SPF (Sender Policy Framework)
What is SPF (Sender Policy Framework)?
SPF (Sender Policy Framework): An email authentication mechanism defined in RFC 7208 that lets a domain publish in DNS which IP addresses or hosts are authorized to send mail using its domain in the envelope MAIL FROM.
Sender Policy Framework (SPF), specified in RFC 7208, lets a domain owner publish a TXT record (for example v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all) that lists permitted senders. Receiving MTAs evaluate the SMTP MAIL FROM (return-path) domain against this policy and produce a result such as pass, fail, softfail, neutral, or temperror. SPF only authenticates the envelope sender, not the From: header users see, so it does not stop display-name spoofing on its own. It is one of the three building blocks of DMARC, alongside DKIM. Operators must avoid exceeding the ten-DNS-lookup limit, use proper qualifiers, and prefer -all (hard fail) over ~all for enforcement.
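To make the evaluation described above concrete, the following is an added example (not code from this page or from any SPF library) of a minimal check_host implementation in Python. It resolves records from a constructed stub DNS zone embedded inline rather than querying real DNS, supports the ip4, ip6, a, include and all mechanisms with the four qualifiers, enforces the ten-lookup limit from RFC 7208, and includes a separate operator-side pre-check that counts the DNS-querying terms a record would trigger. The domain names, addresses and records in the stub zone are all assumptions for illustration; mx, ptr, exists and redirect are not modelled.

```python
import ipaddress

# Constructed stub DNS zone (assumption, not real records): domain -> SPF TXT string.
STUB_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 a:mail.example.com include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # pathological self-include
}
# Constructed stub A records: hostname -> list of IPv4 addresses.
STUB_A = {"mail.example.com": ["198.51.100.10"]}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most ten DNS-querying mechanisms per check
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHS = ("a", "mx", "ptr", "exists")  # mechanisms that each cost one DNS lookup


def _bump(state):
    """Count one DNS-querying mechanism; True when the limit is exceeded."""
    state["lookups"] += 1
    return state["lookups"] > MAX_LOOKUPS


def check_host(ip, domain, zone=STUB_TXT, a_records=STUB_A, _state=None):
    """Evaluate a sending IP against the SPF record of the MAIL FROM domain.

    Returns an RFC 7208 result: pass, fail, softfail, neutral, none or permerror.
    """
    state = _state if _state is not None else {"lookups": 0}
    record = zone.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed CIDR is a syntax error in the record
            matched = addr.version == network.version and addr in network
        elif name == "a":
            if _bump(state):
                return "permerror"
            target = arg or domain
            matched = any(addr == ipaddress.ip_address(h) for h in a_records.get(target, []))
        elif name == "include":
            if _bump(state):
                return "permerror"
            sub = check_host(ip, arg, zone, a_records, state)
            if sub in ("permerror", "none"):
                return "permerror"  # included domain must have a valid record
            matched = sub == "pass"  # include matches only when the sub-check passes
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mx/ptr/exists/redirect not modelled in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # fell off the end without an "all" term


def count_dns_lookups(domain, zone=STUB_TXT, _path=()):
    """Operator pre-check: count DNS-querying terms reachable from a domain's record.

    A value above MAX_LOOKUPS means receivers will return permerror for the record.
    """
    if domain in _path:
        return MAX_LOOKUPS + 1  # an include loop can never stay within the limit
    record = zone.get(domain)
    if not record:
        return 0
    total = 0
    for term in record.split()[1:]:
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name in LOOKUP_MECHS:
            total += 1
        elif name == "include":
            total += 1 + count_dns_lookups(arg, zone, _path + (domain,))
    return total


if __name__ == "__main__":
    for ip in ("192.0.2.45", "198.51.100.10", "2001:db8::1", "203.0.113.7"):
        print(ip, "->", check_host(ip, "example.com"))
    print("lookups for example.com:", count_dns_lookups("example.com"))
    print("loop.example ->", check_host("203.0.113.7", "loop.example"))
```

The self-including loop.example record shows why the lookup counter matters: without it, evaluation would recurse forever, and with it the receiver returns permerror, which under a DMARC policy counts as an SPF failure for the whole domain. Running count_dns_lookups before publishing a record catches that class of mistake before it reaches receivers.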
● Examples
- 01. Publishing v=spf1 include:_spf.google.com -all to authorize Google Workspace outbound IPs and reject everything else.
- 02. Using a third-party SPF flattening service to stay within the ten DNS lookup limit.
● Frequently asked questions
What is SPF (Sender Policy Framework)?
An email authentication mechanism defined in RFC 7208 that lets a domain publish in DNS which IP addresses or hosts are authorized to send mail using its domain in the envelope MAIL FROM. It belongs to the Network Security category of cybersecurity.
How is SPF (Sender Policy Framework) used defensively?
SPF is itself a defensive control: a domain owner publishes an accurate TXT record listing permitted senders, keeps it within the ten-DNS-lookup limit, uses -all for enforcement, and combines it with DKIM and DMARC so that From: header alignment is also checked, as described in the full definition above.
What are other names for SPF (Sender Policy Framework)?
Common alternative names include: Sender Policy Framework.
● Related terms
- DMARC (network-security, № 333): An email authentication standard defined in RFC 7489 that lets domain owners publish a policy telling receivers what to do with messages that fail SPF or DKIM and aligned domain checks.
- DKIM (network-security, № 330): An email authentication standard defined in RFC 6376 that lets a sending domain add a cryptographic signature to outgoing messages so receivers can verify that headers and body were not altered.
- Email Spoofing (attacks, № 375): Forging email headers so a message appears to come from a trusted sender, typically to enable phishing, fraud, or malware delivery.
- Business Email Compromise (attacks, № 135): A targeted fraud in which an attacker impersonates or takes over a corporate mailbox to trick an employee into wiring money, changing payment details, or sending sensitive data.
- Secure Email Gateway (network-security, № 984): A perimeter or cloud service that filters inbound and outbound email for spam, phishing, malware, data leakage, and policy violations before it reaches user mailboxes.
- BIMI (network-security, № 095): An email standard that lets domain owners display a verified brand logo next to authenticated messages in supporting clients, conditional on a DMARC policy of quarantine or reject.