SPF Explained
What is SPF?
SPF (Sender Policy Framework) lets a domain owner publish, in DNS, which mail servers are authorized to send email for that domain. For example, you may own company.com and send email through services such as Google Workspace, Mailchimp, and Salesforce. By publishing an SPF record in DNS you authorize those services, and only those services, to send email on behalf of company.com. Email from any other server fails the SPF check, which helps receivers detect spoofing and phishing that forge your domain.
SPF Record
SPF records are published as TXT records at the apex of the domain (e.g. a TXT record on mycompany.com itself, not on a subdomain or a special label). A domain should have exactly one record starting with v=spf1; two such records are a permanent error. An example SPF record might look like this:

v=spf1 include:_spf.google.com include:servers.mcsv.net include:salesforce.com ip4:1.2.3.4/24 ~all
| Mechanism | Value | Description |
|---|---|---|
| include | _spf.google.com | Evaluates the SPF record of _spf.google.com (Google Workspace). The include matches only if that record returns pass; fail, softfail or neutral from the included record do not match, and evaluation continues with the next mechanism. Costs one of the 10 permitted DNS lookups (plus any lookups the included record itself makes). |
| include | servers.mcsv.net | Same as above for servers.mcsv.net (Mailchimp). Costs one DNS lookup. |
| include | salesforce.com | Same as above for salesforce.com (Salesforce). Costs one DNS lookup. |
| ip4 | 1.2.3.4/24 | IPv4: authorizes every address in the /24 network containing 1.2.3.4, i.e. 1.2.3.0 through 1.2.3.255 (equivalent to ip4:1.2.3.0/24). Without a CIDR suffix, ip4 matches the single address. No DNS lookup is needed. |
| ~all | - | All with the soft-fail qualifier: matches every IP not matched by an earlier mechanism and returns softfail. Receivers usually accept such mail but mark it as suspicious; softfail does not count as an SPF pass for DMARC. all should be the last mechanism in the record, since nothing after it is ever evaluated. |
So the above policy says: "email for company.com may come from Google Workspace, Mailchimp, Salesforce, or the 1.2.3.0/24 range. Anything else gets a soft fail." Once you are confident the record lists every legitimate sender, change ~all to -all so that unmatched mail is rejected rather than merely flagged.
The final mechanism of an SPF record should be either -all (fail) or ~all (soft fail). This tells receiving mail servers how to treat email that matches none of the earlier mechanisms. A record with no all mechanism returns neutral for unmatched senders, which gives receivers nothing to act on. There are other mechanisms (a, mx, ip6, exists, ptr) and modifiers (redirect, exp) in SPF, but the ones shown are the most common. For the full syntax, see RFC 7208.
How SPF Works
- Sending Email: First, a server at 1.2.3.4 connects to the receiving server and issues MAIL FROM:<user@company.com>. This is the envelope sender (also called the return-path), and it is what SPF checks.
- Receiving Server Checks SPF: The receiving server takes the domain from the envelope sender, company.com, and looks up its SPF TXT record in DNS.
- SPF Evaluation: The receiving server walks the record's mechanisms in order, resolving any includes, and checks whether the connecting IP address 1.2.3.4 matches one of them. The first matching mechanism decides the result; its qualifier gives pass, fail, softfail or neutral.
- Accept or Reject Email: A pass means the IP is authorized and the message proceeds. On fail or softfail the receiver applies its own policy (reject, quarantine, or tag), and with DMARC in place the domain owner's published policy decides what happens.
Limitations of SPF
While SPF is a powerful tool for email authentication, it does have some limitations:
- Forwarding Issues: When a mailbox or mailing list forwards a message, the forwarder's server connects to the final receiver, but the envelope sender still names the original domain unless the forwarder rewrites it. The forwarder's IP is not in the original domain's SPF record, so the check fails even though the message is legitimate. Forwarders work around this with SRS (Sender Rewriting Scheme), and receivers fall back on DKIM, which survives forwarding.
- DNS Lookup Limits: RFC 7208 caps an evaluation at 10 DNS-querying terms (include, a, mx, ptr, exists and the redirect modifier), counted across nested includes; ip4, ip6 and all cost nothing. Exceeding the limit is a permanent error (permerror), which most receivers treat as no authorization at all, so a record that has grown by accumulating vendor includes can silently stop protecting the domain. Tools are available to count lookups and flatten records to stay within the limit.
- Only Checks Envelope From: SPF verifies the domain of the SMTP envelope sender (MAIL FROM), not the From: header that users see in their mail client. An attacker can pass SPF with an envelope sender at a domain they control while placing victim@company.com in the visible From: header. DMARC closes this gap by requiring the SPF-authenticated domain to align with the From: header domain.
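The evaluation walk described under "How SPF Works" and the lookup budget from the limit above, as an added Python example that is not part of the original article: it implements the include, ip4, ip6 and all mechanisms against a constructed in-memory DNS table (the company.com record is the article's; the provider records and loop.example are made up for the example, not the providers' real records) and counts include lookups the way a record-checking tool would. Mechanisms that need live DNS (a, mx, ptr, exists) and the redirect modifier are deliberately not implemented here.

```python
import ipaddress

MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4: at most 10 DNS-querying terms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS (domain -> SPF TXT record). The company.com record is the
# one from the article; the provider records below are hypothetical, not the real ones.
FAKE_DNS = {
    "company.com": "v=spf1 include:_spf.google.com include:servers.mcsv.net "
                   "include:salesforce.com ip4:1.2.3.4/24 ~all",
    "_spf.google.com": "v=spf1 ip4:74.125.0.0/16 ~all",
    "servers.mcsv.net": "v=spf1 ip4:205.201.128.0/20 ?all",
    "salesforce.com": "v=spf1 include:_spf.salesforce.com -all",
    "_spf.salesforce.com": "v=spf1 ip4:13.110.0.0/16 -all",
    # A record that includes itself: the lookup budget stops it instead of recursing forever.
    "loop.example": "v=spf1 include:loop.example -all",
}


class PermError(Exception):
    """Permanent evaluation error: malformed record, bad include, or too many lookups."""


def check_host(ip, domain, dns=FAKE_DNS):
    """Evaluate SPF for a connection from `ip` whose envelope sender is at `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    budget = [MAX_DNS_LOOKUPS]      # one-element list so nested includes share the count
    try:
        return _evaluate(ipaddress.ip_address(ip), domain, dns, budget)
    except PermError:
        return "permerror"


def _evaluate(addr, domain, dns, budget):
    record = dns.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise PermError("not an SPF record")
    for term in terms[1:]:
        if "=" in term:              # modifier such as redirect= or exp=: not handled here
            continue
        qualifier = "+"              # a mechanism with no qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # ip4:1.2.3.4/24 is the network 1.2.3.0/24; no suffix means a single host.
            # Membership is False when the address family differs (IPv6 vs ip4 term).
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                raise PermError("bad network %r" % arg)
        elif name == "include":
            budget[0] -= 1           # this include costs one lookup; its target's includes cost more
            if budget[0] < 0:
                raise PermError("more than %d DNS lookups" % MAX_DNS_LOOKUPS)
            inner = _evaluate(addr, arg, dns, budget)
            if inner == "none":
                raise PermError("include target %s has no SPF record" % arg)
            matched = inner == "pass"   # only a pass from the included record matches
        else:
            raise PermError("mechanism %r not implemented in this example" % name)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                 # ran off the end of the record with no all mechanism


def count_lookups(domain, dns=FAKE_DNS, _seen=None):
    """Count the include lookups a full evaluation of `domain` spends: the check to run
    before adding another vendor's include. Every include term counts once; a target
    already seen is counted but not descended into, so a loop gives a finite answer.
    A real tool also counts a, mx, ptr, exists and redirect, which this example omits."""
    seen = {domain} if _seen is None else _seen
    total = 0
    for term in dns.get(domain, "").split()[1:]:
        term = term.lstrip("+-~?").lower()
        if term.startswith("include:"):
            target = term[len("include:"):]
            total += 1
            if target not in seen:
                seen.add(target)
                total += count_lookups(target, dns, seen)
    return total


if __name__ == "__main__":
    for ip, domain in [("1.2.3.77", "company.com"), ("74.125.10.20", "company.com"),
                       ("203.0.113.9", "company.com"), ("203.0.113.9", "loop.example")]:
        print(ip, domain, "->", check_host(ip, domain))
    print("company.com include lookups:", count_lookups("company.com"))
```

Note that a sender at 203.0.113.9 gets softfail from company.com because the record ends in ~all, while loop.example returns permerror once the shared budget is exhausted; with -all in the first record the unmatched sender would get fail instead. The company.com record from the article spends four of its ten lookups (three direct includes plus the nested one under salesforce.com), which is the number that keeps growing as vendors are added.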
Due to these limitations, SPF is often used in conjunction with DKIM and DMARC to provide a more comprehensive email authentication solution.