SPF (Sender Policy Framework) is a security feature used to authenticate the sender of an email. It allows providers to verify if mail server is authorized to send an email on behalf of your domain. If not, the message may be rejected, marked as SPAM, or suspicious.
Every email message contains two addresses – the header indicated in the “from” [From:] and “Return-Path” (so-called MAIL FROM, envelope sender, or reverse path).
SPF refers to the domain used in the Return-Path, not the “From” address. You should first find out what return path is currently used in the emails you send.
Return-Path as its name implies – is a return address – it tells the receiving servers where to bounce the message back in case of delivery problems. It is included in the email’s hidden header, which also contains other technical details.
To use SPF, you must publish a record you have created into the DNS of the sending domain. It contains a list of all IP addresses that are authorized to send Emails on its behalf.
When transferring a message, the incoming mail server checks the Return-Path in its header – a validation of the SPF record takes place, which consists of checking if the Email comes from one of the servers authorized by the domain’s DNS TXT record.
If yes – a connection between servers takes place and the message is handed-off. If not – the server continues to process the Email, but it does not pass authentication. In this situation (depending on the “all ” mechanism and its qualifier) it may be delivered and classified into the SPAM folder, marked as suspicious or rejected.
SPF is a TXT-type record that specifies which senders (IP addresses) are authorized to send Emails using your domain. It is published in its DNS. Detailed information on how an SPF record is formatted and how to create one can be found here.
Do you already have SPF set up? To configure it correctly and authorize EmailLabs to send Emails on behalf of your domain, add the following information into your TXT record:
include:_spf.emaillabs.co
Remember, an updated SPF record may require up to 48 hours to take effect.
SPF has become extremely important due to the advances brought by the growth of digital services and the increased attempts at online abuse and impersonation that this brings. It is therefore an important element for both increasing Email deliverability and security.
As many companies use a variety of tools and services to send Emails, receiving servers need some way of verifying that these are indeed authorized senders. While SPF is not a perfect security measure, and only implementing DMARC is what helps combat domain impersonation and spoofing, it, along with DKIM, is a necessary step towards its configuration.
The SMTP protocol, which is the standard for sending Emails, does not have any security features for the “From” address. Typically, only the correctness of the sender address in terms of its structure is validated. This means that impersonating another person or company seems extremely easy. This is what led to the development of SPF as one of the first Email security features. However, it does not validate the From domain, but the Return-Path, meaning that an Email can pass SPF validation regardless of whether the From address has been forged or not.
It is worth remembering that the received Email may be authentic, but due to the outdated list of allowed senders in the SPF record, it will still be marked as suspicious. Such a genuine Email could also be forwarded, i.e. it originally came from a system authorized in SPF, but was forwarded via another one – which is no longer included in the list of allowed senders.
It is therefore important to additionally secure the Email – this may be done by DKIM, which protects the sending address by signing the message with an appropriate digital key, and DMARC, which compares whether the domain indicated by one of the above protocols (Return-Path used by SPF and/or the “d=” domain used by DKIM) matches the one in the “From” address and if so – the Email passes validation.
You will be able to send messages even if you do not publish an SPF record into your DNS, but setting it up correctly is an extra trust signal to providers and an increased chance that your Emails will reach the recipient’s inbox. Proper authentication is more than just verifying that whether an Email is from whom it was sent – it is a sign that you’re actively involved in creating a good Email ecosystem and keeping your recipients safe.
Spammers are less likely to spoof Emails that are sent from a domain with security implemented, as they are more likely to be caught by spam filters. Such an SPF-protected domain is far less attractive to them.
To prevent outbound Email spoofing scams, add not only SPF but also DKIM and DMARC to your domain’s DNS. This will not solve deliverability issues, but it is an extra layer that, when combined with the above standards, can improve its metrics and prevent potential fraud in the first place. If you own a large business, also consider securing your corporate identity and trademark with BIMI.
Email Deliverability Team Coordinator
Natalia abandoned her career as an experimental biologist for the digital universe and new technologies. She likes to know something about everything and everything about something. Breathlessly follows and describes news from the email world. Supports EmailLabs users in integrating, analyzing, and reporting deliverability. Helps to increase domain security with implemented DNS records and BIMI standard, moreover educates on good mailing practices.
See more articles
We are proud to announce that Vercom S.A., the company behind the EmailLabs project, successfully passed an audit for compliance with the latest ISO/IEC 27001:2022 and ISO/IEC 27018:2019 standards....
Gmail has announced significant changes in the requirements for email senders to maintain a good reputation and proper classification of messages in user inboxes starting from February 1, 2024....
The increasing number of phishing attacks each year, and the projection that this trend will continue to escalate, aren’t likely to astonish anyone. This can be attributed, in part,...
Out of all the things that can go wrong when sending out marketing emails, having your emails end up in the recipient’s spam folder is arguably the most dreaded...
Email Authentication, Security
DMARC is an email authentication protocol that is designed to give domain owners the ability to protect their domain from unauthorized use, commonly known as email spoofing. Spoofing occurs...
With the emergence of the Covid-19 pandemic, many brands have been challenged to adapt in a short period to the changed reality and new consumer attitudes. That meant reorganizing...
Gmail users may soon benefit from a game-changing feature called Shielded Email, designed to enhance privacy and combat spam. While the feature has not yet been officially launched, recent...
Are you frustrated with the constant struggle of your emails getting blocked by Gmail? Have you ever wondered about the reasons behind this issue and, more importantly, how to...
In the ever-evolving landscape of email management, Google has announced an exciting upgrade to Gmail’s summary cards, aimed at improving user experience and streamlining inbox navigation. The latest enhancements,...
Gmail users may soon benefit from a game-changing feature called Shielded Email, designed to enhance privacy and combat spam. While the feature has not yet been officially launched, recent...
Are you frustrated with the constant struggle of your emails getting blocked by Gmail? Have you ever wondered about the reasons behind this issue and, more importantly, how to...
In the ever-evolving landscape of email management, Google has announced an exciting upgrade to Gmail’s summary cards, aimed at improving user experience and streamlining inbox navigation. The latest enhancements,...
Entering the world of email communication, you’ll encounter many terms that initially seem straightforward and intuitive. However, some of these can be pretty challenging. Accurately distinguishing between them is...
Attaching a folder to an email may seem complicated at first glance, especially if you’re trying to send multiple files or an entire project’s documents to a colleague or...
Best practices, Deliverability
In today’s digital age, email has become an integral part of our personal and professional communication. We rely heavily on emails to send important messages, documents, and updates. But...
We are proud to announce that Vercom S.A., the company behind the EmailLabs project, successfully passed an audit for compliance with the latest ISO/IEC 27001:2022 and ISO/IEC 27018:2019 standards....
Best practices, Deliverability
Are you struggling to improve the deliverability and engagement of your email marketing campaigns? Look no further than email subdomains. You can protect your root domain and effectively manage...
What is the darknet? Shrouded in mystery for many years and often associated with ominous connotations, the darknet is a part of the internet that evokes curiosity, fascination, and...
