SPF is an open standard for email authentication. It authenticates the SMTP MAIL FROM domain by checking whether the sending IP address of the email message is allowed to send for that domain.

There, that’s it…

No, just kidding. Of course, we love to elaborate on questions such as ‘What is SPF?’ and ‘How does SPF work?’ We continue with more frequently asked questions about SPF.

What is SPF?

SPF stands for Sender Policy Framework. When used correctly, Internet Service Providers (or ISPs) are able to verify that a mail server is authorised to send emails on behalf of a domain.

To better define SPF, take a mailman, for example. He comes to your door with a package. Nobody tells you whether this particular mailman is a potential threat or security risk.

Wouldn’t it be fantastic if you had a list of all the mailmen allowed to deliver on behalf of a company? Then, all you have to do is check his ID, and you instantly know who you are dealing with.

Well, surprise: SPF does precisely that!

Why SPF?

As the name suggests, Simple Mail Transfer Protocol (SMTP) was designed in simpler times. It didn’t account for the malicious actors who would later exploit its vulnerabilities. Spoofing became a major problem in email. A solution was urgently needed, and so SPF was developed.

This was a crucial first step in securing email domains. The development of DKIM and DMARC would soon follow. Combining these three provides optimal protection. Although it is an old protocol, SPF is still very relevant and important to use for the following reasons:

  • Independent Verification: SPF provides an independent verification of the sender’s identity, separate from DMARC.
  • Enhanced Email Deliverability: Strong SPF records can help improve your email delivery by reducing the risk of your emails being flagged as spam.
  • DMARC Enforcement: DMARC relies on the information provided by SPF and DKIM to enforce your email policies. Without SPF, DMARC’s effectiveness is reduced.

How does SPF work?

With SPF, you provide your own custom list of all the sending hosts and IP addresses authorised to send emails on behalf of the particular domain. Then, you store it in the DNS of that domain. Because only you (should) have access to the domain’s DNS, it’s perfectly safe!

When a receiving mail server receives an email, it checks the SPF record of the sending MAIL FROM domain to verify if the sending IP has permission. The email is considered legitimate if the IP address matches one of the IP addresses listed in the SPF record. If not, the email may be flagged as spam or even rejected.

Benefits of SPF

The main purpose of SPF is to authorise a finite list of sending IP addresses of mail servers. In turn, this helps against cyber criminals sending from unauthorised IP addresses. It has a few huge benefits when correctly used in combination with DMARC. To summarise, SPF:

  • Increases the overall deliverability of your emails
  • Boosts your brand reputation for being reliable
  • Fights domain impersonation and email spoofing
  • Is one of the foundational email authentication methods for DMARC!

Misconceptions about SPF

SPF does not prevent spoofing of the domain that is visible when you open an email (the FROM: domain). Instead, SPF works against the SMTP MAIL FROM domain, which is only visible in the email headers. And let’s be completely honest here: which average email user even knows where to find email headers and how to analyse them?

Spoofing occurs on the FROM: domain, which is the domain you see when you open an email. It builds trust and makes people believe the email was sent by the organisation in question. DMARC works on this FROM: domain and requires a connection (Alignment) with the SMTP MAIL FROM domain.
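The difference between the two domains, as an added example that is not part of the original article: it reads the MAIL FROM domain (recorded in Return-Path) and the FROM: domain from a message and tests whether they align. Both messages are constructed, the function names are illustrative, and `org_domain` is a simplifying assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed messages. Return-Path records the SMTP MAIL FROM address;
# From: is the address the reader sees.
MISALIGNED = (
    "Return-Path: <bounce@mailer.example>\n"
    'From: "Example Corp" <billing@example.com>\n'
    "Subject: Invoice\n\nBody\n"
)
SUBDOMAIN = (
    "Return-Path: <bounce@mail.example.com>\n"
    "From: billing@example.com\n"
    "Subject: Invoice\n\nBody\n"
)


def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def org_domain(domain):
    # ASSUMPTION: last two labels. Real DMARC uses the Public Suffix List,
    # so this shortcut is wrong for suffixes such as co.uk.
    return ".".join(domain.split(".")[-2:])


def spf_alignment(raw_message, spf_result, mode="relaxed"):
    """Report which domain SPF checked and whether it aligns with From:."""
    msg = message_from_string(raw_message)
    mail_from = domain_of(msg["Return-Path"])
    header_from = domain_of(msg["From"])
    if mode == "relaxed":
        a, b = org_domain(mail_from), org_domain(header_from)
    else:  # strict: the two domains must be identical
        a, b = mail_from, header_from
    aligned = bool(a) and a == b
    return {
        "spf_checked": mail_from,
        "user_sees": header_from,
        "aligned": aligned,
        # An SPF pass only counts for DMARC when the domains align.
        "dmarc_spf_pass": spf_result == "pass" and aligned,
    }
```

For `MISALIGNED`, an SPF pass for mailer.example says nothing about example.com, so `dmarc_spf_pass` stays false.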

Most Common SPF Error: Too Many DNS Lookups

Then there is yet another problem with SPF: your SPF record can cause too many DNS lookups. It is the error we see most often. In this case, the receiver must do more than 10 DNS lookups to resolve the SPF record. The RFC sets this very specific limit of 10. Going over it can result in an SPF error, which could mean some of your messages will not be delivered.

Fortunately, there is a solution in the shape of SPF Flattening.
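The check from "How does SPF work?" together with the 10-lookup limit, as an added example (not dmarcadvisor's code): a small offline evaluator that handles only ip4, ip6, include and all, and reports any other term as permerror. The `DNS_TXT` table, every domain in it and the function names are constructed for illustration; in a real evaluation a, mx, ptr, exists and redirect also count toward the limit.

```python
import ipaddress

# Constructed TXT records standing in for live DNS; every name is an example.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.17 ip6:2001:db8:25::/48 ~all",
    "sprawl.example": "v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all",
}
DNS_TXT.update({f"s{i}.example": f"v=spf1 ip4:203.0.113.{i} ?all" for i in range(11)})
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation


class PermError(Exception):
    """The record cannot be evaluated (too many lookups, bad include)."""


def _check(ip, domain, state):
    terms = DNS_TXT.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            state["lookups"] += 1  # each include costs one DNS lookup
            if state["lookups"] > MAX_LOOKUPS:
                raise PermError("more than 10 DNS lookups")
            inner = _check(ip, arg, state)
            if inner == "none":
                raise PermError(f"{arg} has no SPF record")
            if inner == "pass":  # only an inner pass makes include match
                return QUALIFIERS[qualifier]
        else:
            raise PermError(f"term not handled in this example: {term}")
    return "neutral"  # no term matched and the record has no "all"


def check_host(ip, mail_from_domain):
    """Return (result, lookups_used) for a connecting IP and MAIL FROM domain."""
    state = {"lookups": 0}
    try:
        return _check(ipaddress.ip_address(ip), mail_from_domain, state), state["lookups"]
    except PermError:
        return "permerror", state["lookups"]
```

With the constructed `sprawl.example` record, a sender listed in the fourth include passes after 4 lookups, while a sender listed in the eleventh include gets permerror: whether the limit bites depends on where in the record the match sits.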

How to check an SPF Record?

It’s easy to overlook details when you’re focused on completing the record, and such errors can impact the delivery of your emails. Our SPF Check helps you to identify possible errors in your record.

Perform an SPF lookup with the SPF Record Check now to inspect the validity of your DNS record and prevent email deliverability issues.
