SPF (Sender Policy Framework) is an email-validation system to prevent spammers from sending messages on behalf of your domain. With SPF an organisation can publish its authorized mail servers. Together with the DMARC-related information, this gives the receiver (or receiving systems) information on how trustworthy the origin of an email is.
SPF is, just like DMARC, an email authentication technique that uses DNS (Domain Name System). This gives you, as an email sender, the ability to specify which email servers are permitted to send email on behalf of your domain.
SPF was mentioned for the first time in 2000. In the following years, the SPF specification developed in multiple drafts. Meanwhile the original name SPF (Sender Permitted From) changed to Sender Policy Framework.
An SPF working group of IETF tried to combine SPF and Microsoft’s CallerID proposal. A next attempt was made with the “classic” version of SPF. This led to the first experimental RFC in 2006 and, eventually, in 2014 to the proposed standard for SPF, known as RFC 7208.
Nowadays email authentication techniques such as SPF have evolved and led to techniques such as DKIM and DMARC. SPF still fulfills an important role in determining whether an email is DMARC compliant.
DMARC Analyzer uses SPF, DKIM and DMARC.
An SPF record is a DNS record that has to be added to the DNS zone of your domain. In this SPF record you can specify which IP addresses and/or hostnames are authorized to send email from the specific domain.
The mail receiver will use the “envelope from” address of the mail (mostly the Return-Path header) to confirm that the sending IP address was allowed to send for that domain. This will happen before receiving the body of the message. When the sending email server isn’t included in the SPF record of a specific domain, the email from this server will be marked as suspicious and can be rejected by the email receiver.
SPF is a great technique to add authentication to your emails. However, it has some limitations which you need to be aware of.
SPF is one of the authentication techniques on which DMARC is based. DMARC uses the result of the SPF checks and adds a check on the alignment of the domains to determine its results.