Email is the biggest online communication medium, with over 4 billion users worldwide. Its immense popularity also makes it the biggest target of malicious actors, like spammers, hackers, and identity thieves. They often attempt to impersonate established brands to trick unsuspecting customers into giving them money or sensitive information. Fortunately, brands can use email authentication methods to prevent impersonation, and the Sender Policy Framework (SPF) is one such method.
This article will explain how SPF works, its importance, limitations, and how to add the SPF record for your domain.
What Is SPF?
SPF is a technique by which mail servers authenticate the sender’s identity. It lets a receiving mail server verify who sent an email and confirm that the claimed sending domain is not being impersonated.
SPF traces its history back to the early 1990s when researchers and computer scientists sought to develop a new method of preventing malicious actors from impersonating email senders. The project then stalled for quite a while, but the Internet Engineering Task Force (IETF) finally published the SPF protocol in April 2014.
How Does SPF Work?
Imagine you’re an online retailer delivering goods to your customers via two couriers: UPS and FedEx. After a customer confirms their order, you leave a note stating that UPS and FedEx are the only courier companies authorized to deliver your products to their doorstep. When a courier gets to the customer’s house claiming to have their item, the customer checks if it’s either UPS or FedEx. If it’s another courier not authorized by you, the customer is immediately aware that something is off.
This is basically how SPF works for emails. It uses a dedicated Domain Name System (DNS) record to verify sender identity. You can control the DNS records for your domain via its registrar. Virtually every registrar provides a dashboard to add, edit or remove DNS records for your domain.
An SPF record specifies the IP addresses of all mail servers authorized to send messages on behalf of your domain. When a recipient's mail server gets a message, it looks up the SPF record for the sending domain to check whether the email comes from an authorized IP address. If the message does not come from an authorized IP address, it is treated as suspicious.
Importance of SPF
SPF is a protocol that helps keep the global email system secure. Without SPF and other related methods, email would be a wild, wild west full of impersonation, theft, spam, and other unscrupulous activities. Such activities still exist in the email system today, but it would be much worse without SPF and the other email authentication protocols.
SPF records allow domain name owners to specify the list of mail servers allowed to send messages from their domain. Receiving servers can easily consult the DNS to see if a message purportedly coming from your domain actually comes from you.
With a proper SPF record, even if someone spoofs your domain name and messages a customer, the receiving party can detect that the message comes from an impersonator and take the desired action.
If you don’t have SPF records, email clients will be unsure of your identity and may even flag or reject legitimate messages from your domain.
Like all things, SPF isn’t perfect. It’s a straightforward way to confirm your identity and ensure someone is not impersonating you. It helps prevent spammers and hackers from impersonating your brand but doesn’t eliminate all possible issues.
SPF can be problematic in some cases. Organizations using SPF must ensure their records are valid and up-to-date, which can be challenging, especially when they change their email service providers (ESPs).
To better secure emails, you should combine SPF with DKIM and DMARC, two other popular email authentication techniques.
DKIM stands for DomainKeys Identified Mail. It uses digital keys to sign emails. You first create a cryptographic public/private key pair. Then, you'll place the public key as a TXT entry in your DNS records. Whenever you send an email, your server generates and attaches a unique digital signature. The recipient's server will use your public key to verify the signature. If everything’s ok, the recipient’s server considers the message authentic.
However, if the check fails, the receiving server considers the message inauthentic and flags or discards it.
DMARC stands for Domain-based Message Authentication, Reporting and Conformance. DMARC is not an email security protocol per se. Instead, DMARC policies allow you to specify what exactly should happen if a message is deemed inauthentic by the SPF or DKIM checks.
Your DMARC records instruct the recipient's servers on the next steps to take if they detect a suspicious email claiming to come from you. You have three options:
- Do nothing: Let the suspicious email in, but report the event to the domain’s owner.
- Quarantine: Allow the message to go through, but notify the recipient that it is suspicious.
- Reject: Block the messages from entering the recipient’s server.
You can observe that SPF alone does not wholly secure your emails. However, combining SPF with DKIM and DMARC helps you safeguard your email identity more effectively. These three protocols work together to prevent malicious actors from impersonating your domain and stealing money or sensitive information from your customers.
How Do I Create and Check My SPF Records?
Here’s an SPF record for an example domain myschoolsupplies.co, explained in detail below:
- v=spf1 ip4:220.127.116.11 include:spf.unione.io a:myschoolsupplies.co ~all
Let’s interpret this SPF record:
- v=spf1 refers to Version 1 of SPF, the current version of the protocol.
- 18.104.22.168 is the IPv4 address of the company’s own mail server.
- include:spf.unione.io pulls in the SPF record published by UniOne, which lists the ESP's mail servers currently in use; the company myschoolsupplies.co uses this ESP to send email campaigns to its customers.
- a:myschoolsupplies.co authorizes the address that our sender domain name, myschoolsupplies.co, itself resolves to (its A record).
- ~all instructs the receiving server to softfail (that is, tag as suspicious) anything that does not match this record.
The above record means the receiving server should raise suspicion if a message purportedly comes from myschoolsupplies.co but does not originate from a mail server with the IP address “22.214.171.124”, from one of the servers operated by UniOne, or from the address the domain myschoolsupplies.co itself resolves to.
An SPF record lists the IP addresses of all mail servers allowed to send messages on behalf of your domain. If you run your own mail server, you know its IP address and can include it in the record. But if you use an external email service provider, like UniOne, you need to include their servers too; the include: value to use is usually given on the provider's documentation page.
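To show how a receiving server evaluates the record above, here is an added example (not code from the article or from UniOne) that walks the mechanisms in order, including the recursive include: lookup, and returns pass, softfail, fail, neutral or none. DNS is replaced by two constructed dictionaries; the contents of spf.unione.io's record, the 203.0.113.0/24 range and the A address 198.51.100.7 are made up for the example.

```python
import ipaddress

# Constructed, offline stand-in for DNS (TXT records holding SPF, and A records).
# Only the myschoolsupplies.co record comes from the article; the rest is made up.
DNS_TXT = {
    "myschoolsupplies.co": "v=spf1 ip4:220.127.116.11 include:spf.unione.io a:myschoolsupplies.co ~all",
    "spf.unione.io": "v=spf1 ip4:203.0.113.0/24 -all",
}
DNS_A = {"myschoolsupplies.co": "198.51.100.7"}

# Qualifier prefix of a mechanism -> result when that mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """SPF result for a message from sender_ip whose envelope sender is in `domain`.
    Handles the mechanisms used in the article's record: ip4 (with optional CIDR),
    a, include and all. Anything else is reported as a permerror."""
    if depth > 10:                      # RFC 7208 limits include recursion to 10 lookups
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the v=spf1 version tag
        qualifier, mech = "+", term     # a mechanism without prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, value = mech.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "a":
            matched = DNS_A.get(value or domain) == str(ip)
        elif name == "include":
            # include: matches only if the referenced domain's record yields "pass"
            matched = check_spf(value, sender_ip, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism not implemented in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # ran off the end of the record with no match
```

A sender in UniOne's constructed 203.0.113.0/24 range passes through the include, while an unknown address such as 192.0.2.99 falls through to ~all and gets softfail.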
After getting the SPF record ready, it’s time to add it to your domain’s DNS configuration. Head to your domain registrar and open the dashboard for adding DNS records. We demonstrate adding these records on Namecheap, a popular domain registrar, in the screenshots below. Pick the TXT record type, enter “@” as the host, and paste the SPF record as the value.
After you publish your SPF record, you can easily check it using an online lookup tool like MxToolbox or EasyDMARC.
Sender Policy Framework FAQs
What is an SPF record?
It is a TXT record added to the DNS database that specifies the IP addresses of mail servers authorized to send messages on behalf of your domain. This way, receiving servers can check if a message supposedly originating from your domain was actually sent from an authorized mail server.
What is an SPF lookup?
It is the process of checking the SPF records for any domain name. DNS records are public, meaning anyone can see them.
Why do I need an SPF record?
You need it to prevent hackers, spammers, and other malicious actors from impersonating your domain and deceiving your customers. The record helps recipients’ mail servers verify your identity and ensure that every message claiming to come from your domain originates from an authorized server.
We have explained how SPF works and how to authenticate your email identity using this protocol. An SPF record defines the IP addresses authorized to send emails from your domain, enabling the receiving server to confirm your identity.
You should combine SPF with the DKIM and DMARC protocols for more robust email security. But apart from that, ensure you choose a secure and reliable email service provider like UniOne. No matter how many authentication protocols you’ve set up, choosing an insecure and undependable email service provider will make it easy for malicious actors to hijack your identity. Fortunately, UniOne is a very secure and effective email provider you can choose for an affordable price to avoid being impersonated.