SPF, or Sender Policy Framework, is a non-commercial open standard designed to help IT administrators reduce inbound spam to their users and help prevent their domain from being spoofed by spammers or phishers.

SPF works by allowing domain owners to publish, via TXT DNS records, which IPs, hostnames and servers are authorised to send email for that domain. The receiving mail server then checks the DNS records of the domain an inbound email claims to come from, to ensure that the source IP the email originated from IS authorised to send email on behalf of that domain.

A typical SPF record assuming the inbound and outbound mail servers shared the same IP would look as follows:-

"v=spf1 a mx -all"

  • A – the A record of the domain, e.g. usually the web server.
  • MX – any of the MX records for the domain, e.g. the servers which accept inbound email for this domain.

In the example of emailmanual.co.uk this means that the following IPs and hosts would be allowed to send email for this domain:-

  • A – 146.101.148.154
  • MX – mail.emailmanual.co.uk and mail10.emailmanual.co.uk – 146.101.148.129 and 146.101.148.154

SPF also allows an administrator to define, through the use of switches (the qualifier on the final "all" mechanism), how harshly email which fails the SPF check should be treated.

The different types of SPF switch:

  • ?all – Indicates that this domain is testing SPF (a neutral result) and that the record should be ignored for the most part.
  • ~all – Indicates that the domain has published its SPF record and if an email fails the SPF check for this domain it should be treated as a softfail.
  • -all – Indicates that the domain has published its SPF record and if an email fails the SPF check for this domain it should be treated as a hardfail.

It is at the receiving domain administrator's discretion what to do with email which fails the SPF check, and different types of failure can be treated in different ways. Mail administrators may choose to:

  1. Bounce all email that fails the SPF check
  2. Bounce email that hard fails and quarantine email that softfails
  3. Mark email that fails, whether a hard or soft failure, as spam but deliver it.
  4. Any combination of the above.
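As an added illustration (not code from the original article), the following Python evaluator walks an SPF record the way a receiving server does: mechanisms are tested left to right, the first match wins, and the qualifier on the matching mechanism (+, -, ~ or ?) decides the result. DNS is replaced by an offline stand-in table built from the emailmanual.co.uk values above; that table, the ip4: handling and the example IPs 203.0.113.7 / 198.51.100.0/24 are assumptions of this example.

```python
import ipaddress

# Constructed stand-in for DNS, using the hosts and IPs from the article.
# A real checker would query DNS; this table lets the example run offline.
FAKE_DNS = {
    "emailmanual.co.uk": {
        "TXT": ["v=spf1 a mx -all"],
        "A": ["146.101.148.154"],
        "MX": ["mail.emailmanual.co.uk", "mail10.emailmanual.co.uk"],
    },
    "mail.emailmanual.co.uk": {"A": ["146.101.148.129"]},
    "mail10.emailmanual.co.uk": {"A": ["146.101.148.154"]},
}

# SPF qualifiers: the "switch" in front of a mechanism decides the result when it matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Return the records of type rtype for name from the stand-in DNS table."""
    return FAKE_DNS.get(name, {}).get(rtype, [])


def matches(mechanism, domain, sender_ip):
    """True if sender_ip is covered by one SPF mechanism (a, mx, ip4: or all)."""
    if mechanism == "all":
        return True
    if mechanism.startswith("ip4:"):
        return ipaddress.ip_address(sender_ip) in ipaddress.ip_network(mechanism[4:], strict=False)
    if mechanism == "a":
        return sender_ip in lookup(domain, "A")
    if mechanism == "mx":
        return any(sender_ip in lookup(mx, "A") for mx in lookup(domain, "MX"))
    return False  # include:, exists:, ptr and others are not modelled here


def evaluate_record(record, domain, sender_ip):
    """Evaluate a v=spf1 record for sender_ip; first matching mechanism wins."""
    for term in record.lower().split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # bare mechanism means "+"
        if matches(term.lstrip("+-~?"), domain, sender_ip):
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end without a match (including no trailing "all")


def check_spf(domain, sender_ip):
    """What a receiving server does: fetch the domain's SPF TXT record and evaluate it."""
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"  # no SPF record published, so nothing to enforce
    return evaluate_record(records[0], domain, sender_ip)
```

Swapping the "-all" for "~all" or "?all" in the record is the only difference between an unauthorised sender being hardfailed, softfailed or treated as neutral, which is why the choice of switch matters as much as the list of hosts.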

This is part of the EmailManual series on SPF, coming soon:-