Sender Policy Framework (SPF) is an email authentication protocol in which a domain publishes, in a DNS TXT record, the IP addresses that are authorized to send email on its behalf.
A typical SPF record looks like this:
"v=spf1 a include:spf.hostpack.lu. ~all"
The corresponding DNS TXT entry may look like the following (applied to domain-name.lu):
domain-name.lu. 600 IN TXT "v=spf1 a include:spf.hostpack.lu. ~all"
When you send an email message using domain-name.lu, the receiving system checks whether an SPF record is published for that domain:
- If there is a valid SPF record AND your sending IP address is on the list, your message will PASS the SPF check.
- If your sending IP address is NOT on the list, your message will FAIL the SPF check and could either be rejected, quarantined or classified as SPAM – depending on the receiving system’s email policy.
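The check a receiving system performs can be sketched as follows. This is an added example, not code from the original page: the contents of the spf.hostpack.lu record and all IP addresses are constructed, DNS is replaced by in-memory dictionaries, and only the `a`, `ip4`/`ip6`, `include` and `all` mechanisms are handled. Result names follow RFC 7208, where an unlisted sender evaluated against `~all` yields `softfail` and against `-all` yields `fail`.

```python
import ipaddress

# Constructed sample zone data standing in for live DNS lookups.
# The spf.hostpack.lu record content and all addresses are assumptions
# (RFC 5737 documentation ranges), not real DNS answers.
TXT = {
    "domain-name.lu": "v=spf1 a include:spf.hostpack.lu. ~all",
    "spf.hostpack.lu": "v=spf1 ip4:198.51.100.0/24 -all",
}
A = {"domain-name.lu": ["192.0.2.10"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for the sending address `ip`."""
    domain = domain.rstrip(".").lower()
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # simplified loop guard; RFC 7208 caps DNS-lookup terms at 10
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            target = (arg or domain).rstrip(".").lower()
            matched = any(addr == ipaddress.ip_address(x) for x in A.get(target, []))
        elif name == "include":
            result = check_spf(ip, arg, depth + 1)
            if result in ("none", "permerror"):
                return "permerror"
            matched = result == "pass"  # only a pass inside the include counts
        else:
            return "permerror"  # mechanism or modifier not covered by this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"
```
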
Unfortunately, SPF authentication has some limitations in terms of validating the message source.
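SPF also breaks when a message is forwarded, because the forwarding server's IP address is typically not listed in the original domain's SPF record, and it does not protect against bad actors who spoof the display name or Friendly-From address.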
These limitations are some of the reasons why DKIM was created.