Email, on its own, is not the safest means of communication. It was one of the first forms of online communication and, thanks to various improvements since the 1970s, it has managed to stick around as an effective way to share information. As the online world developed, people began to find ways to manipulate emails or use them as a way to impersonate another person or company. Today, email spoofing is a common and easily executed scam that can cost an organization their reputation among customers. This is where SPF (Sender Policy Framework) comes in, to stop malicious attempts at brand impersonation.
An SPF record is a list of IP addresses that have the authority to send emails from a domain (e.g., couch-associates). It’s similar to the way sports teams submit their roster of eligible players before the start of a new season, if a player isn’t on that list, they aren’t eligible to play. Those that aren’t on an SPF record, don’t have the authority to send mails from that domain.
An SPF record, like the one above, is published to a domain’s public records. A server that receives an email will look at the domain that it was sent from, then look up the domain’s SPF record and search for the sender’s IP address. If it finds the address, the message is trustworthy, and is delivered to the recipient’s inbox.
When there is no match, or the server can’t find an SPF record at all, DMARC determines exactly what happens to the email. It could be quarantined, deleted or let through anyway, depending on the sending domain’s DMARC policy.
Why use SPF?
As more organizations adopt SPF, the more important it is becoming to have an SPF record in place to ensure your emails are passing their security checks and getting delivered. Additionally, domains protected by SPF are less likely to be the target of spamming and phishing attempts. These not only harm the company’s future email deliverability, but also their reputation amongst customers and anyone contacted maliciously.