In plain English
SPF is a list published in your DNS records that says: "Only these mail servers are allowed to send email from our domain." When a receiving server gets an email claiming to be from your domain, it checks the SPF record. If the sending server isn't on the list, the email can be flagged as suspicious or rejected.
Full definition
SPF works at the DNS level. Your domain's DNS record contains a list of IP addresses and mail servers authorised to send email on your behalf. When a recipient's mail server receives a message claiming to be from your domain, it checks that sending server against your SPF record. If the server is not on the list, the message can be quarantined or rejected outright.
Without SPF, anyone can send email that appears to come from your domain. This is the basic mechanism behind : an attacker sends a convincing invoice from what looks like your CFO's address, and your supplier pays it. Australian businesses lost over $84 million to business email compromise in the 2022-23 financial year, per the ACCC's Scamwatch data. SPF alone does not stop all of this, but it is the minimum starting point.
SPF alone is not enough
SPF works best alongside and . SPF confirms the sending server is authorised. DKIM signs the message content. DMARC tells receiving servers what to do when either check fails and sends you reports when someone tries to spoof your domain. All three form the standard stack that Microsoft and Google now expect on any domain sending commercial email.
