IronSights

Network & infrastructure

SPF

An email authentication protocol that specifies which mail servers are authorised to send email on behalf of a domain, allowing receiving servers to reject email from unauthorised sources.

Also known asSPFSender Policy Framework

In plain English

SPF is a list published in your DNS records that says: "Only these mail servers are allowed to send email from our domain." When a receiving server gets an email claiming to be from your domain, it checks the SPF record. If the sending server isn't on the list, the email can be flagged as suspicious or rejected.

Full definition

SPF works at the DNS level. Your domain's DNS record contains a list of IP addresses and mail servers authorised to send email on your behalf. When a recipient's mail server receives a message claiming to be from your domain, it checks that sending server against your SPF record. If the server is not on the list, the message can be quarantined or rejected outright.

Without SPF, anyone can send email that appears to come from your domain. This is the basic mechanism behind : an attacker sends a convincing invoice from what looks like your CFO's address, and your supplier pays it. Australian businesses lost over $84 million to business email compromise in the 2022-23 financial year, per the ACCC's Scamwatch data. SPF alone does not stop all of this, but it is the minimum starting point.

SPF alone is not enough

SPF works best alongside and . SPF confirms the sending server is authorised. DKIM signs the message content. DMARC tells receiving servers what to do when either check fails and sends you reports when someone tries to spoof your domain. All three form the standard stack that Microsoft and Google now expect on any domain sending commercial email.

Keep learning

More terms in the IronSights Glossary.