The Sender Policy Framework (SPF) is an email authentication technology that helps receiving mail servers detect forged sender addresses, one of the building blocks of phishing. It lets your organization declare which mail servers are authorized to send email on your domain’s behalf. This matters because, in a typical phishing attack, the threat actor spoofs the sender address so that the message appears to come from an official business account or from someone the victim knows.
What is SPF Record?
An SPF record is a TXT record published in the Domain Name System (DNS). It tells receiving mail servers which IP addresses are authorized to send mail for the domain, so that a message arriving from an unlisted address can be treated as suspect or rejected. It is an important part of email security because it gives administrators a way to stop spoofed messages from reaching their intended victims.
How does SPF work?
SPF gives receiving mail servers a way to verify that an incoming message claiming to come from a domain was sent from an IP address approved by that domain’s administrators. It is built on the well-known Domain Name System (DNS). In general, the procedure is as follows:
A domain administrator publishes the policy that specifies which mail servers are authorized to send email from that domain. This policy is known as an SPF record, and it is included in the domain’s overall DNS records.
When an inbound mail server receives a message, it looks up the SPF record of the bounce (Return-Path, also called MAIL FROM or envelope-from) domain in DNS. The inbound server then compares the IP address of the connecting client against the IP addresses authorized in that record. Note that SPF checks the envelope sender, not the From: header the recipient sees in their mail client; requiring the two to agree is the job of DMARC alignment, not of SPF itself.
The receiving mail server then decides whether to accept, reject, or otherwise flag the message based on the result and the qualifier (for example -all or ~all) that the sending domain’s SPF record specifies.
Why should you use SPF?
Prevent attacks: an SPF record makes it harder for spammers and phishers to spoof your domain name. Receiving servers use the SPF record you publish in DNS to determine whether a message they have received came from an authorized server or not.
Improve email deliverability: domains without a published SPF record may have their messages bounced or marked as spam, which lowers the proportion of your mail that is actually delivered.
Creating SPF record:
- Start with the SPF version tag. An SPF record always begins with v=spf1 (version 1); this tag identifies the TXT record as SPF.
- Follow the v=spf1 tag with the IP addresses (or CIDR ranges) that your organization has authorized to send email on your brand’s behalf. For example: v=spf1 ip4:xxx.xxx.xxx.xxx -all
Note: xxx.xxx.xxx.xxx must be replaced with your mail server’s IP address; ip6: works the same way for IPv6 addresses.
- Next, add an include: tag for each third-party organization that is authorized to send email on your organization’s behalf, for example include:thirdpartydomain.com (here, thirdpartydomain.com is a sample domain name). Each include tag points at the SPF record of a provider that may send on behalf of your enterprise domain. To determine which domain to use as the value of the include statement, consult the third-party organization. Keep the number of includes small: every include (and every a, mx, ptr, exists or redirect term, including those inside the records you include) costs a DNS lookup, and a record that needs more than 10 lookups fails evaluation with a permanent error.
- End the record with an all mechanism, written as ~all, -all or +all (or ?all for neutral), after all the include tags and IP addresses.
- The ~all tag indicates a soft fail, whereas -all signifies a hard fail.
- The all mechanism takes the following qualifiers:
- -all Fail: servers that aren’t listed in the SPF record are not authorized to send email (receivers are advised to reject non-compliant messages).
- ~all Softfail: if the email comes from a server that isn’t listed, it is marked as a soft fail (messages are accepted but flagged, typically as spam).
- +all: we strongly recommend against this option; it allows any server to send email from your domain, which defeats the purpose of publishing SPF at all.
- For domains that never send email, we recommend publishing the record v=spf1 -all, so that any message claiming to come from them fails SPF.
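The following is an added example, not code from the original page, that ties the record-building steps above to the evaluation procedure described under "How does SPF work?". It builds a v=spf1 record from a list of authorized IPs and third-party includes, then evaluates a sender IP against the record the way a receiving server would: following include: terms, honouring the +/-/~/? qualifiers, and enforcing the 10-DNS-lookup limit. DNS is replaced by a constructed in-memory table (FAKE_DNS) with reserved documentation domains and addresses, so nothing here is a real record; only the ip4, ip6, include and all mechanisms are implemented.

```python
"""Worked SPF example: build a v=spf1 record and evaluate it the way a receiving server does."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed, offline stand-in for DNS TXT lookups; these are NOT real records.
# Keys are domains, values the SPF TXT record each domain publishes.
FAKE_DNS: Dict[str, str] = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 include:mailer.example.net -all",
    "mailer.example.net": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",  # a third-party sender
    "nomail.example.org": "v=spf1 -all",                                     # a domain that never sends mail
    "loop.example.com": "v=spf1 include:loop.example.com -all",              # self-include: shows the lookup cap
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: include/a/mx/ptr/exists/redirect are capped at 10 lookups
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_record(ip_networks: Iterable[str], includes: Iterable[str], all_qualifier: str = "-") -> str:
    """Assemble a v=spf1 record from authorized IPs/CIDRs, third-party includes and an all qualifier."""
    if all_qualifier not in QUALIFIERS:
        raise ValueError("all qualifier must be one of + - ~ ?")
    terms: List[str] = ["v=spf1"]
    for net in ip_networks:
        parsed = ipaddress.ip_network(net, strict=False)
        # single hosts are written without a prefix length, ranges keep their CIDR mask
        text = str(parsed.network_address) if parsed.prefixlen == parsed.max_prefixlen else str(parsed)
        terms.append(("ip4:" if parsed.version == 4 else "ip6:") + text)
    terms.extend("include:" + domain for domain in includes)
    terms.append(all_qualifier + "all")
    return " ".join(terms)


def check_spf(sender_ip: str, domain: str, dns: Dict[str, str] = FAKE_DNS,
              _lookups: Optional[List[int]] = None) -> Tuple[str, int]:
    """Evaluate sender_ip against the SPF record of the MAIL FROM (Return-Path) domain.

    Returns (result, dns_lookups_used); result is pass/fail/softfail/neutral/none/permerror.
    Only ip4, ip6, include and all are implemented; other mechanisms yield permerror here.
    """
    lookups = _lookups if _lookups is not None else [0]   # counter shared across include recursion
    record = dns.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none", lookups[0]                          # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                                     # mechanisms default to "+" (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier], lookups[0]        # "all" always matches: it is the policy default
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", lookups[0]              # malformed address in the record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier], lookups[0]
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror", lookups[0]              # too many lookups: receivers treat the record as broken
            sub, _ = check_spf(sender_ip, arg, dns, lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier], lookups[0]    # the included domain vouches for this IP
            if sub in ("permerror", "none"):
                return "permerror", lookups[0]              # a missing or broken included record poisons the result
            # fail/softfail/neutral inside an include simply mean "no match here"; keep going
        else:
            return "permerror", lookups[0]                  # a/mx/ptr/exists/redirect are not handled in this example
    return "neutral", lookups[0]                            # no term matched and no "all" present


if __name__ == "__main__":
    print(build_record(["203.0.113.10", "198.51.100.0/24"], ["mailer.example.net"]))
    for ip, dom in [("203.0.113.10", "example.com"), ("192.0.2.5", "example.com"),
                    ("2001:db8::1", "example.com"), ("10.0.0.1", "example.com"),
                    ("10.0.0.1", "nomail.example.org"), ("10.0.0.1", "loop.example.com")]:
        print(f"{ip:>14} from {dom:<20} -> {check_spf(ip, dom)}")
```

Running the script shows the outcomes the list above describes: mail from 203.0.113.10 passes on the domain’s own ip4 term, mail from 192.0.2.5 passes only through the include, an unlisted address such as 10.0.0.1 ends in -all and fails, the no-mail domain fails everything, and the self-including record hits the lookup cap and returns permerror, which is what a real receiver would report for an over-long chain of includes.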
How to set SPF:
- Collect and list all the IP addresses and domains used to send email on your behalf (your own mail servers and every third-party service)
- Build the SPF record from the tags described above (SPF version, mechanisms, qualifiers)
- Publish the SPF record as a DNS TXT record on the domain; publish only one v=spf1 record per domain, since multiple SPF records cause a permanent error
- Test the SPF validation using our free SPF record checker
Below are the SPF configuration settings for some commonly used email platforms:
- Mailgun
- Microsoft Dynamics 365
- Google Workspace
- Mandrill
- TrendMicro
- Shopify
- Amazon SES
- Mimecast
- Proofpoint
- Forcepoint-Websense
- Freshdesk
- Zoho
- Zendesk
- SAP SuccessFactors
- Zimbra
- Network Solutions
- Rackspace Cloud
- Bluehost
- HostMonster
- Hostinger
- MailRoute
- FastMail
- Oracle Dyn
- MailerLite
- KnowBe4
- Zoho Campaigns