What is Sender Policy Framework (SPF) in DNS?

SPF is a policy configured in the DNS of the domain an email claims to come from. The receiving server uses it to check whether the server that sent the email is authorized to send mail for that domain.

If the server is not authorized, the message can be marked as SPAM, kept from being delivered to the end user, or rejected on receipt.

The rule is very simple, see the example below:
"v=spf1 a mx -all"

This means that the email servers authorized to send this email are the server where the domain's website is hosted (a) and the server currently configured to receive the domain's emails (mx), and that email received from any other server is refused (or removed) (-all). A record can also include an SPF containing other authorized servers from another domain; that is done with an include: term, which this example record does not contain.

It is always necessary to specify at least the SPF version used (v=spf1) and the last parameter, all, which can be:

+all (pass): Any server can send emails from this domain.
-all (fail): No servers other than those listed here can send emails from this domain.
~all (softfail): A weaker restriction, between fail and neutral. The message can be marked as SPAM, and the policy requests that the email delivery software (SMTP) perform further tests.
?all (neutral): No policy has been configured yet, or the domain owner does not want to configure one. It is the same as not having an SPF policy in the domain.
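
The evaluation described above, as an added example (not code from the original page): a Python evaluator that walks a record left to right and returns the result of the first term that matches the sending IP. The DNS data is a constructed in-memory table; the host names, the documentation IP addresses, and the include: and ip4: terms added to the page's record are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data standing in for DNS (hypothetical names, documentation IPs).
ZONE = {
    "example.com": {"spf": "v=spf1 a mx include:mailer.example.net -all",
                    "a": ["192.0.2.10"], "mx": ["mail.example.com"]},
    "mail.example.com": {"a": ["192.0.2.25"]},
    "mailer.example.net": {"spf": "v=spf1 ip4:198.51.100.0/24 ~all"},
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def addresses(host):
    # Address records of a host in the constructed table.
    return ZONE.get(host, {}).get("a", [])

def check_spf(ip, domain, depth=0):
    """Return the SPF result for a sending IP, evaluating terms left to right."""
    record = ZONE.get(domain, {}).get("spf")
    if record is None:
        return "none"            # domain publishes no SPF policy
    if depth > 10:
        return "permerror"       # guard against include loops
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    for term in terms[1:]:
        # A term without a qualifier is treated as "+" (pass).
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "a":
            matched = ip in addresses(arg or domain)
        elif name == "mx":
            hosts = ZONE.get(arg or domain, {}).get("mx", [])
            matched = any(ip in addresses(h) for h in hosts)
        elif name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # Only a "pass" from the included policy counts as a match.
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"   # mechanism outside this example's scope
        if matched:
            return RESULTS[qualifier]
    return "neutral"             # nothing matched and the record has no "all"
```

An address that only reaches ~all inside the included policy still ends at the outer record's -all, so the result for example.com is fail, not softfail.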

This does not guarantee that messages will not be marked as SPAM, because there are also other message validation tools, such as DMARC and DKIM, and some email providers require at least 2 rules like these to be configured before they trust a received email message.

Currently, the most common setup is SPF together with DKIM (message signature).

