SPF (Sender Policy Framework)
SPF stands for Sender Policy Framework. It is an authentication protocol which, when used allows senders to specify which IP addresses are authorized to send emails on behalf of a particular domain. To ensure that your customers and your brand are protected from phishing and spoofing attacks, you need to authenticate your email with a SPF record.
Here’s how it works
During an SPF check, email providers quickly verify the SPF record by looking up the domain name included in the “envelope from” address in the DNS, before delivering an email. In case the IP address sending email on behalf of this domain isn’t mentioned in the SPF record, the message will fail the SPF authentication.
Therefore, the one sending emails, must publish SPF records in the DNS in order to list which IP addresses are authorized to send emails.
Creating a SPF Record
- Make a list of IP Addresses: Create a list of IP Addresses you would be using to send emails from your domain.
- Make a list of sending domains: It is important that you create SPF record for all domains that you control, irrespective of whether you are sending emails from that domain or not. This protects all your domains from being spoofed.
- Create your SPF record:
- Start with v=spf1 (version 1) tag and follow it with the IP addresses that are authorized to send mail. For example, v=spf1 ip4:220.127.116.11 ip4:18.104.22.168
- If you use a third party email service provider like Pepipost to send emails on behalf of your business domain, you must add an “include” statement in your SPF record E.g. v=spf1 include:pepipost.com to designate Pepipost as a legitimate sender.
- Once you have added all authorized IP addresses and include statements, end your record with an ~all or -all tag.
- Publish your SPF record to your DNS: To publish your SPF record, you need to be able to edit the DNS zone file on your hosting service. Hosting service providers like GoDaddy or BlueHost make it fairly easy to update DNS records.
Advantages of creating SPF Record
- Your sending IP Address is less likely to be blacklisted
- Your domain is less attractive to fraudsters which protects you from phishing and domain spoofing attacks
However, there could be a few drawbacks
- If a message fails the SPF authentication, it does not necessarily mean that the message will be blocked
- SPF does not protect the “header from” address from being spoofed by cybercriminals
- If the email is forwarded, the SPF can break