Sender Policy Framework (SPF)

We live in a digital age where potential customers across the world are an email away. Email is a powerful communication tool that opens previously inaccessible doors. However, it also carries potential dangers such as spam, email spoofing, and phishing, all of which are malicious ways of exploiting mail. Read about them in our Email Spoofing Explained blog post.

To prevent potentially fraudulent mail, email servers implement a check called the Sender Policy Framework (SPF). In simple terms, SPF is an email validation system. It allows receiving email servers to check all incoming mail from a domain. Email from authorised domains passes the SPF check and moves to your inbox. Email from unauthorised domains will either go to the spam folder or get bounced.

Basics of SPF

The main reason email communication is vulnerable is that each email carries two ‘from’ addresses. The first is the standard From Address that appears in your email; servers mostly ignore it. The second is the hidden return-path, which is the true ‘from’ address.

These email addresses can be different from each other, and both can be forged. This is done using an email sending program, as well as a Simple Mail Transfer Protocol (SMTP) server.

How SPF works

An SPF record is an entry that a domain owner sets in the domain’s DNS zone. The record keeps a list of all mail servers and domains used to send and receive emails. The receiving server checks the sending server against this list, validating the Return-Path’s domain rather than the From Address.

When the return-path domain does not match the ‘from’ address domain, the check cycles through all valid domains in the list. If none match the return-path, the message is handled as the receiving ISP decides. For more information on SPF, read our guide to the Sender Policy Framework.
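The check described above, as an added example that is not part of the original post: a small evaluator that walks an SPF record for the Return-Path domain and reports the result separately from the From Address. The domains, IP addresses and SPF records are constructed sample data standing in for real DNS lookups, and only the `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress
from email.utils import parseaddr

# Constructed DNS TXT data standing in for real lookups (all names are reserved examples).
SPF_RECORDS = {
    "joesbusiness.example": "v=spf1 ip4:192.0.2.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, domain, depth=0):
    """Evaluate mechanisms left to right; the first one that matches decides."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # guard against include loops
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            matched = check_spf(client_ip, value, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue  # a, mx, exists and modifiers are not handled in this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def domain_of(address):
    """Domain part of a Return-Path or From value, lower-cased."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def receive(client_ip, return_path, from_header):
    """SPF is keyed on the Return-Path domain; the From Address is only compared."""
    spf_domain = domain_of(return_path)
    return {"spf": check_spf(client_ip, spf_domain),
            "checked_domain": spf_domain,
            "from_matches_return_path": domain_of(from_header) == spf_domain}
```

The `from_matches_return_path` field is reported separately because the SPF result alone says nothing about the From Address the reader sees.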

Using SPFs

SPFs are useful to businesses that have multiple email accounts. Rather than sending mail from different accounts, one ‘from’ address can represent a business.

For example, Joe uses his personal email to send his monthly newsletter but does not want his customers to have his personal email. He then sends from his personal address but sets the From Address to be his business. Receiving servers check that either one of his sending domains is approved. The email’s original code will be as follows:


From Address:

A similar strategy is employed by businesses such as Apple. They keep a generic email address for their ‘from’ address while setting up a specific, but hidden, return-path. Both are approved for sending and receiving mail.

Unfortunately, email spoofers use this same strategy to make their fake email seem to come from a valid address. Thankfully, SPF works in conjunction with other security checks, such as DMARC and DKIM, to weed out the spoofers and identify faked email ‘from’ addresses.

While SPF is not all-encompassing, it does cut down misuse of the return-path. Most email hosts and ISPs, such as Gmail and Outlook, support SPF records. SPF records also improve the reputation of sending servers, so mail deliverability is higher and legitimate emails are not marked as spam.
