chat
expand_more
Glossary

Sender Policy Framework (SPF): How It Works, What It Looks Like, and How To Create One

Sender Policy Framework (SPF) is an email authentication protocol that helps verify an email’s true sender. Receiving servers use SPF to check that an email comes from a server approved by the purported sending domain.

SPF is a vital part of email security. It allows domain owners to prevent domain spoofing and protect their reputation. Without SPF in place, recipients cannot authenticate if an incoming email claiming a domain origin is, in fact, from that domain.

Domain owners can use DMARC to require that messages from their domain pass SPF before delivery. In other words, you can use it to prevent scammers from impersonating your domain. It also helps prevent your emails from getting the dreaded spam label.

Read on to learn how SPF works, why it matters, what an SPF record looks like, how to create and validate one, and more.

What Is an SPF Record? What Does It Do?

An SPF record is a DNS TXT record listing authorized email servers allowed to send emails from a specified domain. It’s published in the DNS.

Receiving servers use SPF to verify that an incoming email is actually from your domain, rather than a spoofed impersonation. Without SPF authentication, receiving servers can’t verify whether an email is legitimate and actually from your domain.

SPF also helps improve your email deliverability. With an SPF record in place, spammers can’t use your domain for email scams, meaning your emails are less likely to be marked as spam or junk. Email servers may reject your domain’s emails if SPF isn’t present since they can’t authenticate that it’s actually from your domain.

Once an SPF is in place, Domain owners can (and should) add a DMARC record to the DNS. This gives receiving servers instructions on what to do with mail that appears to come from your domain but doesn’t pass SPF.

What an SPF Record Looks Like

An SPF record is a list of all IP addresses authorized to send emails on behalf of your domain. It uses tags to specify IP addresses, rules, and more.

There are several tags you can use:

  • v: The protocol version–in this case, it’s v=spf1.

  • ip4 and ip6: The IPv4 and IPv6 addresses that can send email from the domain.

  • include: Any additional domains or subdomains, if you use them to send emails or if you have a third-party email service. For example, if you send emails from IP addresses within samplesubdomain.com, add include:samplesubdomain.com in the SPF record.

  • all: Every SPF record tag must end with some form of all, which instructs what recipients should do if the SPF record does not match. These include -all (if it doesn’t match the record, reject it), ~all (it’s marked as suspicious), ?all (recipient decides).

Here’s an example of a basic SPF record: 

v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 include:samplesubdomain.com ~all

In this example, two IP addresses are verified: 1.2.3.4 and 2.3.4.5. All entries from samplesubdomain.com are also verified to send emails from the domain. Lastly, ~all means any emails that aren’t from a server verified in the SPF record will be marked accordingly.

How Does SPF Work?

The quick version: Recipient servers verify SPF by checking for a TXT record in the sender’s DNS, using the Return-Path in the email headers. If SPF is in use, the server compares the IP address sending the email to the authorized IP addresses in the SPF record. If the IP address is on the list, the mail is delivered. If not, the mail is treated as specified by the DNS record (rejected, sent but suspicious, sent, or decided by the recipient).

Why Is SPF Important?

There are three reasons why SPFs are crucial to email security.

  1. It prevents spammers and cybercriminals from spoofing your domain.

  2. It protects your domain’s reputation.

  3. It improves your domain’s email deliverability rate.

By using an SPF record, you’re making it harder for spammers and cybercriminals to send malicious emails. These emails are, at best, annoying junk and, at worst, dangerous phishing and ransomware attempts.

How To Create and Validate an SPF Record

First, you’ll need all IP addresses that your domain uses to send emails. This includes:

  • Your ESP like Gmail or Outlook

  • Any subdomains

  • Third-party mail servers like Mailchimp

Second, you’ll need to establish rules for your SPF record to adhere to. List the IP addresses, the third-party servers and subdomains, and your preferred all tag.

Once you’ve got an SPF record, you can publish it into your DNS. Keep in mind: SPF records can’t exceed 10 tags or 255 characters.

Finally, you can test and validate your SPF record with a record checker. There are plenty of free tools available on Google. They can check that your SPF exists, doesn’t exceed lookup limits, and has real IP addresses.

Get the Latest Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Tools

Quiz: Can You Replace Your SEG?

Learn More
Tools

CISO Resource Kit for Generative AI

Learn More
Tools

Quiz: Human or ChatGPT?

Learn More
Tools

ROI Calculator: Discover Your Abnormal Return on Investment

Learn More
Tools

10 Considerations to Shape Your Cloud Email Security Strategy

Learn More
Tools

CISO Resource Kit

Learn More

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo