SPF (Sender Policy Framework) is an email authentication method that helps prevent email spoofing by specifying which mail servers are allowed to send email on behalf of a domain.
Purpose
SPF answers one simple question:
Is this server allowed to send email for this domain?
If the answer is no, the email can be marked as spam or rejected.
How SPF Works
- Domain owner publishes an SPF record in DNS.
- The SPF record lists authorized mail servers (IP addresses or services).
- When an email is received:
  - The receiving server notes the IP address the SMTP connection came from.
  - It takes the domain from the envelope sender (the SMTP MAIL FROM, visible later as the Return-Path header) and fetches that domain's SPF record. The From: header the user sees is not consulted.
  - It tests the IP against the record's mechanisms in order; the first match decides.
  - The result is one of pass, fail, softfail, neutral, none, temperror or permerror.
Example SPF Record
v=spf1 ip4:192.0.2.10 include:_spf.google.com -all
This means:
- ip4:192.0.2.10 → mail from this one IP address passes
- include:_spf.google.com → also accept any server listed in Google's own SPF record (Gmail / Google Workspace); the receiver fetches that record as part of the check
- -all → mail from any other server fails
SPF Results
- Pass → the IP matched an authorizing mechanism: authorized sender
- Fail (matched -all) → unauthorized sender; commonly rejected or quarantined
- SoftFail (matched ~all) → probably unauthorized; usually accepted but marked as suspicious
- Neutral (matched ?all, or no mechanism matched) → the domain makes no assertion either way
- None → the domain publishes no SPF record
- TempError → a DNS lookup failed; the receiver may retry later
- PermError → the record cannot be evaluated (syntax error, more than one SPF record, or more than 10 DNS lookups); it never counts as a pass
Limitations
- SPF checks only the connecting IP against the domain in the envelope sender (MAIL FROM / Return-Path). It looks at neither the From: header the recipient sees nor the message content, so an attacker can pass SPF by putting their own domain in MAIL FROM while forging the From: header.
- It breaks with email forwarding: the forwarder's IP is not in the original domain's record, so the forwarded copy fails SPF. A DKIM signature survives forwarding as long as the forwarder leaves the signed content intact, which is why the two are deployed together.
- A record may trigger at most 10 DNS lookups (include, a, mx, ptr, exists and redirect all count). Going over the limit is a permerror, a common outcome when many third-party services are included.
- SPF alone neither binds the check to the visible From: header nor tells receivers what to do with failures. DMARC adds that alignment requirement, a published policy (none, quarantine or reject) and reporting.
SPF vs DKIM (Quick Comparison)
| Feature | SPF | DKIM |
|---|---|---|
| Checks | Connecting IP against the envelope sender's domain | Cryptographic signature over selected headers and body |
| Uses DNS | Yes | Yes |
| Survives forwarding | ❌ No | ✅ Usually (unless the forwarder alters signed content) |
| Protects the visible From: address | Only with DMARC alignment | Only with DMARC alignment |
✅ In short: SPF lets receiving mail servers verify that a message arrived from a server the envelope sender's domain has authorized; pair it with DKIM and DMARC to protect the From: address users actually see.
