SPF (Sender Policy Framework)

SPF is an email authentication method that specifies which mail servers are authorized to send emails on behalf of a domain.

What is SPF?

Sender Policy Framework (SPF) is an email authentication protocol that allows a domain owner to declare which mail servers are permitted to send email using that domain. This information is published as a DNS TXT record. When an email is received, the recipient's mail server checks the SPF record of the sender's domain to determine whether the sending server is authorized.

Why SPF matters

SPF is important because it:

  • Helps prevent email spoofing
  • Reduces spam sent using forged domains
  • Improves email deliverability
  • Provides a basic layer of trust for inbound email
  • Is a foundational control in email security

Without SPF, any server can claim to send mail on behalf of a domain.

How SPF works

A simplified SPF validation process:

  1. An email is received from a sending IP address
  2. The recipient server looks up the sender domain's SPF record in DNS
  3. The IP is compared against authorized senders
  4. The SPF check results in pass, fail, softfail, neutral, or none (RFC 7208 also defines temperror and permerror for DNS failures and malformed records)
  5. The result is used by spam filters and DMARC policies

SPF checks are invisible to end users; the result is recorded only in message headers such as Received-SPF and Authentication-Results.

SPF records explained

SPF records are published as DNS TXT records and typically include:

  • Authorized IP addresses
  • Authorized third-party services
  • Include statements for delegated senders
  • A default policy for unauthorized senders

Example (simplified):

  v=spf1 ip4:203.0.113.10 include:_spf.mailprovider.com -all

The -all at the end is the catch-all mechanism: any sending server not matched by an earlier mechanism receives a hard fail (~all would return softfail instead).

SPF vs DKIM vs DMARC

These mechanisms complement each other:

  • SPF: validates the sending server
  • DKIM: validates message integrity and signing domain
  • DMARC: enforces policy and alignment using SPF/DKIM

SPF alone is not sufficient to fully prevent spoofing.

SPF limitations

SPF has important limitations:

  • It authenticates the envelope sender (the SMTP MAIL FROM / Return-Path domain), not the From address the user sees; only DMARC alignment ties the two together
  • It can break with email forwarding, because the forwarder's server is not listed in the original domain's record
  • The limit of 10 DNS-querying terms (include, a, mx, ptr, exists, redirect) turns an over-long record into a permerror
  • It does not protect message content: nothing is signed or encrypted

Because of these limits, SPF should always be paired with DKIM and DMARC.
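To make the validation steps, the record syntax and the limitations above concrete, here is a simplified SPF evaluator written for this page as an added example (it is not code from the page or from any SPF implementation). It resolves names against small constructed DNS tables that use documentation address ranges and made-up domains, supports the ip4, ip6, a, mx, include and all mechanisms plus the redirect modifier, counts DNS-querying terms against the limit of 10, and returns the same result names as the text. Macros, the ptr and exists mechanisms, CIDR suffixes on a/mx, and the temperror result are left out.

```python
import ipaddress

# Constructed DNS data for this example (RFC 5737/3849 documentation ranges, made-up domains).
# TXT answers: a domain maps to the list of strings a receiver would get back.
DNS_TXT = {
    "example.com": ["v=spf1 mx ip4:203.0.113.10 include:_spf.mailprovider.example -all"],
    "_spf.mailprovider.example": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
    "softfail.example": ["v=spf1 ip4:203.0.113.10 ~all"],
    "forwarder.example": ["v=spf1 ip4:192.0.2.77 -all"],
    "nospf.example": ["just-a-verification-token"],
    "double.example": ["v=spf1 -all", "v=spf1 ip4:203.0.113.10 -all"],
    # eleven include terms: one more than the RFC 7208 limit of ten DNS-querying terms
    "heavy.example": ["v=spf1 " + " ".join(f"include:hop{i}.example" for i in range(11)) + " -all"],
}
for i in range(11):
    DNS_TXT[f"hop{i}.example"] = [f"v=spf1 ip4:192.0.2.{100 + i} -all"]
DNS_A = {"mail.example.com": ["203.0.113.20"]}   # constructed A records
DNS_MX = {"example.com": ["mail.example.com"]}   # constructed MX records

MAX_LOOKUPS = 10
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Record problems that RFC 7208 maps to the permerror result."""


def get_spf_record(domain):
    """Return the single SPF record for domain, or None if it publishes none."""
    records = [t for t in DNS_TXT.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]
    if not records:
        return None
    if len(records) > 1:
        raise PermError("more than one v=spf1 record")
    return records[0]


def _count_lookup(lookups):
    """Charge one DNS query against the shared counter; too many is a permanent error."""
    lookups[0] += 1
    if lookups[0] > MAX_LOOKUPS:
        raise PermError("more than 10 DNS-querying terms")


def _evaluate(addr, domain, lookups):
    record = get_spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        qualifier = "+"                       # no explicit qualifier means "+" (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                       # modifier (redirect=, exp=); only redirect matters here
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("include", "a", "mx"):
            _count_lookup(lookups)
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):          # version mismatch simply does not match
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = any(ipaddress.ip_address(x) == addr for x in DNS_A.get(arg or domain, []))
        elif name == "mx":
            matched = any(ipaddress.ip_address(x) == addr
                          for host in DNS_MX.get(arg or domain, []) for x in DNS_A.get(host, []))
        elif name == "include":
            # include matches only when the included policy passes; fail, softfail,
            # neutral and none just mean "keep evaluating", while permerror propagates
            matched = _evaluate(addr, arg, lookups) == "pass"
        else:
            raise PermError(f"unknown mechanism {name}")
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        _count_lookup(lookups)
        return _evaluate(addr, redirect, lookups)
    return "neutral"                          # nothing matched and no redirect (RFC 7208 section 4.7)


def check_host(ip, domain):
    """Simplified RFC 7208 check_host(): SPF result for the connecting ip and envelope-sender domain."""
    try:
        return _evaluate(ipaddress.ip_address(ip), domain, [0])
    except PermError:
        return "permerror"


if __name__ == "__main__":
    for ip, domain in [("203.0.113.10", "example.com"), ("192.0.2.77", "example.com"),
                       ("192.0.2.77", "forwarder.example"), ("203.0.113.10", "heavy.example")]:
        print(f"{ip:>14} as {domain:<18} -> {check_host(ip, domain)}")
```

The forwarding limitation shows up directly: a message from example.com relayed by a forwarder at 192.0.2.77 evaluates to fail, because that address is in nobody's record for example.com; the same connection passes only if the forwarder rewrites the envelope sender to its own domain (forwarder.example here), which is what SRS does in practice. The lookup limit shows up as heavy.example returning permerror even though every included record is well formed.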

Best practices for SPF

Effective SPF deployment includes:

  • Publishing exactly one SPF record per domain
  • Using -all or ~all appropriately
  • Minimizing DNS lookups
  • Including all legitimate sending services
  • Regularly reviewing and updating records
  • Monitoring DMARC reports for SPF failures
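The first three practices in the list above can be checked mechanically against what a domain actually publishes. The audit function below is an added example written for this page (not the page's own tooling or any published SPF checker); it reads TXT answers from a constructed table with made-up domains and documentation addresses, and flags duplicate records, a missing or weak terminal all, terms placed after all, the deprecated ptr mechanism, and more than 10 DNS-querying terms in a single record. It counts only the top-level record, so included records can still push a policy over the limit.

```python
# Constructed DNS answers (documentation addresses, made-up domains); a domain maps to its TXT strings.
ZONES = {
    "good.example": ["v=spf1 ip4:203.0.113.10 include:_spf.mailprovider.example -all"],
    "twice.example": ["v=spf1 ip4:203.0.113.10 -all", "v=spf1 mx -all"],
    "open.example": ["v=spf1 a mx ptr +all"],
    "noall.example": ["v=spf1 ip4:203.0.113.10"],
    "trailing.example": ["v=spf1 ~all ip4:203.0.113.10"],
    "busy.example": ["v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " ~all"],
}

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}   # each costs a DNS query


def _name(term):
    """Mechanism or modifier name of a term: qualifier, argument and CIDR suffix stripped, lowercased."""
    return term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()


def audit_spf(domain, zones=ZONES):
    """Return findings for the SPF policy domain publishes; an empty list means nothing to fix."""
    findings = []
    records = [t for t in zones.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]
    if not records:
        return ["missing: no v=spf1 record, so any host can claim to send for this domain"]
    if len(records) > 1:
        findings.append(f"duplicate: {len(records)} v=spf1 records; receivers return permerror, merge them into one")
    for record in records:
        terms = record.split()[1:]
        names = [_name(t) for t in terms]
        lookups = sum(1 for n in names if n in LOOKUP_TERMS)
        if lookups > 10:
            findings.append(f"lookups: {lookups} DNS-querying terms in this record alone exceeds the limit of 10")
        if "ptr" in names:
            findings.append("ptr: mechanism is deprecated in RFC 7208 and slow to evaluate")
        if "all" not in names:
            findings.append("all: no terminal all, so unlisted senders get neutral, which receivers treat like none")
            continue
        position = names.index("all")
        qualifier = terms[position][0] if terms[position][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("all: +all authorizes every host on the Internet")
        elif qualifier == "?":
            findings.append("all: ?all gives unlisted senders neutral, no better than publishing nothing")
        if position != len(terms) - 1:
            findings.append("all: terms after all are never evaluated")
    return findings


if __name__ == "__main__":
    for domain in ZONES:
        print(domain, audit_spf(domain) or "ok")
```

Run against a real zone, the same checks would read the TXT answers from a resolver instead of the ZONES table; the findings map one-to-one onto the practices above (one record, a deliberate -all or ~all, few lookups).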

Common misconceptions

  • "SPF blocks all spoofed emails"
  • "More SPF records increase security"
  • "SPF encrypts email"
  • "SPF works without DNS"