Skip to main content

Understanding How Sender Policy Framework (SPF) provides Email Authentication

· 6 min read
Hannes Palmquist
Senior Consultant Cloud

Overview

The Sender Policy Framework (SPF) is an email authentication method designed to detect and block email spoofing by verifying the IP address of the sender. SPF works by using DNS records to define which IP addresses are allowed to send emails on behalf of a domain. When an email is received, the recipient's mail server checks the SPF record to confirm that the message comes from an authorized server, helping prevent spammers from forging the domain of the sender.

Workflow

  1. The receiving system looks at the Return-Path/Envelope From (also known as "MAIL FROM") address in the SMTP header.
  2. It then queries DNS to fetch the SPF record associated with the domain in this "Return-Path."
  3. The server checks if the sending IP address matches the authorized IP addresses defined in the SPF record.
  4. SPF allows the domain to define its authorized mail servers using mechanisms such as A, MX, Include, IPv4, and IPv6 records. These records can be recursively resolved for additional IP addresses.
  5. Based on the results of the SPF validation, the recipient server determines the authenticity of the email and applies a decision: pass, neutral, softfail, or fail.

Pros

  • Domain Protection: SPF ensures that only authorized IP addresses can send email on behalf of a domain, reducing the risk of unauthorized domain usage.
  • Visibility: It provides transparency to email receivers, showing whether the sending mail server is legitimate and recognized by the domain owner.

Cons

  • Maintenance: Keeping SPF records up to date is a challenge, especially when domains use multiple email service providers (ESPs) or when email-sending infrastructure changes over time. A lack of central visibility across departments and providers makes it difficult to maintain a correct and complete SPF record.
  • Limited Rejection Capability: A failed SPF check doesn't always result in message rejection. Email providers weigh SPF results alongside other factors like DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) before deciding to accept or block an email.
  • Forwarding Issues: SPF checks can break when an email is forwarded. Since the forwarding server typically doesn't match the original sender's SPF, the forwarded email can fail SPF validation unless the domain implements other safeguards like DMARC with DKIM.
  • Display Name Spoofing: SPF only authenticates the MAIL FROM domain (Return-Path), which is often not visible to the recipient. Cybercriminals can still spoof the "From" header, a visible field for the user, and SPF won't protect against this type of impersonation.

Details

DNS Record Format

An SPF record is a DNS TXT record that defines which IP addresses or hosts are allowed to send email for a domain.

DNS Record Name:

  • @.[domain].[topdomain]
  • *.[domain].[topdomain]
  • [domain].[topdomain]

Example SPF Record:

v=spf1 ip4:203.0.113.2 a.example.com include.protection.outlook.com ~all

Here's a breakdown:

  • v=spf1: Declares the version of SPF.
  • ip4:203.0.113.2: Authorizes an IPv4 address to send mail.
  • a:mail.example.com: Authorizes the IP address of mail.example.com.
  • include:spf.protection.outlook.com: Allows email sent through Outlook's infrastructure.
  • ~all: Softfail; all other servers not specified in the record are likely unauthorized but not strictly blocked.

Mandatory Tags

TagDescription
vSPF version identifier, typically v=spf1.
-all or ~allThe -all indicates a hard fail (strict rejection), while ~all is a soft fail (mail is accepted but flagged).

Optional Tags

TagDescription
allA catch-all mechanism to define the default behavior if no other rule is matched.
ip4Specifies the authorized IPv4 address.
ip6Specifies the authorized IPv6 address.
aAuthorizes the IP address corresponding to an A (IPv4) record of a domain.
mxAuthorizes IP addresses listed in the domain's MX (Mail Exchange) records.
includeIncorporates another domain's SPF records into the current record. Used when a domain delegates email sending to a third-party service provider (e.g., Google or Microsoft).
ptrChecks if the sending IP's reverse DNS matches the domain name. (Rarely used due to performance issues and poor reliability. It's considered deprecated.)
existsEvaluates a complex DNS lookup to verify the sender's IP address. This is rarely used in SPF.

Qualifiers

QualifierDescription
+ (Pass)Explicit pass result, though this can be omitted since it's the default behavior. For example, +mx is the same as mx.
? (Neutral)Indicates that the result is neutral, treated as if there is no policy.
~ (Softfail)Marks the email as suspicious but does not reject it outright. Often used for debugging purposes. Messages that fail with a softfail are generally delivered but marked as suspect.
- (Fail)Hard fail, meaning the email should be rejected by the receiving server.

Additional Considerations

  1. SPF Record Length: DNS TXT records are limited to 255 characters, and the entire SPF record cannot exceed 512 characters in a single DNS query. This can lead to problems if too many mechanisms (like include or a) are used in the record. If the record becomes too long, it needs to be split across multiple records, or optimized by consolidating mechanisms.
  2. DNS Lookups: SPF records should not exceed 10 DNS lookups. Each time the SPF record references a domain with a, mx, or include mechanisms, it requires an additional DNS lookup. Exceeding this limit can result in SPF records that fail to authenticate, which could lead to undelivered or flagged emails.
  3. SPF, DKIM, and DMARC Interplay: While SPF verifies that an email was sent from an authorized server, it does not authenticate the content of the email or the integrity of the headers. DKIM helps address this by attaching a digital signature to the email, ensuring that the content has not been altered. Together, SPF and DKIM can be combined under DMARC policies to provide stronger email authentication, allowing domain owners to control how failed SPF and DKIM checks are handled.

Conclusion

SPF plays a critical role in the fight against email spoofing, but it is not a standalone solution. When used in conjunction with DKIM and DMARC, it becomes a powerful tool to prevent fraudulent emails from reaching users. However, maintaining accurate and up-to-date SPF records is crucial, especially for businesses that leverage multiple service providers or frequently change their infrastructure. Ensuring compliance with DNS lookup limits and SPF's compatibility with email forwarding is key to its effective use.