Sender Policy Framework (SPF) is one of the oldest and most widely used standards for validating email senders’ identities. It is a cornerstone of modern email authentication.
However, SPF alone isn’t actually very helpful for protecting your domain from fraud.
The biggest problem is that SPF bases its authentication decisions on a message header field that most humans never see: the Return-Path.
What is SPF?
SPF originated in the early 2000s, when the primary consideration was preventing spammers from overloading email servers with junk. As a result, it’s oriented towards blocking unauthorized email servers.
In essence, SPF allows domain owners to create a rule system specifying a whitelist of senders. It’s an IP address-based system, and the creators expected domain owners to allow IP addresses that they manage through explicit lists and implicit rules that map to IP addresses.
SPF record limitations
SPF authentication works by looking at the Return-Path field of the message, which most humans never see.
That makes it far too easy for hackers to create messages that pass authentication (because SPF validates the domain in the hidden Return-Path field) but are nevertheless fraudulent (because they use someone else’s domain in the visible From field).
In today’s world, many companies use email senders they don’t directly manage (cloud services that send on their behalf, for instance). Fortunately, SPF also allows you to include rulesets defined by third-party services, but the standard limits the number of such rulesets that can be imported to 10.
By creating an allowlist, SPF allows receiving servers to authenticate only messages from senders on that allowlist.
SPF doesn’t take action on non-authorized messages
However, SPF doesn’t actually tell those receiving servers what they should do with non-authorized messages. Worse, it provides no feedback to domain owners and does not check the From field that humans actually see.
It’s only with the addition of the more recent standard, Domain-based Message Authentication, Reporting & Conformance (DMARC), that SPF becomes useful as an authentication standard. That’s because DMARC adds a few essential elements:
- DMARC requires the domain in the visible From address to match (align with) the domain in the hidden Return-Path address.
- With DMARC, domain owners can set a policy that tells receiving servers how to handle non-authenticating emails: do nothing, quarantine them (in a spam folder), or reject them (drop them on the floor).
- DMARC includes provisions for receiving email servers to send reports back to domain owners, detailing successful and unsuccessful authentications (usually every 24 hours).
None of this is meant to cast aspersions on the creators of SPF or the standard itself. SPF was an important part of the wide-ranging defense system email experts built to curb the onslaught of spam in the early 2000s. It provides a crucial component needed to authenticate inbound emails: a ruleset for identifying legitimate senders.
However, it’s only with the addition of DMARC that SPF functions properly as an anti-fraud tool.
SPF has a 10 DNS lookup limit
Another limitation that makes SPF challenging to use is the 10-DNS-lookup limit. A receiving mail server has to perform DNS lookups to determine whether a message passes SPF, and the standard caps those lookups at 10 per check. This limit protects receiving email servers from denial-of-service attacks, but it can make it hard to rely on SPF alone.
Unfortunately, these lookups add up fast, and it’s not always obvious when you’ve reached the limit. There are shortcuts to work around it, but they are very manual and can easily break, which is why they’re not recommended.
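To make the two points above concrete, here is an added example (not Valimail’s code or tooling) that walks an SPF record chain and counts the DNS lookups it costs, then applies the From/Return-Path domain alignment check that DMARC layers on top of SPF. The domains and records are constructed for the example and stand in for real DNS TXT lookups; the alignment check is the relaxed mode, simplified to treat the last two labels as the organizational domain.

```python
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10  # RFC 7208 allows at most 10 lookup-causing terms per check

# Constructed records standing in for DNS TXT lookups (not real domains).
FAKE_DNS = {
    "example.com": "v=spf1 mx include:_spf.saas-a.example include:mail.saas-b.example ~all",
    "_spf.saas-a.example": "v=spf1 ip4:192.0.2.0/24 include:_netblocks.saas-a.example -all",
    "_netblocks.saas-a.example": "v=spf1 a mx ip4:198.51.100.0/24 -all",
    "mail.saas-b.example": "v=spf1 a:relay.saas-b.example include:_spf.saas-c.example ptr exists:%{i}.chk.saas-b.example -all",
    "_spf.saas-c.example": "v=spf1 mx mx:backup.saas-c.example include:_spf.saas-d.example -all",
    "_spf.saas-d.example": "v=spf1 ip4:203.0.113.0/24 redirect=_spf.saas-e.example",
    "_spf.saas-e.example": "v=spf1 a -all",
}

def count_lookups(domain, dns=FAKE_DNS, seen=None):
    """Count the DNS lookups a receiver spends evaluating `domain`'s SPF record.
    include/a/mx/ptr/exists/redirect each cost one lookup; include and redirect
    targets are evaluated recursively, so their lookups add up too.  `seen`
    holds the current chain so a record that points back at itself stops."""
    seen = seen or frozenset()
    if domain in seen:                                    # cycle: stop walking
        return 0
    seen = seen | {domain}
    total = 0
    for term in dns.get(domain, "").split()[1:]:          # skip the v=spf1 tag
        term = term.lstrip("+-~?")                        # drop the qualifier
        name, _, target = term.replace("=", ":", 1).partition(":")
        if name not in LOOKUP_MECHANISMS:
            continue                                      # ip4/ip6/all are free
        total += 1
        if name in ("include", "redirect"):
            total += count_lookups(target, dns, seen)
    return total

def exceeds_limit(domain, dns=FAKE_DNS):
    """True when the record chain costs more than the 10 lookups SPF permits."""
    return count_lookups(domain, dns) > LOOKUP_LIMIT

def dmarc_aligned(from_domain, return_path_domain):
    """DMARC's added check: the domain humans see in From must align with the
    Return-Path domain SPF actually validated (relaxed mode, simplified here
    to the last two labels as the organizational domain)."""
    def org(d):
        return ".".join(d.lower().rsplit(".", 2)[-2:])
    return org(from_domain) == org(return_path_domain)

if __name__ == "__main__":
    print("example.com lookups:", count_lookups("example.com"), "over limit:", exceeds_limit("example.com"))
    print("From bank.example / Return-Path mailer.other.example aligned:", dmarc_aligned("bank.example", "mailer.other.example"))
```

Running it shows that three innocent-looking include: entries already push the constructed example.com record to 15 lookups, and that a message whose Return-Path domain passes SPF still fails DMARC alignment when the From domain belongs to someone else.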
Valimail’s patented Instant SPF technology simplifies the process of authorizing these services and gives you an easy and trusted way around the SPF 10-lookup limit.
Start using DMARC (and make SPF work) with Valimail
While SPF alone doesn’t protect your brand, it’s an important part of your DMARC policy. When a message fails SPF or DomainKeys Identified Mail (DKIM), your DMARC policies tell the email servers how to handle it (leave it alone, send it to the spam folder, or reject it entirely). DMARC is the action-oriented authentication protocol, but it relies on SPF to identify unauthenticated emails.
Ready to get started with DMARC? You’re in the right place.
Valimail provides the expertise and tools you need to automate your DMARC and protect your domains from phishing attacks with plug-and-play integration—no code necessary. See for yourself. Schedule a demo with one of our experts to see how Valimail can protect your brand.