SPF

Sender Policy Framework (SPF) is an email authentication protocol in which a domain publishes, in a DNS TXT record, the IP addresses that are authorized to send email on its behalf.

A typical SPF record looks like this:

"v=spf1 a include:spf.hostpack.lu. ~all"

The corresponding DNS TXT entry may look like the following (applied to domain-name.lu):

domain-name.lu. 600 IN TXT "v=spf1 a include:spf.hostpack.lu. ~all"

When you send an email message using domain-name.lu, the receiving system checks whether an SPF record is published for that domain:

  • If there is a valid SPF record AND your sending IP address is on the list, your message will PASS the SPF check.
  • If your sending IP address is NOT on the list, your message will FAIL the SPF check and could either be rejected, quarantined or classified as SPAM – depending on the receiving system’s email policy.
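The check a receiver performs on the record above can be sketched as follows. This is an added example, not code from the original page: it handles only the a, ip4, include and all mechanisms, and the DNS answers (the address of domain-name.lu and the content of spf.hostpack.lu) are constructed values from documentation address ranges. With the "~all" ending shown above, an unlisted IP evaluates to "softfail", which the receiver then handles according to its own policy.

```python
import ipaddress

# Constructed DNS answers (documentation-range addresses) replacing live lookups.
DNS_TXT = {
    "domain-name.lu": "v=spf1 a include:spf.hostpack.lu. ~all",  # record from the page
    "spf.hostpack.lu": "v=spf1 ip4:198.51.100.0/24 -all",        # assumed content
}
DNS_A = {"domain-name.lu": ["192.0.2.10"]}                       # assumed address
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """Evaluate a subset of RFC 7208 (a, ip4, include, all) for a sending IP."""
    if depth > 10:  # stop runaway include chains
        return "permerror"
    terms = (DNS_TXT.get(domain.rstrip(".")) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record published
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            target = (arg or domain).rstrip(".")
            matched = ip in DNS_A.get(target, [])
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            inner = check_spf(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # only an inner pass makes include match
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without any matching mechanism


if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.25", "203.0.113.7"):
        print(sender, check_spf(sender, "domain-name.lu"))
```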

Unfortunately, SPF authentication has some limitations in terms of validating the message source.

SPF also breaks when a message is forwarded and does not protect against bad actors who can spoof the display name or Friendly-From address.

These limitations are some of the reasons why DKIM was created.