Sender Policy Framework (SPF)
Sender Policy Framework (SPF) is an email authentication method that lets a receiving mail server check that the sending mail server is authorized to send email for the sender’s domain.
- helps detect and prevent sender address forgery commonly used in phishing and spam emails
- used to combat spam
- uses a TXT resource record published via DNS by an organization hosting email service
- common for emails to be sent from different domains, e.g.,
- when a third party hosts an organization’s email
- when an organization uses a marketing service to send and collect customer survey information
- SPF record identifies the hosts authorized to send email from a domain
- hosts can be identified by IP address, CIDR address blocks, or hostnames of mail servers
- must use only one SPF record per domain
- can also indicate what to do with mail from servers not on the list
- reject (-all)
- flag (~all)
- accept (+all)
- works by:
- verifying the sender’s IP address against a list of authorized sending IP addresses
- When an email is received,
- the receiving mail server checks the SPF record of the sender’s domain to verify the email originated from one of the pre-authorized systems
- Inspecting email headers is required to determine whether the SPF record passed inspection by the email server
- an SPF “NOT PASS” indicates the sender is not included in the SPF record
- oftentimes organizations don’t have all email servers included in their SPF records
- so when SPF checking is strictly enforced, messages may not be received/sent
- so SPF records provide a clue, but sender IP info still needs to be analyzed
- Analyzing SPF:
v=spf1 include:spf.protection.outlook.com -all
- v=spf1 is the version
- include: specifies the authorized hosts
- (-|~|+)all specifies the policy to apply
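The check a receiving server performs, as an added example that is not part of the original notes: it evaluates a sender IP against a record of the same shape as the one above (an `include:` followed by an `all` policy). The domains, address ranges and the `ZONE` lookup table are constructed placeholders standing in for DNS, and only the `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups; the names and the
# documentation address ranges are placeholders, not real deployments.
ZONE = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.16/28 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_ip, domain, zone=ZONE, depth=0):
    """Return the SPF result for sender_ip under domain's record."""
    terms = zone.get(domain, "").split()
    if depth > 10 or not terms or terms[0].lower() != "v=spf1":
        # No usable record: "none" at the top level, an error inside an include.
        return "none" if depth == 0 else "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:                      # mechanisms are tested left to right
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":                       # catch-all: the policy for everyone else
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # An include matches only when the nested record yields "pass";
            # the nested record's own -all / ~all does not propagate upward.
            nested = check_spf(sender_ip, arg, zone, depth + 1)
            if nested == "pass":
                return QUALIFIERS[qualifier]
            if nested == "permerror":
                return "permerror"
    return "neutral"                            # nothing matched and no "all" term
```

A sender inside the included range passes even though the included record ends in `~all`, while an unlisted sender falls through to the top-level `-all` and fails.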