Sender Policy Framework: SPF 101 (No, Not the Sunblock!) Carly Brantz May 24, 2013 Best Practices // SUMMARIES ?> We know you’re itching for the summer, but put away your bathing suit because we’re not talking about sun protection here. While SPF 101 would provide the ultimate skin protection, we’re actually talking about the SPF that has more to do with our day-to-day jobs—email. SPF stands for Sender Policy Framework. It’s an email authentication method that helps identify the mail servers that are permitted to send email from a particular domain. Using this validation protocol, ISPs can determine when spoofers and phishers are trying to forge emails from your domain to send malicious email to your users. Unfortunately, this is a huge problem plaguing consumer inboxes with repeated and unending attempts to illegally obtain personally identifiable information. Transactional email is particularly susceptible to attacks since spammers rely on existing relationships to drive your user to take action such as confirming an account, resetting a password, or logging in to correct a problem. Since SMTP alone won’t help, you must authenticate your mail using all the tools available to you to prevent these email attacks. This includes SPF. How SPF Works SPF is an open standard that protects the envelope sender. The envelope sender uses path registration (a.k.a. return path) and validates by mapping the IP address to the registered domain name in the MAIL FROM Return and/or the HELO/EHLO SMTP command. You must register an SPF record (or TXT record) using the v=spf1 parameter in the DNS that contains your IP addresses for each mail server authorized to send your messages. ISPs then use the DNS to verify the source and make filtering decisions. If the DNS record passes, then your email can be delivered. (This isn’t to say however that it absolutely will be delivered. As you know, there are many factors that can contribute to delivery failure. In this case if the email isn’t delivered, it won’t be because of SPF failure. To learn more about best sending practices, download our free Deliverability Guide.) Not everyone uses SPF authentication, but receivers that reject based on SPF failure will reject delivery. Some receivers may also quarantine mail that fails SPF without blocking it. Since this can be confusing stuff, we recommend checking out OpenSPF.org that provides a great example policy to show how SPF works. Each SPF record will be a bit different, but you should check to make sure you’ve got it right. Here are three tools that can help validate your records. Scott Kitterman’s SPF Testing Tools: Check to see if an SPF record already exists for your domain, check its validity or test its performance. OpenSPF.org: Review a series of form and email based testers. Google SPF Check: This service is only for Google Message Security customers, and has to be enabled, but it provides two resources for checking SPF by both sender and recipient domain. The Sum of It All Simply put, malicious email hurts your business and degrades the email channel. While SPF won’t prevent spam, it can serve as a deterrent and make you less vulnerable to attacks. Combined with Sender ID and DKIM, SPF provides an extra level of protection that will better support your users by helping ISPs properly identify your email and in turn, the spammers. To learn more about SPF and other authentication protocols, download the SendGrid Email Infrastructure Guide.