Sender Policy Framework (SPF)

By | 29 October, 2013

Sender Policy Framework (SPF) is an email validation system designed to prevent email spam by verifying sender IP addresses. It allows domain administrators to specify which hosts are allowed to send mail from a given domain. SPF was published by the Internet Engineering Task Force (IETF) in RFC 4408.

How Sender Policy Framework works

At a high level, consider user@abc.com wanting to send email to user@def.com. The abc.com domain is protected by SPF with a record that authorizes only the IP address 1.2.3.4.

1) The abc.com mail server, with IP address 1.2.3.4, sends a message FROM user@abc.com TO user@def.com.
2) The def.com mail server receives the email and performs a DNS lookup for the TXT record of abc.com, looking for the SPF record.
3) def.com compares the IP address 1.2.3.4 against the abc.com SPF record.
3.1) If it matches and is allowed, the email is accepted (in this case it matches!!)
3.2) If not, the email is rejected.

What happens if someone at IP address 5.6.7.8 spoofs the email and sends it as user@abc.com? The recipient server compares the sender IP against the SPF record for abc.com, finds that it is not an authorized IP, and rejects the email.
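The check in step 3, as an added example that is not part of the original post: a small evaluator for the ip4/ip6 and all mechanisms with their +, -, ~ and ? qualifiers, run against a constructed TXT record for abc.com (the post does not show the real record text). The receiver logic mirrors the post's accept/reject decision.

```python
import ipaddress

# Constructed sample of the TXT record abc.com would publish (assumption: the
# post does not show the actual record). Only the host 1.2.3.4 may send.
ABC_COM_SPF = "v=spf1 ip4:1.2.3.4 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip):
    """Evaluate a sender IP against an SPF record, handling the ip4, ip6 and
    all mechanisms. Returns pass/fail/softfail/neutral, or 'none' when no
    mechanism matches. Mechanisms that need DNS (a, mx, include) are skipped."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        # partition on the first ':' only, so IPv6 arguments keep their colons
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32 or /128
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "none"

def receiver_decision(record, sender_ip):
    """The post's step 3: accept only when the sender IP produces an SPF pass."""
    return "accept" if evaluate_spf(record, sender_ip) == "pass" else "reject"

if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8"):
        print(ip, evaluate_spf(ABC_COM_SPF, ip), receiver_decision(ABC_COM_SPF, ip))
```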

Below is a diagram of how SPF works:

[Diagram: sender policy framework]

How to implement SPF

The domain owner creates a specific SPF record (or TXT record) in the Domain Name System (DNS).

What Sender Policy Framework record means


How to verify or validate Sender Policy Framework

You can verify and validate a domain's SPF record using the tools below:

1) mxtoolbox.com’s website
2) Kitterman’s website
3) Openspf’s website

Further Reading

There are other mechanisms as well, but hopefully this post is enough to teach you the basics about SPF. The SPF project is a great resource and the section on record syntax goes into much more detail about the different parts of the SPF record.

References

1) SPF Project
2) Explaining SPF
