When you unlock your phone, the PIN or fingerprint authenticates your identity and communicates that you are the rightful device owner.
Similarly, when you send an email, the receiving email server checks whether the email really comes from a server that is allowed to send for the claimed sender.
But how does it authenticate the identity of the sender? This verification process is where the Sender Policy Framework (SPF) steps in. It helps filter out senders who try to spam, spoof, or phish email users. Beyond security, SPF also plays a pivotal role in authenticating emails, which not only optimizes delivery rates but also improves open and click-through rates.
So let's look into how the Sender Policy Framework (SPF) can help achieve that, its benefits and limitations.
What is an SPF record?
SPF, or Sender Policy Framework, is an email authentication method designed to specify which email servers are authorized to send emails on behalf of your domain.
It helps detect and prevent email spoofing and phishing attempts by verifying that incoming emails from your domain originate from legitimate sender servers. Email servers that receive messages from your domain use SPF records to confirm the authenticity of the sender's identity and prevent emails from compromised or unauthorized sources.
Use an SPF record checker tool to ensure your email domain's SPF record is correctly configured for email authentication. It validates syntax, checks compliance with specifications, tests email delivery, and identifies issues like exceeding DNS lookup limits.
Spammers started sending emails from relay servers, which caused the spam filters to detect whitelisted IPs and accept the emails.
To counter this, the anti-spam bodies conceptualized the SPF check.
How does SPF work?
SPF operates through a multi-step process to authenticate the origin of emails sent on behalf of a domain. Here’s how SPF works to secure your domain.
1. SPF record publication
Domain administrators publish an SPF record in their Domain Name System (DNS) records. This record specifies authorized email servers allowed to send emails on behalf of that domain.
This is what an SPF record would look like:
myntra.com IN TXT
v=spf1 include:_spf.google.com include:_spf1.myntra.com include:_spf-sfdc.successfactors.com include:amazonses.com include:spf.falconide.com include:mail.zendesk.com ip4:199.255.192.22 ip4:15.224.192.102/32 ip4:219.65.87.215 -all
You can pull in the IP ranges authorized by another domain's SPF record by using the 'include:' mechanism in the record.
2. Receiving server verification
When an email is sent, the receiving email server checks the SPF record of the sender's domain. It retrieves the SPF record by querying the DNS servers of the sender's domain (the domain in the envelope "from" (MAIL FROM) address).
3. SPF record evaluation
The receiving server evaluates the IP address of the sending email server against the list of IP addresses authorized by the SPF record. If the sending server's IP address matches one of the authorized IP addresses or ranges, the email passes the SPF check.
The receiving email server evaluates the SPF record mechanisms, which can include:
- ip4 or ip6: Specifies authorized IP addresses for sending emails.
- a or mx: Permits the domain's A record (host address) or MX record (mail exchange server) to send emails.
- include: Includes another domain's SPF record for authorization.
- ~all: Soft fail - Permitted sender, but treated with suspicion by some servers.
- -all: Hard fail - Sender not authorized.
4. Authentication outcome
The SPF check will result in a pass or fail. If the sending server's IP address is listed in the SPF record of the sender's domain, the SPF check passes, indicating the email is likely legitimate. However, if the SPF check fails, i.e., the IP address is not authorized, the email may be marked as suspicious or rejected by the receiving server.
5. Email delivery decision
Upon passing the SPF check, the receiving server proceeds with normal email delivery procedures. Conversely, if the SPF check fails, the receiving server may divert the email to the recipient's spam or junk folder or outright reject the email to mitigate potential security risks.
It is important to note that SPF complements other email authentication methods like DKIM and DMARC to enhance email security and prevent phishing attacks.
SPF record syntax
Check out the table that explains the syntax of valid SPF records:
Mechanism | Description | Example |
---|---|---|
v | Version of SPF used, always v=spf1 | v=spf1 |
ip4 | Specifies an IPv4 address or range allowed to send mail for the domain | ip4:192.0.2.0/24 |
ip6 | Specifies an IPv6 address or range allowed to send mail for the domain | ip6:2001:db8::/32 |
a | Permits the domain’s A or AAAA record to send mail | a |
mx | Permits the domain’s MX record to send mail | mx |
ptr | Permits the domain whose name is the PTR record to send mail (discouraged due to performance) | ptr |
include | Includes the SPF record of another domain | include:example.com |
all | Matches any address, usually used at the end of the record | all |
Qualifiers
Qualifiers in SPF records indicate how a receiving email server should interpret the results of SPF mechanisms. They provide guidance on whether to pass, fail, treat with suspicion, or consider neutral any SPF checks performed. These qualifiers include:
Qualifier | Description | Example |
---|---|---|
+ | Pass, the mechanism matches | +ip4:192.0.2.0/24 (implicit) |
- | Fail, the mechanism matches (hard fail) | -all |
~ | Soft fail, the mechanism matches (usually treated as suspicious) | ~all |
? | Neutral, no policy or the mechanism matches (treated as non-authoritative) | ?all |
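The evaluation steps and the mechanism and qualifier tables above can be seen working together in a small evaluator. This is an added example, not code from the original article; the zone contents, domain names and function names are constructed for illustration, and the `a`, `mx` and `ptr` mechanisms are skipped because they need live DNS.

```python
import ipaddress

# Constructed sample zone (hypothetical names, documentation IP ranges).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse(record):
    """Split an SPF record into (qualifier, mechanism, value) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for tok in tokens[1:]:
        # A missing qualifier means '+', as in the qualifier table.
        qual, body = (tok[0], tok[1:]) if tok[0] in RESULTS else ("+", tok)
        name, _, value = body.partition(":")
        terms.append((qual, name.lower(), value))
    return terms

def check_host(ip, domain, zone=ZONE):
    """Evaluate terms left to right; the first mechanism that matches decides."""
    record = zone.get(domain)
    if record is None:
        return "none"                       # no SPF record published
    addr = ipaddress.ip_address(ip)
    for qual, name, value in parse(record):
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            sub = check_host(ip, value, zone)
            if sub == "none":
                return "permerror"          # include target has no record
            matched = sub == "pass"         # only "pass" makes include match
        elif name == "all":
            matched = True
        else:
            continue    # a, mx, ptr need live DNS; skipped in this offline sketch
        if matched:
            return RESULTS[qual]
    return "neutral"                        # nothing matched and no "all"
```

Note that a `-all` inside an included record does not fail the message by itself: the include simply does not match, and evaluation continues with the next term of the outer record.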
How to add SPF record
Now, let's walk through the steps to add an SPF record to your domain.
1. Get required information
Before you begin, ensure you have the necessary information, including:
The domain you are adding the SPF record to.
Your domain provider’s documentation or support information on adding DNS TXT records.
2. Sign in to the domain provider
Log in to your domain provider's management console and access the console where you manage your domain's DNS records.
3. Locate the DNS management page
Navigate to DNS settings and find the page where you can update DNS TXT records. This might be labelled as "DNS Management," "DNS Configuration," or something similar.
4. Add the SPF record
Add a New TXT Record:
- Type: Select or enter TXT as the record type.
- Host: Enter @ for the root domain or the subdomain if applicable.
- Value: Enter the appropriate SPF record value. For Google Workspace, it is:
  v=spf1 include:_spf.google.com ~all
- If you have other email senders, you may need to modify this value accordingly.
- TTL: Set this to 1 hour or 3600 seconds. If your domain provider does not allow you to change the TTL, use the default value.
5. Save the changes
Confirm and save the new SPF record. The changes may take up to 48 hours to propagate and start working.
6. Verify the record
Use an SPF record lookup tool to ensure the record has been added correctly.
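The kind of checks an SPF record checker performs, including the DNS lookup limit mentioned earlier, can be sketched as follows. This is an added example, not the article's or any tool's own code; the zone, domain names and function names are constructed, and the limit of 10 DNS-querying terms comes from RFC 7208.

```python
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")  # terms that cost a DNS query
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying terms per SPF evaluation

# Constructed sample zone (hypothetical names, documentation IP ranges).
ZONE = {
    "shop.example": ["v=spf1 mx a include:crm.example include:esp.example ptr -all"],
    "crm.example": ["v=spf1 include:n0.crm.example include:n1.crm.example "
                    "include:n2.crm.example include:n3.crm.example -all"],
    "esp.example": ["v=spf1 a mx ip4:198.51.100.0/24 -all"],
    "open.example": ["v=spf1 ip4:203.0.113.9 +all"],
    "dup.example": ["v=spf1 mx -all", "v=spf1 ip4:203.0.113.1 -all"],
}
ZONE.update({f"n{i}.crm.example": [f"v=spf1 ip4:192.0.2.{i} -all"] for i in range(4)})

def spf_terms(domain, zone):
    """Return the terms of the single SPF record at `domain`, or raise."""
    spf = [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        raise LookupError(f"{domain}: expected 1 SPF record, found {len(spf)}")
    return spf[0].split()[1:]

def count_lookups(domain, zone, seen=()):
    """Count DNS-querying terms, following include: into nested records."""
    if domain in seen:
        raise LookupError(f"include loop at {domain}")
    total = 0
    for term in spf_terms(domain, zone):
        bare = term.lstrip("+-~?").lower()
        name, _, value = bare.partition(":")
        if name.split("/")[0] in LOOKUP_TERMS or bare.startswith("redirect="):
            total += 1
        if name == "include":
            total += count_lookups(value, zone, seen + (domain,))
    return total

def lint_spf(domain, zone=ZONE):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        terms = [t.lower() for t in spf_terms(domain, zone)]
        lookups = count_lookups(domain, zone)
    except LookupError as exc:
        return [str(exc)]
    findings = []
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed the limit of {MAX_LOOKUPS}")
    if "all" in terms or "+all" in terms:
        findings.append("all with pass qualifier authorizes every sender")
    if any(t.lstrip("+-~?").split(":")[0] == "ptr" for t in terms):
        findings.append("ptr mechanism is discouraged")
    return findings
```

The sample `shop.example` record has only five DNS-querying terms of its own; the nested includes bring the total to 11, which is why the limit is easy to exceed without noticing.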
How is SPF related to DKIM and DMARC?
SPF, DKIM, and DMARC are the best practices to authenticate your mail server and enhance email security. These spam protection methods are becoming more popular and might become a compulsory measure against junk emails someday. Not only that, but verifying your account with these methods will make you a legitimate sender in the eyes of the receiving server.
DKIM
DKIM ensures messages are not modified while travelling between the recipient and sending servers. SPF validates the sending server's legitimacy based on IP addresses, while DKIM verifies the integrity and authenticity of each individual message. Together, they offer robust protection against email spoofing and ensure that messages are trustworthy and unaltered.
DMARC
DMARC builds upon SPF and DKIM by providing a policy framework for email authentication and enforcement. It enables domain owners to set policies specifying how receiving mail servers should handle emails that fail SPF or DKIM checks. DMARC also includes reporting mechanisms that offer insights into email authentication results, helping domain owners monitor and protect their email domains from abuse.
How does SPF help in expanding your reach?
Spammers will try to send unwanted emails whenever they can take control of your domain. This will harm your credibility and damage your deliverability. You should make it a priority if you have not authenticated your domain. This is how SPF helps ensure that your deliverability is high:
Informs recipients of third-party
An SPF record will ensure that the end-user is informed if spammers use a relay.
Easy entry to inboxes
When email receivers establish trust in your brand due to the use of SPF, your future emails will find a secure entry in their inboxes.
Mandatory for some recipients
Some email recipients strictly require the emails to have an SPF record. If it’s not present, the email automatically gets marked as spam. This might result in email bouncing.
Increases sender score
Sender Score is a score of every outgoing mail server using conventional email metrics such as unsubscribes and spam files. SPF helps increase your sender score and, in turn, helps email deliverability.
SPF does look like a one-stop solution for preventing email spoofing, spamming, and phishing, but you do want to look at some of its limitations.
Limitations of SPF
There are a few constraints of the SPF system. They are as follows:
Doesn't work on forwarded emails
Forwarded emails usually fail the sender policy framework test as they do not contain the original senders' information and appear to be spam messages.
Not regularly updated
Many domain administrators might not be able to update their SPF records regularly.
Have to update despite server change
When you use third parties as email providers, you must update the SPF record even when the service provider changes its servers, which is extra work.
SPF for AMP email approval from email clients
If you want to reap the benefits of sending out interactive AMP emails, you will have to get whitelisted with Yahoo Mail, Gmail, and Mail.ru, which support AMP emails. To whitelist your sender address, these email clients require SPF before approving it.
Conclusion
SPF protects the envelope sender and stops spammers from abusing mail systems to trick innocent users. Unfortunately, 1 in 6 emails gets sent to spam or blocked from your subscribers' inbox altogether, leading to only 83% conversion.
Mailmodo will help you with 17%. Our email experts will help you get your security certifications done and improve your deliverability to yield the best results.