Sender Policy Framework (SPF) is an email authentication protocol that allows the owner of a domain to specify which mail servers they use when sending email from that domain. Brands sending email publish SPF records in the Domain Name System (DNS) and list which IP addresses are authorized to send email on behalf of their domains. Publishing an SPF record in DNS helps to prevent sender address forgery.
During an SPF check, mailbox providers verify the SPF record by looking up the domain name listed in the Mail From (MFrom) in the DNS. If the IP address sending email on behalf of the the MFrom domain is not listed in that SPF record, the message fails SPF authentication.
Senders should care about SPF because an SPF-protected domain helps computers recognize the difference between forged and legitimate email.
However, there are a few SPF shortcomings to be aware of, including:
- SPF records are challenging to keep updated as brands change service providers and add mail streams.
- Few mailbox providers reject mail based on an SPF failure alone.
- SPF breaks when a message is forwarded.
- SPF does nothing to protect brands against cybercriminals who spoof the display name or friendly-from address in their message, which is the address most visible to the email recipient.