
What Is SPF? Everything You Need to Know About Sender Policy Framework


We hear a lot from our readers and customers about email deliverability. Sure, there’s all the buzz about GIFs, Outlook and Gmail inbox changes, but avoiding the spam folder is still top of mind.

We’ve written extensively on DomainKeys Identified Mail (DKIM) and how it affects email deliverability. In this post, we’ll cover another spam-related acronym: SPF, or Sender Policy Framework. Read on to learn more about how SPF works and how it compares to other email authentication protocols.

What Is a Sender Policy Framework (SPF)?

SPF is an email authentication protocol: a way for a recipient to confirm that an email truly comes from the sender and is not a piece of spam or a phishing attack.

There are several types of email authentication used to safeguard against spam, including DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). Each email authentication protocol has a different method and goal.

In the case of SPF, its chief role is to prevent email spammers from using your domain to send “spoof” emails. Unfortunately, spammers can easily fake email “from” fields – both the “from” the subscriber sees (“header from”) and the return address (“envelope from”). SPF helps protect against spoofing of that “envelope from” address.

An example of a phishing email with a spoofed email address and domain. Image source: Phishing.org.

 

SPF verifies sender IP addresses. It gives senders the power to tell recipients which IP addresses they’ve authorized to send email on their behalf. If the email comes from an IP address not listed in the SPF record, the recipient will block the message.

How Does SPF Work?

Senders must set up an SPF record that lists which IP addresses or servers can send email from their domain. The SPF record is a TXT record in the Domain Name System (DNS) server.

Wait – another acronym?! Unfortunately, yes. A DNS server essentially translates a domain name (such as “emailonacid.com”) into an IP address to find the correct site. Our friends at SendGrid have a more detailed explanation of DNS here.

Once you set up the SPF record in the DNS, a recipient email server will check the IP address sending email from your domain. If that sending IP address matches the SPF record in the DNS, the email has a better chance of landing in the inbox.

Having an SPF record in your DNS also means spammers are less likely to use your domain for a phishing attack. And with a better domain reputation, you’re less likely to land on an email blacklist, which can seriously affect your deliverability.

How Can I Check My SPF?

Email on Acid’s Spam Testing feature offers SPF testing. When you run a test, you will find it under the “Feedback Filters” column. The tool will tell you whether you fail or pass SPF tests, and the result will look like this:

SPF result in Email on Acid spam testing

When testing for SPF, you’ll want to make sure you use the seed list testing method (or “use my SMTP email server” if you have your own SMTP server), so Email on Acid gets results directly from your server. You can learn more about running a spam test here.

There is a third option for spam testing within Email on Acid: sending the test through our domain. While this may be a quick way to test, it won’t give you accurate information about your SPF because the test will be sent using our domain (emailonacid.com), not yours.

If you fail the SPF test, double-check that the SPF entry in your DNS server matches your sending IP address.

Drawbacks of SPF

We should note that SPF isn’t a perfect method for authenticating emails. It doesn’t prevent spammers from spoofing the display name (“header from”), which is visible in the inbox.

SPF also doesn’t work when you forward the email.

With that in mind, it’s important to use other authentication methods, including DKIM and DMARC, to ensure your message reaches the inbox.


Author: Melanie Graham

Born and raised in New England, Melanie has a background as a writer, editor and journalist. After roaming the U.S. as an expert vagabond, she’s landed in Denver as Email on Acid’s content manager. She’s a music nerd at heart who loves spending time at the piano.
