SPF

An email authentication method in which a domain publishes, in a DNS record, the mail servers authorized to send email on its behalf.

SPF (Sender Policy Framework) is a DNS-based email authentication mechanism designed to detect and prevent forgery of the sender address, commonly known as spoofing. It allows domain owners to declare which mail servers are authorized to send email on behalf of their domain.

How it works

The domain owner publishes the SPF policy as a TXT record at the domain's DNS name. When a message arrives, the receiving mail server takes the domain from the envelope sender (the SMTP MAIL FROM address, which the receiver later writes into the Return-Path header), fetches that domain's SPF record, and checks whether the IP address of the connecting client is authorized by it. The outcome is one of pass, fail, softfail, neutral, none, or an error; how a non-pass result is handled depends on the qualifier in the record and on the receiver's own policy, typically rejection for fail and delivery with a spam-score penalty for softfail. Note that SPF authenticates only the envelope sender, not the From: header the recipient sees, so SPF on its own does not stop header-From spoofing; DMARC closes that gap by requiring the two domains to align.

  • v=spf1: the version tag; a TXT record that does not begin with it is not treated as an SPF record;
  • ip4, ip6, a, mx, include: mechanisms that list authorized senders; ip4 and ip6 name addresses or CIDR ranges directly, while include pulls in another domain's record (for example a hosted mail provider) and, like a, mx, ptr and exists, costs one DNS lookup;
  • all: the catch-all mechanism that matches any IP not matched earlier; the qualifier in front of it sets the result for unauthorized senders: -all (fail, hard reject), ~all (softfail, accept but mark), ?all (neutral). The same qualifiers (+, -, ~, ?) can prefix any mechanism, with + as the default.

SPF is a foundational security layer alongside DKIM and DMARC. A common real-world configuration, here for a domain whose mail is hosted on Microsoft 365, looks like this: v=spf1 include:spf.protection.outlook.com -all. A technical constraint to note is the 10-lookup limit: the mechanisms include, a, mx, ptr and exists and the redirect modifier each count as one DNS lookup, lookups made inside included records count as well, and ip4/ip6 terms do not count. If evaluating a record needs more than 10 such lookups, the check returns PermError instead of pass, and because DMARC treats an SPF PermError as a failure, legitimate mail can end up rejected or quarantined. Records that chain several third-party senders through include are the usual cause, so the lookup count should be re-checked whenever a sender is added.
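The evaluation procedure described above, including the lookup limit, as an added worked example that is not part of the original page: a simplified RFC 7208 check_host() in Python that handles ip4, ip6, include and all with their qualifiers, counts the DNS-querying mechanisms it encounters, and returns permerror once the tenth lookup is exceeded. The DNS data is a constructed in-memory table; the domains, addresses and records in it are assumptions made up for the example, not real published policies, and a deployment would replace lookup_txt with a real TXT query (for instance via dnspython).

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups. These domains and records
# are assumptions made up for the example, not real published SPF policies.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:192.0.2.1 ~all",
    # A record that includes itself: every evaluation burns one lookup until
    # the limit is hit, which is the PermError failure mode described above.
    "loopy.example": "v=spf1 include:loopy.example -all",
}

LOOKUP_LIMIT = 10                       # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain):
    """Return the SPF TXT record for a domain, or None if there is none.
    Swap in a real DNS query (e.g. dnspython) for a deployment."""
    return FAKE_DNS.get(domain)


def check_host(ip, domain, state):
    """Simplified RFC 7208 check_host(): evaluate the client IP against the
    SPF record of `domain`. Supports ip4, ip6, include and all; a, mx, ptr,
    exists, redirect and macros are out of scope here and yield permerror.
    state["lookups"] accumulates DNS-querying mechanisms across includes."""
    record = lookup_txt(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                    # not an SPF record
    client = ipaddress.ip_address(ip)

    for term in terms[1:]:
        qualifier = "+"                  # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all: result for everything else

        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # malformed address or prefix
            if client.version == net.version and client in net:
                return QUALIFIERS[qualifier]

        elif name == "include":
            state["lookups"] += 1        # include costs one DNS lookup
            if state["lookups"] > LOOKUP_LIMIT:
                return "permerror"       # too many DNS lookups
            sub = check_host(ip, arg, state)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("permerror", "temperror"):
                return sub
            if sub == "none":
                return "permerror"       # RFC 7208 section 5.2: included domain has no SPF
            # fail/softfail/neutral inside the include means no match; keep going

        else:
            return "permerror"           # mechanism not handled by this example

    return "neutral"                     # RFC 7208 section 4.7: nothing matched


def spf_check(ip, domain):
    """Run the check and report the result together with the lookups used."""
    state = {"lookups": 0}
    result = check_host(ip, domain, state)
    return result, state["lookups"]


if __name__ == "__main__":
    for ip, dom in [("192.0.2.55", "example.com"), ("198.51.100.10", "example.com"),
                    ("203.0.113.5", "example.com"), ("203.0.113.5", "loopy.example")]:
        print(dom, ip, spf_check(ip, dom))
```

Running it shows the three outcomes the text describes: a direct ip4 match passes with zero lookups, a match inside the included provider record passes at the cost of one lookup, an unlisted address falls through to -all and fails, and the self-including record exhausts the 10-lookup budget and returns permerror even though the client IP was never the problem.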