SPF stands for Sender Policy Framework. It is an anti-spam and anti-spoofing mechanism that lets a domain owner publish, for receiving systems, the IP addresses of the mail servers authorized to send for that domain. A receiver uses it to decide whether a message that claims to come from a given domain actually arrived from a server the domain's owner has listed as legitimate.
Let's back up for a minute, though, and look at why this matters for email security. Every message is delivered inside an SMTP "envelope" that travels separately from the message itself. As with a piece of regular mail, a sender can write whatever return address they like on the envelope (the SMTP MAIL FROM, which the receiver records as the Return-Path) and whatever address they like inside the letter (the From: header the recipient sees). The receiver has no way of knowing whether either address is genuine. The one thing the receiver does know for certain is the IP address of the client that connected to its mail server and delivered the message. That still doesn't prove the return address is valid, but with SPF the receiver can ask the owner of the return address's domain whether that IP should be sending mail for it.
SPF data is published as a DNS record and managed through the DNS system. It is entered as a TXT record at the name of the domain used as the envelope sender. A dedicated SPF resource record type was defined for a while, and some DNS software still offers it alongside A, MX and CNAME, but RFC 7208 deprecated it; publish the TXT form, since that is what receivers actually look up. Because only the legitimate domain owner controls the domain's DNS, the SPF data can reasonably be treated as the owner's own statement, with one caveat: the trust is only as strong as the DNS lookup itself, and without DNSSEC the receiver is relying on an unauthenticated answer.
The domain owner has a number of options when creating an SPF record. At one end of the spectrum is no record at all ("I'm not going to tell you anything about my sending IPs"); at the other is an absolute record ending in "-all", which tells the receiving server "These are my outgoing email servers ONLY." In between, a record can end in "~all" (softfail: treat mail from any other source with suspicion) or "?all" (neutral: the owner makes no claim about other sources).
It's important to remember here that, like many other anti-spam measures, SPF records are informational only. The record expresses the domain owner's wishes, but it is ultimately the receiving entity's decision what its spam filter does with a pass, fail or softfail. It's also important to note that SPF cannot establish who actually wrote a message. It only verifies that the envelope sender domain (the MAIL FROM / Return-Path, not the From: header shown to the user) is being used from an IP the domain owner has authorized. A message can therefore pass SPF while displaying a forged From: header, as long as the envelope sender is a domain the attacker controls, which is why SPF is normally combined with DKIM and DMARC rather than relied on alone.
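The check described above, from picking the envelope domain to walking the record's mechanisms and qualifiers, as an added example that is not part of the original post. It is a deliberately minimal check_host() in the spirit of RFC 7208 that handles ip4, ip6, include and all; the DNS data is a constructed in-memory table, and the domain names in it (example.com, _spf.mailhost.example, nospf.example, loop.example) are assumptions for illustration, not real records.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. These domains and records are
# assumptions for the example, not real published data.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example": None,                              # domain publishes nothing
    "loop.example": "v=spf1 include:loop.example -all",  # pathological self-include
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for a domain, or None if it has none (table lookup)."""
    return FAKE_DNS_TXT.get(domain)


def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for the connecting client `ip`.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    Only ip4, ip6, include and all are implemented; a, mx, ptr, exists and the
    redirect=/exp= modifiers are reported as permerror to keep the example short.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10; approximated by recursion depth here
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # "all" always matches: record's final verdict
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix in the record
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # included domain must publish a valid record
            # fail/softfail/neutral inside an include do not match; keep going
        else:
            return "permerror"  # mechanism/modifier not implemented in this example
    return "neutral"  # nothing matched and no trailing "all"


def spf_for_session(client_ip, helo, mail_from):
    """Pick the domain SPF is checked against and evaluate it.

    SPF uses the envelope MAIL FROM domain; for the empty null sender used by
    bounces it falls back to the HELO name (RFC 7208 section 2.4). The From:
    header is never consulted, which is the gap the post warns about.
    """
    sender = mail_from.strip("<>")
    domain = sender.rpartition("@")[2] if "@" in sender else helo
    return domain, check_host(client_ip, domain)


if __name__ == "__main__":
    print(check_host("192.0.2.7", "example.com"))                          # pass (ip4)
    print(check_host("198.51.100.10", "example.com"))                      # pass (via include)
    print(check_host("203.0.113.5", "example.com"))                        # fail (-all)
    print(spf_for_session("203.0.113.5", "evil.example", "<bounce@example.com>"))
```

The last call shows why the header From: is irrelevant to SPF: the verdict depends only on the connecting IP and the MAIL FROM domain, so a spoofer who puts their own domain in the envelope passes SPF no matter what the From: header says.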
Stay tuned for Wednesday when we’ll talk more about the technical implementation of SPF and how to create the most common SPF record.

