What is SPF (Sender Policy Framework)?

Updated at: Oct 01, 2019
By Gatefy

What is SPF

Fake sender addresses are a major threat to email security. If we talk about company emails, then the issue becomes even more disturbing.

We are 100% sure that no organization would like to know that there are people sending emails in the company's name, without authorization, and pretending to be employees and directors.

The Sender Policy Framework (SPF) works precisely on this issue: fighting against sender address forgery.

SPF is a solution for sender address forgery

So, to make it clear, SPF is a security mechanism, more precisely an authentication protocol, used to block criminals from sending emails on behalf of your company.

How SPF works

Basically, SPF allows you to determine which IP addresses can send emails from your domain. If an email provider identifies that an IP doesn’t match a particular domain, it should automatically stop the message.

As openspf.org explains: “SPFv1 allows the owner of a domain to specify their mail sending policy, e.g. which mail servers they use to send mail from their domain. The technology requires two sides to play together: (1) the domain owner publishes this information in an SPF record in the domain's DNS zone, and when someone else's mail server receives a message claiming to come from that domain, then (2) the receiving server can check whether the message complies with the domain's stated policy. If, e.g., the message comes from an unknown server, it can be considered a fake”.

Why you should use SPF

SPF continues to be an essential email protection mechanism to combat two types of threats:

Spam: preventing spammers from using your domain improperly.
Phishing: preventing criminals from impersonating people from your company to commit fraud and theft.

Envelope Sender Address X Header Sender Address

It’s important to know that an email has different kinds of sender addresses. One of them is called Envelope Sender Address while the other is called Header Sender Address.

The Envelope Sender Address, also known as return-path, is usually hidden from the end user and used by the mail server. On the other hand, the Header Sender Address is displayed to the user. It’s the field “Sender” or “From” that you can see when open your email program.

That said, SPF protects the Envelope Sender Address only. It means that:

• SPF doesn’t guarantee protection against spoofing the display name or “header from” address.
• Forwarded messages don’t have SPF protection.

SPF, DKIM and DMARC

Yes, as you can see, SPF isn’t a complete solution. And that’s not a problem. There are other solutions that work in combination with SPF to make your network even more secure, such as DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication Reporting & Conformance).