SPF stands for Sender Policy Framework. It’s an email authentication method that helps identify the mail servers that are permitted to send email from a particular domain. Using this validation protocol, ISPs can determine when spoofers and phishers are trying to forge emails from your domain to send a malicious email to your customers.
Unfortunately, this is a huge problem plaguing consumer inboxes with repeated and unending attempts to illegally obtain personally identifiable information. Transactional email is particularly susceptible to attacks since spammers rely on existing relationships to drive your user to take action such as confirming an account, resetting a password, or logging in to correct a problem. Since SMTP alone won’t help, you must authenticate your mail using all the tools available to you to prevent these email attacks. This includes SPF.
So how does SPF work, and why should I care?
SPF is an open standard that protects genuine email senders and discourages spammers by allowing you to specify the email servers that can send email for your domain name(s). You must register an SPF record in the DNS that contains the IP addresses of each mail server authorised to send your email messages. ISPs then use the DNS settings to verify the source of the email and make spam filtering decisions. If the SPF check passes, then your email can be delivered. This isn’t to say that it absolutely will be delivered, as there are many factors that can contribute to email delivery failure, but if the email isn’t delivered, it won’t be because of SPF failure.
Not everyone uses SPF authentication, but receivers that reject based on SPF failure (such as Gmail, Microsoft, and most major ISPs) will reject the delivery and prevent spammers from sending emails pretending to be from you or your organisation. Some receivers may also quarantine mail that fails SPF without blocking it.
Since this can be confusing stuff, we recommend checking out this article by Mailbird that provides a quick explanation on how SPF works.
Each SPF record will be a bit different, but you should check to make sure you’ve got it right. Here are three tools that can help validate your records.
- MX Toolbox’s SPF Testing Tool: Check to see if an SPF record already exists for your domain, check its validity or test its performance.
To sum up
Simply put, malicious email hurts your business and degrades the email channel. While SPF won’t prevent spam, it can serve as a deterrent and make you less vulnerable to attacks. Combined with Sender ID and DKIM, SPF provides an extra level of protection that will better support your users by helping ISPs properly identify your email and, in turn, the spammers.
By using SPF you can not only help protect your customers but also get your emails accepted for delivery to email services such as Gmail and those provided by Microsoft who are increasingly looking at ways to prevent spam and phishing emails from reaching their customers’ mailboxes.