SPF (Sender Policy Framework) is an email authentication standard that helps detect forged sender addresses, protecting both senders and recipients from spam, spoofing, and phishing attempts.
Spammers and hackers might try to impersonate your domain and send email that looks like it’s coming from you, which could have a negative impact on your email security and overall domain reputation: when people receive fraudulent messages, they get annoyed, put them in the spam folder, et voilà—through no fault of your own, you’re now on a list of bad senders.
With SPF, you get to publish a list of mail servers and IP addresses you previously authorized to send messages using your domain. Whenever you send an email, the recipient’s mailserver can use the SPF information to double-check that the email originated from an authorized server. It’s a simple solution to send a trust signal to email providers, which in turn might help improve email deliverability.
Random fact: back around 2000, the acronym SPF stood for Sender Permitted From; it was changed to Sender Policy Framework in 2004. The same acronym can also stand for Sun Protection Factor, but that’s a whole other story ☀️
SPF and the Return-Path address
Say you own the domain www.ilovepizza.com and want to send emails to your customers. Every message you send will technically have two addresses:
Your “header from,” which is the address your recipients will see in the “From” field of an email they receive from you. For example, that could be
customers@ilovepizza.com
Your “envelope from,” also known as your Return-Path, which is the address that bounces and other email feedback are sent to. If you were using Postmark (hi 👋) to send your email, you could customize this envelope-from domain to match your From domain (note: your recipients don't generally see the “envelope from,” unless they go and look inside the original message header).
The distinction between the two is crucial because SPF is a way to detect forged envelope domains. Mailservers use the envelope/Return-Path domain to process bounces and other feedback, so the domain itself develops a strong reputation—which is why spoofers want to use it to give their mail legitimacy. SPF makes sure only authorized IPs can send from that domain.
What is an SPF record?
An SPF record is a TXT record you add to your Domain Name System (DNS) that lists the IP addresses and third-party email senders you authorized to send email on your behalf.
Depending on your hosting provider, adding the SPF record might be as simple as navigating to your DNS settings and adding a string of text:
How to create an SPF record
Back to our initial example: you own www.ilovepizza.com and are using Postmark to send transactional emails and marketing automation software like ActiveCampaign to send your promotional messages.
To publish your SPF record, you’d go to your hosting provider’s page and update the DNS setting over there with a string that could look somewhat like this example:
v=spf1 ip4:192.168.0.1 include:spf.mtasv.net include:emsd1.com ~all
The string follows this SPF syntax:
- v=spf1 indicates that this is an SPF record
- ip4: (or ip6:) lists the IP address, addresses, or CIDR range that can send email on your behalf
- include: lists the third-party email senders (by domain) that are authorized to send email on your behalf (in this case, Postmark with spf.mtasv.net and ActiveCampaign with emsd1.com)
- ~all is the catch-all: mail from any source not matched by the mechanisms before it fails the check, and the ~ makes that a soft fail rather than a hard one
To test whether your implementation worked out, you’d take a look at your message headers (for example, in Gmail you’d click on ‘show original’) and see if your SPF check is a pass or fail:
How does SPF authentication work?
The simplified version: you, the domain owner, list the IPs and sources authorized to send your mail in your SPF record. When a message is sent using your domain in the Return-Path address, the receiver can look up the authorized sending sources for that domain to ensure the sending IP is listed there.
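As an added example (not code from the original page or from Postmark), here is the lookup described above run against the record built in the previous section: a minimal SPF checker in Python. A constructed in-memory table stands in for DNS, so the TXT records for spf.mtasv.net and emsd1.com are made-up test values, and only the ip4/ip6, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these are NOT the real
# records of the listed domains, just test values for this example.
FAKE_DNS = {
    "ilovepizza.com": "v=spf1 ip4:192.168.0.1 include:spf.mtasv.net include:emsd1.com ~all",
    "spf.mtasv.net": "v=spf1 ip4:203.0.113.0/24 -all",
    "emsd1.com": "v=spf1 ip4:198.51.100.10 -all",
}

# Qualifier prefix -> SPF result; a bare mechanism means "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, lookup=FAKE_DNS.get, depth=0):
    """Return the SPF result for sender_ip using domain in the Return-Path."""
    if depth > 10:  # simplified stand-in for the RFC 7208 lookup limit
        return "permerror"
    record = lookup(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            # An IPv6 sender never matches an ip4 network (and vice versa).
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: only matches when the referenced domain returns "pass";
            # its fail/softfail does not propagate, evaluation simply continues.
            if check_spf(value, sender_ip, lookup, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        elif "=" in name:
            continue  # modifiers such as redirect= and exp= are ignored here
        else:
            return "permerror"  # a, mx, exists, ptr are not implemented here
    return "neutral"  # no mechanism matched and no "all" term was present
```

Sending from 192.168.0.1 or from an IP inside a included domain's range yields "pass"; any other source falls through to ~all and gets "softfail", and a domain with no SPF record returns "none".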
The complete version:
There are quite a few steps to the process, but they are definitely too much for this page 😉 If you are curious and ready to go down an SPF rabbit hole, we wrote a whole guide to explain how SPF records work.
A frequently asked question (because authentication acronyms can be a lot)
What’s the difference between SPF, DKIM, and DMARC?
SPF, DKIM, and DMARC are three email authentication systems that protect recipients from spammers, scammers, and spoofers pretending to be someone they are not and sending fraudulent mail.
SPF (Sender Policy Framework) is a domain-based way to determine what IPs are allowed to send email on somebody’s behalf
DKIM (Domain Keys Identified Mail) is a message-based signature that uses asymmetric cryptography to sign email and verify that a message was not altered in transit
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on top of SPF and DKIM and instructs receivers to approve, quarantine, or reject email messages.