SPF Email Authentication

Everything to Know About SPF for Email Security

What is SPF?

Sender Policy Framework (SPF) is an email authentication protocol that domain owners use to specify the email servers they send email from, making it harder for fraudsters to spoof sender information.

How Does SPF Authentication Work?

Email receivers that validate the authenticity of messages query the DNS records of your sending domain to obtain the list of IP addresses you have explicitly authorized as valid sending systems. When a message claiming to come from your domain is sent from an IP address that is not listed in your SPF record, SPF email protection allows the receiver to reject it.

Your customer doesn’t receive the spoofed email, and your reputation and brand stay intact.

What Are Some of the Benefits of SPF?

SPF has been widely adopted by the world's major email providers for these reasons and more:

Domain owners publish the sending servers they have authorized in DNS, and receiving email servers query the DNS records associated with the sending domain(s) to retrieve that list.

From those records, email receivers obtain the list of IP addresses that have been explicitly authorized as valid sending systems and check the connecting IP against it.

If the email does not validate, the receiver can reject it.

What Are Some Limitations of SPF?

While SPF allows domain owners to authenticate mail by specifying email servers they send email from, there are still a few elements of the entire equation missing:

A recipient system doesn't know how much reliance to place on SPF results.

There's no feedback mechanism from receivers to the email senders.

The domain that SPF authenticates is not easily visible to the recipient, since it sits deep in the message headers rather than in the From address the user sees.

FAQs

Before creating your SPF record, you need to identify every system that sends mail for your domain: your web server; your in-office mail server (e.g., Microsoft Exchange); your ISP's mail server; your end users' home ISPs; and any other mail servers used.

SPF limits you to 10 DNS-querying terms per evaluation, to help ensure that validation doesn't time out. These include a, mx, ptr, exists, include, and redirect. Anything over 10 results in an error at the receiver (a "PermError", or Permanent Error), which means the record fails to authenticate anything.

To limit your lookups, consider listing addresses directly with ip4: and ip6: mechanisms, which the receiver can evaluate without any DNS lookup. If you still exceed the limit (remember that terms in included and redirected-to records count toward the same total), you may need to remove some current mechanisms or lookups.

Before you put your SPF record in play, use an SPF testing tool to ensure it is valid. One popular tool for testing and resolving configuration issues is here: https://www.openspf.org/Tools. Fortra also offers its own lookup tool for checking SPF before you implement it live.
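As an added example (not Fortra's tool or any code from the page), the following Python walks an SPF record the way a receiver does for the lookup limit discussed above: it counts the DNS-querying terms across include: and redirect= targets, returns permerror past 10, and evaluates ip4:/ip6: mechanisms for a connecting IP. The ZONE dictionary is constructed sample data standing in for DNS TXT answers; a/mx/ptr/exists terms are counted but not resolved, since they would need live DNS.

```python
import ipaddress
# Constructed TXT records standing in for DNS answers (example names, not real zones).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.vendor.example -all",
    "_spf.vendor.example": "v=spf1 a ip4:198.51.100.0/24 include:deep.vendor.example ~all",
    "deep.vendor.example": "v=spf1 ip6:2001:db8::/32 redirect=other.example",
    "other.example": "v=spf1 exists:%{i}.list.example ptr -all",
}
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}  # each costs a DNS query
MAX_LOOKUPS = 10  # more than this is a permanent error (permerror) at the receiver
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_terms(record):
    """Turn 'v=spf1 ...' into (qualifier, name, value) tuples; non-SPF text gives []."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return []
    terms = []
    for token in tokens[1:]:
        qualifier, token = (token[0], token[1:]) if token[0] in QUALIFIER else ("+", token)  # default is +
        sep = "=" if "=" in token and ":" not in token else ":"  # redirect=target, else name:value
        name, _, value = token.partition(sep)
        terms.append((qualifier, name.lower(), value))
    return terms


def count_lookups(domain, zone=ZONE):
    """Count DNS-querying terms, following include: and redirect= into their target records."""
    total = 0
    for _, name, value in parse_terms(zone.get(domain, "")):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(value, zone)
    return total


def check_ip(ip, domain, zone=ZONE):
    """Evaluate ip4/ip6, include, redirect and all; a/mx/ptr/exists need live DNS and are skipped."""
    if count_lookups(domain, zone) > MAX_LOOKUPS:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for qualifier, name, value in parse_terms(zone.get(domain, "")):
        if name in ("ip4", "ip6") and addr in ipaddress.ip_network(value, strict=False):
            return QUALIFIER[qualifier]
        if name == "include" and check_ip(ip, value, zone) == "pass":
            return QUALIFIER[qualifier]
        if name == "redirect":
            return check_ip(ip, value, zone)
        if name == "all":
            return QUALIFIER[qualifier]
    return "neutral"  # nothing matched and no all/redirect: same as a trailing ?all
```

With the sample zone, the chain example.com -> _spf.vendor.example -> deep.vendor.example -> other.example costs 7 lookups, so it stays under the limit; replacing ZONE with a record that carries 11 mx terms makes check_ip return "permerror" before any IP is compared.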

SPF vs. DKIM: Describing the Difference

It’s highly recommended to use both SPF and DKIM to protect your email domains from spoofing attacks and fraud while also increasing your email deliverability. Both SPF and DKIM are important email security standards designed to help prevent hackers from spoofing your domains for use in email attacks.

How Does SPF Work with Both DKIM & DMARC?

Image: dmarc-spf-dkim (DMARC overlaid on SPF and DKIM)

Together, SPF and DKIM provide an important framework to ensure email integrity by fighting spam, and preventing hackers from spoofing your domains or committing other types of fraud. As depicted in the image, DMARC acts as an overlay on this framework and adds three key elements:

  1. Identity alignment: Enables senders to specify how their email messages are authenticated and to make sure the end user receives the original email.
  2. Policy management: Enables senders to determine how to check the “From” field presented to a user and what to do upon failure.
  3. Reporting: Provides senders an understanding of the actions performed under that policy.

Basically, DMARC is the only way for email senders to let recipients know the emails they're sending are truly from them.

How Does SPF Work with Microsoft Office 365?

If your Office 365 tenant uses a custom domain (e.g., yourcompany.com), or if you use any third parties to send a portion of your outgoing email, you’ll want to implement DMARC. Learn the role SPF plays in implementing DMARC for Microsoft 365.