What is an SPF Record?
SPF (Record) – A DNS record that is used to identify which mail servers are permitted to deliver email on behalf of your domain’s email address. (These can work with DKIM records for authentication of email.)
A Sender Policy Framework (SPF) record is a type of Domain Name System (DNS) record that can help to prevent email address forgery.
Spammers can falsify email headers so it looks like they’re sending from an email address at your domain. They can pretend to be you, allowing them to phish your users for private account information, or otherwise abuse your reputation. When they hijack an email account, they alter the email header details to show the messages they’re sending are coming from the true owner of the account. This can result in the account owner receiving replies and bouncebacks for mail they never sent.
Adding an SPF record can help prevent others from spoofing your domain. You can specify which mail servers are permitted to send an email on behalf of your domain. Then, when incoming mail servers receive email messages from your domain name, they compare the SPF record to the outgoing mail server information. If the information doesn’t match, they identify the email message as unauthorized, and will generally filter it as spam or reject it.
How it works:
Brands sending email publish SPF records in the Domain Name System (DNS). These records list which IP addresses are authorized to send email on behalf of their domains.
During an SPF check, email providers verify the SPF record by looking up the domain name listed in the “envelope from” address in the DNS. If the IP address sending email on behalf of the “envelope from” domain isn’t listed in that SPF record, the message fails SPF authentication.
Why it matters: An SPF-protected domain is less attractive to phishers, and is, therefore, less likely to be blacklisted by spam filters, ensuring legitimate email from that domain is delivered.
But SPF has a few major problems:
- Keeping SPF records updated as brands change service providers and add mail streams is difficult due to a lack of visibility.
- Just because a message fails SPF, doesn’t mean it will always be blocked from the inbox—it’s one of several factors email providers take into account.
- SPF breaks when a message is forwarded.
- SPF does nothing to protect brands against cybercriminals who spoof the display name or “header from” address in their message, which is the more frequently spoofed “from” address since it’s the address most visible to the email recipient.
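The SPF check described under "How it works", together with the forwarding and "header from" limitations listed above, as an added example that is not part of the original page. The domains, IP addresses and SPF records are constructed sample data that stand in for DNS lookups, and only the ip4, ip6 and all mechanisms are evaluated.

```python
import ipaddress

# Constructed sample records standing in for DNS TXT lookups (not real domains).
SPF_RECORDS = {
    "brand.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "other.example": "v=spf1 ip4:203.0.113.7 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def check_spf(envelope_from, sender_ip, records=SPF_RECORDS):
    """Evaluate the ip4, ip6 and all mechanisms for the envelope-from domain."""
    terms = records.get(domain_of(envelope_from), "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # include, a, mx and redirect need more DNS lookups; not evaluated here
    return "neutral"  # nothing matched and the record has no "all" term


def evaluate(message):
    """Return the SPF result and whether the visible From domain is the one SPF checked."""
    return {
        "spf": check_spf(message["envelope_from"], message["sender_ip"]),
        "header_from_checked": domain_of(message["header_from"])
        == domain_of(message["envelope_from"]),
    }


if __name__ == "__main__":
    samples = [  # constructed messages: direct send, forwarded copy, mismatched header
        {"envelope_from": "news@brand.example", "header_from": "news@brand.example", "sender_ip": "192.0.2.25"},
        {"envelope_from": "news@brand.example", "header_from": "news@brand.example", "sender_ip": "198.51.100.9"},
        {"envelope_from": "bounce@other.example", "header_from": "billing@brand.example", "sender_ip": "203.0.113.7"},
    ]
    for m in samples:
        print(m["sender_ip"], evaluate(m))
```

The second sample is legitimate mail relayed by a forwarder whose IP is not in the record, so it fails. The third passes SPF even though the "header from" shows brand.example, because only the envelope domain was checked.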