spfXio.com makes it easy for you to implement an effective SPF record using our management platform. While we may make it easy, we encourage anyone responsible for domain email security to develop a foundational knowledge of SPF, its purpose, how it is implemented, and how it is verified.
What is Sender Policy Framework or SPF?
SPF is a protocol defined by the Internet Engineering Task Force (IETF) that provides a facility for Administrative Management Domains to explicitly authorize hosts permitted to send email on their behalf and for a receiving host to verify if a sender is authorized. For a full technical understanding, it is best to read, re-read, and then read again the IETF document found at https://tools.ietf.org/html/rfc7208. Although seemingly straightforward, SPF is full of nuances that require a deep understanding to fully grasp its power and properly implement.
The following diagram provides a walk-through and logical evaluation of Sender Policy Framework in action.
SPF Evaluation during an SMTP Conversation
- orga.com sends an email to orgb.com through the smtp.orga.com server, which has the IP address 10.100.225.100
- orgb.com receives the email and performs a TXT record lookup for orga.com in an attempt to identify an SPF record; the following record is returned: v=spf1 mx include:spf.orga.com ip4:10.100.225.100/32 ptr:smtp.orga.com -all
- Identified SPF records are evaluated to confirm if the sending IP Address is authorized to send on behalf of orga.com.
- If the sending system is authorized by the domain’s SPF record, SPF authentication results in a pass.
- If the sending system is not identified in the record and an all mechanism is present, the SPF authentication result is determined by the qualifier attached to that all mechanism. Qualifiers are ? indicating neutral, ~ indicating softfail, - indicating fail, or even + indicating pass.
- If the sending system is not identified in the domain’s SPF record, and an all mechanism is not specified, a none result is returned.
- If any of the following occur during the SPF evaluation, a permerror result is returned. This result is to be treated as though no SPF record was published.
  - more than 10 DNS lookups are initiated, either directly by the record or through external references in the record (e.g., include mechanisms)
  - improper syntax or record format
  - multiple SPF records are defined
SPF Results
SPF results are used by receiving servers to determine whether a sending system is authorized to send on behalf of a domain. An SPF pass result is a clear determination that the sending system is authorized to send email on behalf of the domain, whereas a fail is an explicit statement that the sending system is not authorized. A softfail indicates that the sending system is likely not authorized to send on behalf of the domain, but a stronger fail policy has not been published. A neutral result indicates that the domain is not asserting whether the sending system is authorized or not. A none response indicates that an SPF record for the domain could not be retrieved from DNS.
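The evaluation walk-through and the result meanings above, as an added Python example (not spfXio's code): a minimal check_host() run over a constructed in-memory DNS zone holding the orga.com record from the walk-through plus made-up hosts, addresses and extra domains (loop.example, two.example) used only to trigger permerror. It applies the qualifiers, counts DNS-querying mechanisms against the 10-lookup limit, treats an include loop, multiple records or an unknown mechanism as permerror, and uses the RFC 7208 section 4.7 default of neutral when nothing matches.

```python
import ipaddress
DNS = {  # constructed zone data standing in for live DNS; hosts and addresses are made up
    "txt": {
        "orga.com": ["v=spf1 mx include:spf.orga.com ip4:10.100.225.100/32 ptr:smtp.orga.com -all"],
        "spf.orga.com": ["v=spf1 ip4:10.100.226.0/24 -all"],
        "loop.example": ["v=spf1 include:loop.example -all"],  # self-include exhausts the lookup limit
        "two.example": ["v=spf1 -all", "v=spf1 +all"],  # two SPF records published for one domain
    },
    "mx": {"orga.com": ["mail.orga.com"]},
    "a": {"mail.orga.com": ["10.100.225.50"], "smtp.orga.com": ["10.100.225.100"]},
    "ptr": {"10.100.225.100": ["smtp.orga.com"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying mechanisms (include, mx, ptr handled here)

def check_host(ip, domain, dns=DNS, lookups=None):
    """Evaluate `domain`'s SPF record for sending address `ip`; returns the SPF result."""
    lookups = lookups if lookups is not None else [0]  # counter shared with nested includes
    records = [r for r in dns["txt"].get(domain, []) if r.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # multiple SPF records is a permanent error
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"  # default qualifier is "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in ("include", "mx", "ptr"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # more than 10 DNS lookups
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            sub = check_host(ip, arg, dns, lookups)
            if sub in ("permerror", "none"):
                return "permerror"  # included domain has no record or is itself broken
            matched = sub == "pass"  # include matches only on a pass from the included record
        elif name == "mx":
            matched = any(ip in dns["a"].get(h, []) for h in dns["mx"].get(arg or domain, []))
        elif name == "ptr":
            target = arg or domain  # reverse names must validate (A record holds ip) and sit under target
            matched = any((n == target or n.endswith("." + target)) and ip in dns["a"].get(n, [])
                          for n in dns["ptr"].get(ip, []))
        else:
            return "permerror"  # unknown mechanism or bad syntax
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # no mechanism matched and no "all" term (RFC 7208 section 4.7)
```

Running check_host("10.100.225.100", "orga.com") walks mx (no match), include:spf.orga.com (returns fail, so no match) and then ip4:10.100.225.100/32, which matches and yields pass after two counted lookups.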