What is SPF?

SPF is the acronym for “Sender Policy Framework”.

We’re not talking about sunscreen here – we’re talking about SPF in a digital context. When the internet first began, it was built on a system of mutual trust. The concept of email was included under this trust umbrella – in other words, anybody could send a mail to anybody else, and everyone trusted that these people were who they said they were. It’s the same idea as putting a return name and address on a letter, and trusting that the mail is indeed from that sender.

As the internet grew and evolved, fraud unfortunately became more common, and this included email. People began impersonating other people via email in order to gain access to sensitive data like bank details and personal information. This highlighted the fundamental problems with email:

  1. When you receive a mail, there’s no way of knowing whether it actually came from the person named in the “from” address.
  2. Related to this, you don’t know whether the mail you received is the one that was originally sent, or whether it was intercepted and altered in transit by a third party.

In order to address these two problems, global frameworks were created to combat email fraud. The first of these frameworks was called the Sender Policy Framework (SPF).

SPF is simply a list of the servers you authorise to send mail for your domain, published as a record in your domain’s DNS. Through SPF, domain owners can tell receiving servers which servers are allowed to send mail on behalf of their domain, which addresses the first major email security problem mentioned above.

However, as promising as SPF was, it still presented a few issues when it came to authenticating email, as explained in this Return Path article:

  1. If you change mail service providers or add more channels through which mail is being sent, keeping your SPF records updated can be a challenge.
  2. If an email fails SPF, the receiving server may not block it, as it’s only one factor taken into account when performing authentication.
  3. SPF breaks when an email is forwarded, because the forwarding server is not in the original domain’s list of authorised senders.
  4. Mail is still vulnerable if someone impersonates the display name or the from address in a message, since SPF does not check the visible “from” header that the recipient sees.
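The following is an added example, not code from the original article: a minimal SPF evaluator that checks a sending IP against a published record, which also shows why forwarding breaks SPF. It assumes a constructed record for a hypothetical domain and implements only the `ip4`, `ip6` and `all` mechanisms, so it runs offline without DNS lookups (`include`, `a`, `mx` and `redirect` would need them).

```python
"""Minimal SPF evaluator (added example, not from the original article).

Only the ip4/ip6/all mechanisms and the four qualifiers are implemented,
so it runs offline; include/a/mx/exists/redirect would require DNS lookups.
"""
import ipaddress

# Constructed record for a hypothetical domain, published as a DNS TXT record.
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ip6:2001:db8::/32 ~all"

# Qualifier prefix -> result name (no prefix means "+", i.e. pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sending_ip: str) -> str:
    """Return the SPF result for sending_ip against the published record.

    Terms are evaluated left to right; the first matching mechanism decides
    the result. A record with no matching mechanism yields "neutral".
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sending_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # catch-all, usually the last term
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism needing DNS: not supported here
    return "neutral"


if __name__ == "__main__":
    # A listed server passes; an unlisted forwarding server softfails, which
    # is exactly the forwarding problem described above.
    print(check_spf(EXAMPLE_RECORD, "192.0.2.25"))   # pass
    print(check_spf(EXAMPLE_RECORD, "203.0.113.9"))  # softfail
```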

So, SPF alone wasn’t enough – which was why DKIM was then introduced, and later, DMARC, which sat on top of both of these to finally provide robust email security.

[Figure: SPF diagram]

