SPF Overview
Welcome to the SPF documentation section. Here you'll find comprehensive information about Sender Policy Framework (SPF), a protocol that allows domain owners to specify which servers are authorized to send emails on their behalf.
What is SPF?
SPF allows a domain owner to publicly declare which servers or IP addresses may send emails on its behalf. For example, if a domain owner uses one application to send its notification emails and another to send its marketing emails, it would need to include both of those services as its approved senders in its SPF record. An SPF record is a Domain Name System (DNS) text entry that specifies the authorized senders for a domain.
How Does SPF Work?
When a server receives an email, it checks the SPF record of the sender's domain to see if the email originates from an authorized source.
If the sender's IP address matches one of the entries in the SPF record, the email passes the SPF check and is considered authentic. If the sender's IP address does not match any of the entries in the SPF record, the email fails the SPF check and is considered unauthentic.
The receiving server can then decide how to handle the email based on the DMARC policy of the sender's domain, which can be to accept, quarantine, or reject the message.
Why is SPF Important?
SPF is important because it helps protect both email senders and receivers from fraudulent and malicious emails.
By using SPF, email senders can improve their reputation and deliverability, as well as reduce the risk of their domain being blacklisted or spoofed.
Email receivers can also benefit from SPF, as they can filter out unwanted and harmful emails, and ensure that they only receive messages from legitimate and trusted sources.
Limitations of SPF
There are a number of important limitations of SPF:
- SPF only verifies the envelope sender, not the header sender. The envelope sender is the address that the email delivery system uses, while the header sender is the address that the email recipient sees. These two addresses can differ, and spammers can exploit this by using a valid envelope sender and a spoofed header sender. Therefore, SPF does not prevent phishing attacks that attempt to deceive the recipient with a fake header sender.
- SPF does not protect against email forwarding. When a third party forwards an email, the original envelope sender remains unchanged, but the message now arrives from the forwarder's IP address, which is usually not listed in the original domain's SPF record. This can cause the SPF verification to fail, even if the original sender is authorized. The result is false positives, where authentic emails are marked as unauthentic and rejected or quarantined.
- SPF does not encrypt or sign the email content. SPF only validates the source of the email, but it does not ensure the integrity or confidentiality of the email content. Spammers can still alter or tamper with the email content, or intercept and read the email in transit. Therefore, SPF does not prevent content-based attacks, such as malware, ransomware, or data theft.
- SPF allows at most 10 DNS lookups per SPF record. If you are a domain owner planning to add an SPF record to DNS, make sure this limit is not exceeded; otherwise the SPF check for your record will fail.
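The lookup limit above is easy to exceed through nested include and redirect terms, even when the top-level record looks short. The following added example (not part of the original documentation) counts the worst-case number of DNS-querying terms, as listed in RFC 7208 section 4.6.4, before a record is published. The domain names, record contents and function names are constructed for illustration.

```python
import re

# Constructed sample TXT records (illustrative, not real DNS data).
RECORDS = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 a mx "
                    "include:_spf.mailer.test include:_spf.news.test ~all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test "
                        "exists:%{i}.rbl.mailer.test -all",
    "_a.mailer.test": "v=spf1 ip4:198.51.100.0/25 -all",
    "_b.mailer.test": "v=spf1 a:out.mailer.test mx -all",
    "_spf.news.test": "v=spf1 ip4:203.0.113.0/24 redirect=_spf2.news.test",
    "_spf2.news.test": "v=spf1 ip6:2001:db8::/32 ptr -all",
}

LOOKUP_LIMIT = 10
# Terms that each cost one DNS query during evaluation (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Terms whose target is itself an SPF record that must be evaluated.
FOLLOWED = {"include", "redirect"}
# Optional qualifier, term name, optional ":" or "=" target (CIDR suffix dropped).
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?")

def count_lookups(domain, records, path=()):
    """Worst-case count of DNS-querying terms reachable from domain's record.

    Assumes no mechanism matches early, so every term is evaluated.
    """
    if domain in path:
        raise ValueError("include/redirect loop: " + " -> ".join(path + (domain,)))
    parts = records.get(domain, "").lower().split()
    if not parts or parts[0] != "v=spf1":
        return 0  # no SPF record at this name; the parent term was still counted
    total = 0
    for term in parts[1:]:
        m = TERM.match(term)
        if not m:
            continue
        name, target = m.groups()
        if name in LOOKUP_TERMS:
            total += 1
        if name in FOLLOWED and target:
            total += count_lookups(target, records, path + (domain,))
    return total

def spf_lookup_status(domain, records):
    """Return ("ok" | "permerror", count) against the 10-lookup limit."""
    n = count_lookups(domain, records)
    return ("permerror" if n > LOOKUP_LIMIT else "ok", n)
```

With the sample data, `example.test` has only four lookup terms of its own but reaches 11 once nested records are followed. Replacing its `a` and `mx` mechanisms with explicit `ip4` ranges brings the total back under the limit.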
Related Topics
- SPF Redirect - Using the redirect modifier
- SPF Syntax - Detailed information about SPF DNS record
- SPF Settings - Configure SPF Settings