What is SPF?
SPF stands for “Sender Policy Framework,” and it is simply a whitelist of IP addresses that you have allowed to send email on behalf of your domain. It is saved in the form of a DNS TXT file (see “what is DNS”). It was developed in the early 2000’s as an anti-spam protocol to stop phishing emails.
Here’s an example of how it works: You have a company website, example.com. You send email from [email protected] using the Email Service provider (ESP) SendGrid to send your marketing messages and transactional emails to your customers automatically. So in order to stop people from sending email that looks like it’s from you, you set your SPF record (for example.com) to include SendGrid. This adds SendGrid’s mail server IPs to your authorized IP list (your SPF record).
Now, when Sendgrid sends out your next marketing blast to your customer mailing list, the Internet Service Providers (ISP) that provide the inboxes to your customers will check to see if the mail server that sent the email is included in your SPF record. Basically- is that mail server on the list (i.e.- allowed to send email from you) or not?
It does get more complicated as you add more and more senders that are authorized to send email for your domain. For example, the number of “look-ups,” or includes, is limited to 10, and staying under that limit can be tricky. Many email service providers rely on nested includes that count against your limit. In practical terms, this means that you can usually only include 2-3 providers before SPF Compression is required. In addition, some emails get forwarded through other mail servers which breaks the SPF authentication process. That’s why SPF is only part of the solution for email authentication. To learn more about the other protocols, including DKIM and DMARC, check out the other info pages.
The Structure of an SPF Record
A domain’s SPF record is saved in its DNS as a TXT file. All SPF records should have these parts:
- “v=SPF1”: This is SPF version 1.
- The version number is followed by a list of approved IP addresses and/or a list of “includes.” Includes trigger a DNS lookup, and SPF records are allowed to have 10 DNS lookups. If a record goes over the limit, the record is invalid. For more information about SPF lookup limits, see our post on SPF lookup limits. Fraudmarc can help with this by using SPF Compression.
- The last part of the record is the “all term,” which determines what to do with an email sent from an IP address that isn’t listed within the policy.
- Restrictive (-all): the SPF record is restricted to only the IPs listed. All others are rejected.
- Soft fail (~all): Unlisted IPs are not approved but may be temporarily allowed. The email may be delivered to the spam folder.
- Permissive (?all): the domain may not be configured correctly, so the owner will allow any additional IP to be approved. Companies should not use this.
- Inclusive (+all): all IPs are approved—literally any IP address can send from a domain with +all. No one should use +all.
Multiple SPF Records
Each domain can have only one SPF record. If a domain has created more than one, all records will be invalidated. For more information about multiple records, see our post on multiple SPF records.