Sender Policy Framework (SPF) is the first of several Internet standards that enable email authentication. SPF allows domain name owners to create a whitelist of IP addresses that can send email on their behalf. Attempts by others will fail the SPF test.
SPF originated in 2003 and is now widely adopted by all major email receivers, including Google, Microsoft, and Yahoo!/AOL.
How It Works
- Domain name owners publish simple SPF text records, listing authorized IP addresses, to the Domain Name System (DNS).
- An email receiver validating an email message searches DNS for published SPF records matching the domain in the ‘Return Path’ of the message
- If one exists, the receiver checks for a match between the message sender’s IP address and those published in the SPF record.
- If there’s a match, the SPF test passes and the email is delivered to the specified inbox; otherwise it’s flagged as suspicious.
Seemingly straight forward, SPF is difficult to implement and contains significant limitations.
Return-Path vs. From Addresses — SPF tests use the domain name in an email’s ‘Return-Path’ field, usually hidden to readers, and not the visible ‘From’ address. This allows bad actors to spoof messages by presenting a valid looking ‘From’ address while using their own hidden, malicious “Return-Path” address. Furthermore, marketing providers typically use their domain name in the ‘Return-Path’ field of outbound emails and the customer’s ‘From’ field address. In both cases, the SPF test fails.
The 10-Domain Lookup Limit — As an alternative to listing IP addresses, the SPF standard allows an SPF record to include a domain name address where email receivers can find additional rules or lists of IPs. However, SPF only allows the receiver ten additional DNS lookups for each SPF record evaluated.
Erroneous Text Records — While appearing simple, accurate SPF records are difficult to create. Errors are easy to produce, hard to spot, and may invalidate the record. Corporate domain name owners often add blocked IP lists, address ranges, and multiple third party redirects, all of which complicate matters and can lead to further errors.
Forwarding Service Limitations — SPF does not support email forwarding services, such as those for college alumni, that redirect to another address. In this case, the redirected email domain name won’t match the original domain from the sender and the message will fail. Mailing lists and email discussion lists can cause the same problem.
Fortunately, the DKIM and DMARC internet standards, as well as third party solutions, such as the Valimail Email Authentication Cloud Service, address these shortcomings.