Sender Policy Framework: What’s it all about?
You may be forgiven for thinking that SPF stands for Sun Protection Factor, how we measure the strength of our sun screen, but it’s not what we’re referring to this time I’m afraid.
SPF: Sender Policy Framework. This is an email authentication method that helps identify any email servers that are permitted to send email from a specific domain. By using this validation tool, Internet Service Providers (ISPs) can determine when phishers or spammers are creating fake emails and sending malicious emails from your domain.
Unfortunately, spamming is a common occurrence as fake emails are sent repeatedly and attempt to obtain personal information.
The most common type of email that is plagued by spam is transactional email. Spammers tend to rely on existing relationships being in place, in an attempt to sabotage that, and take advantage of the email recipient. For example, emails that ask a user to confirm an account, reset a password or log into the site to correct a problem, are all types of emails that are susceptible to hacking attempts.
For this reason, you must authenticate your email domain by using all the available tools to prevent any email attacks. Hello SPF.
How it works
SPF is an open standard that protects the email sender. The sender uses path registration (for example, Return Path) and validates by mapping the IP address to the registered domain name in the MAIL FROM Return and/or the HELO/EHLO SMTP command.
You must register a SPF record (or TXT record) using the v=spf1 parameter in the DNS that contains your IP addresses for each mail server that is authorised to send your messages. ISPs then use the DNS to verify the source and make filtering decisions. If the DNS record passes, then your email can be delivered (if the email is not delivered, it will be for another reason, and not because of SPF failure).
Not all email senders use SPF authentication, but any email receivers that reject the mail based on SPF failure will reject delivery.
SPF can be confusing to get your head around if you aren’t a technological person. Here are 3 tools to help validate your records:
This site allows you to check if your domain name has been SPF authenticated.
This site gives you everything you need to know about SPF authentication. It will help you understand what it means in more detail, and gives examples of how you can use SPF for your domain.
- Google’s SPF Check
This service is only available for Google Message Security customers, but it is a resource for checking SPF by both sender and recipient domain.
Malicious email can affect your business and your personal life if any of your details are stolen. SPF does not claim to be the one thing that stops spammers from trying to hack your domain; instead it acts as a deterrent and will make you less vulnerable to attacks.
When SPF authentication is used alongside another form of verification, such as DMARC for example, it will provide you with an extra level of protection which supports you and your users by helping ISPs define your email domain and those who send spam.
For more helpful articles from our Knowledge Base, click here.