Sender Policy Framework (SPF) is one of several open standards that enable email authentication. SPF lets a domain name owner publish a whitelist of the IP addresses and hosts allowed to send email on the domain's behalf; mail that arrives from any other host fails the SPF check.
How It Works
- Domain name owners publish an SPF record in the Domain Name System (DNS) as a TXT record at the domain's name. The record lists the authorized IP addresses and hosts, and can pull in further rules from other domains, for email receivers to evaluate.
- A receiving mail server (MTA) validating a message looks up the SPF record of the domain in the message's envelope sender, the SMTP MAIL FROM address that becomes the ‘Return-Path’ header on delivery.
- If a record exists, the receiver evaluates its mechanisms in order against the IP address of the connecting client to determine whether the domain owner has authorized that host.
- The first matching mechanism decides the outcome. A match on an authorized host gives a ‘pass’; if nothing matches before the record's closing ‘all’ mechanism, the result is ‘fail’ (-all), ‘softfail’ (~all), or ‘neutral’ (?all), depending on the qualifier the owner chose. What happens to the message next (delivery, spam folder, rejection) is the receiver's own policy: a pass does not guarantee delivery, and a fail is not always rejected.
Seemingly straightforward, SPF is difficult to implement and has significant limitations.
Return-Path vs. From Addresses — SPF checks the domain in an email's ‘Return-Path’ (the envelope sender) and not the visible ‘From’ address. This allows bad actors to spoof messages by presenting a valid-looking ‘From’ address while using a hidden ‘Return-Path’ address at a domain they control, whose SPF record authorizes their own server, so the message passes SPF. Detecting that mismatch is the job of DMARC, which requires the domain SPF checked to align with the ‘From’ domain.
The 10-Lookup Limit — As an alternative to listing IP addresses, the SPF standard allows a record to refer to other domain names (via include, a, mx, ptr, exists, or redirect) where email receivers find additional rules or lists of IPs. However, SPF allows at most ten such DNS-querying terms per evaluation, counting every term inside nested includes as well; a record that needs an eleventh is a permanent error (permerror) and cannot produce a pass. Plain ip4 and ip6 entries do not count toward the limit, which is why large records are often flattened into literal addresses.
Erroneous Text Records — While they appear simple, accurate SPF records are difficult to create. Syntax errors are easy to produce, hard to spot, and invalidate the whole record: a single malformed mechanism turns every evaluation into a permerror. Corporate domain owners often accumulate address ranges, explicitly denied entries, and multiple third-party includes and redirects, all of which complicate matters and can lead to further errors.
Forwarding Service Limitations — SPF does not survive plain email forwarding, such as college alumni addresses that redirect to another mailbox. The forwarding service resends the message with the original envelope sender unchanged, so the most recent sender (the forwarder's server) is not one of the hosts authorized by the domain owner, and the message fails SPF at the final receiver. Forwarders work around this with the Sender Rewriting Scheme (SRS), rewriting the envelope sender to an address at their own domain so the check is performed against their SPF record instead.
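The evaluation described under How It Works, and the failure modes listed above (the ten-lookup limit, a malformed record, a spoofed From address, and a forwarded message), can all be exercised with a small SPF evaluator. The following Python is an added example written for this page, not code from the original article or from any SPF library. The DNS data in FAKE_DNS is constructed: every domain name and address is hypothetical (documentation ranges), and a real evaluator would query DNS for the TXT, A/AAAA and MX records instead. The evaluator is deliberately reduced: it handles ip4, ip6, a, mx, include and all with their qualifiers and counts DNS-querying terms against the limit, but does not model ptr, exists, the redirect and exp modifiers, macros, or the separate HELO identity check.

```python
import ipaddress

# Constructed, offline stand-in for DNS, using hypothetical names and documentation
# address ranges; a real evaluator would issue TXT, A/AAAA and MX queries instead.
FAKE_DNS = {
    "txt": {
        "example.com": "v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer.example -all",
        "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 a:relay.mailer.example -all",
        "soft.example": "v=spf1 ip4:192.0.2.0/24 ~all",        # softfail qualifier
        "forwarder.example": "v=spf1 ip4:203.0.113.77 -all",    # a forwarding service
        "attacker.example": "v=spf1 ip4:203.0.113.66 -all",     # attacker's own domain
        "broken.example": "v=spf1 ip4:not-an-address -all",     # malformed mechanism
        # Eleven include: terms, one more than the ten DNS-querying terms allowed.
        "bloated.example": "v=spf1 "
        + " ".join(f"include:inc{i}.example" for i in range(11)) + " -all",
        **{f"inc{i}.example": "v=spf1 -all" for i in range(11)},
    },
    "a": {"relay.mailer.example": ["198.51.100.20"], "mail.example.com": ["203.0.113.25"]},
    "mx": {"example.com": ["mail.example.com"]},
}
LOOKUP_LIMIT = 10                                 # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

class LookupLimitExceeded(Exception):
    pass

def _count(state):
    """Charge one DNS-querying term (a, mx, include) against the limit."""
    state["lookups"] += 1
    if state["lookups"] > LOOKUP_LIMIT:
        raise LookupLimitExceeded()

def _parse_term(term):
    """Split 'qualifier name:arg/cidr' into parts; the qualifier defaults to '+'."""
    qual = "+"
    if term[0] in QUALIFIERS:
        qual, term = term[0], term[1:]
    name, _, arg = term.partition(":")
    name, _, cidr = name.partition("/")           # the bare "a/24" form
    if name in ("a", "mx") and "/" in arg:        # the "a:host/24" form
        arg, _, cidr = arg.partition("/")
    return qual, name.lower(), arg, cidr

def _ip_in(ip, hosts, cidr):
    """True if ip falls within any host address, widened to /cidr when given."""
    for host in hosts:
        prefix = cidr or ipaddress.ip_address(host).max_prefixlen
        if ip in ipaddress.ip_network(f"{host}/{prefix}", strict=False):
            return True
    return False

def _check_host(ip, domain, dns, state):
    terms = (dns["txt"].get(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                             # no SPF record published
    for term in terms[1:]:
        if "=" in term:                           # redirect=/exp= modifiers: not modelled
            continue
        qual, name, arg, cidr = _parse_term(term)
        target = arg or domain
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):              # literal addresses cost no DNS query
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            _count(state)
            matched = _ip_in(ip, dns["a"].get(target, []), cidr)
        elif name == "mx":
            _count(state)                         # one term, however many MX hosts
            hosts = [a for mx in dns["mx"].get(target, []) for a in dns["a"].get(mx, [])]
            matched = _ip_in(ip, hosts, cidr)
        elif name == "include":
            _count(state)
            inner = _check_host(ip, target, dns, state)
            if inner in ("none", "permerror"):    # missing or broken included record
                return "permerror"
            matched = inner == "pass"
        else:                                     # ptr, exists, unknown: not modelled
            return "permerror"
        if matched:
            return QUALIFIERS[qual]               # first match wins, in record order
    return "neutral"                              # ran off the end without a match

def check_host(client_ip, mail_from_domain, dns=FAKE_DNS):
    """RFC 7208 check_host(): result for a connection from client_ip whose envelope
    MAIL FROM (the future Return-Path) is in mail_from_domain. Too many lookups or
    a malformed record are both permanent errors, never a pass."""
    try:
        return _check_host(ipaddress.ip_address(client_ip), mail_from_domain, dns,
                           {"lookups": 0})
    except (LookupLimitExceeded, ValueError):
        return "permerror"

def check_message(client_ip, mail_from, header_from, dns=FAKE_DNS):
    """SPF is evaluated on the envelope sender only; the visible From header never
    enters the check. 'aligned' is the extra comparison DMARC adds on top."""
    envelope_domain = mail_from.rsplit("@", 1)[1].lower()
    from_domain = header_from.rsplit("@", 1)[1].lower()
    return {"spf": check_host(client_ip, envelope_domain, dns),
            "aligned": envelope_domain == from_domain}
```

With this data, check_host("203.0.113.77", "example.com") returns "fail" because the forwarder's address is not in example.com's record, while the same host passes once the envelope sender has been rewritten (SRS-style) to forwarder.example; check_host("203.0.113.99", "bloated.example") returns "permerror" on the eleventh include, and broken.example returns "permerror" for any client. check_message shows the spoofing case: a message sent from attacker.example's own server with a From header at example.com gets an SPF "pass", and only the aligned flag, which is DMARC's check rather than SPF's, reveals the mismatch.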