- HOME
- Security and Privacy
- What is a Sender Policy Framework?
What is a Sender Policy Framework?
- Published : December 30, 2023
- Last Updated : November 28, 2024
- 670 Views
- 5 Min Read
The ever-growing cybersecurity landscape has led to various mitigation mechanisms to combat the attacks. One such mechanism is the Sender Policy Framework—or SPF for short. SPF allows a domain to specify all of the servers or IP addresses that can send emails on their behalf. If you use your domain to send transactional emails, adding SPF records for your domain will help you secure your domain and improve your credibility.
SPF works with other email authentication protocols like DKIM and DMARC in protecting the emails you send. This article is will focus on what SPF is and how it works, to give you a better understanding on how it helps with your domain reputation and deliverability.
What is SPF?
SPF is an email authentication mechanism used to validate the sender domain. This is done by adding this record to the sender's DNS repository. This record here contains a list of all the domains and IP addresses that are allowed to send emails for the sender's domain. The receiving server, once it receives the email, will then cross-check the sender details from the published list and take the necessary action.
Say you use ZeptoMail for your transactional emails and Campaigns for your marketing emails. Your SPF record will look like this:
v=spf1 include:zeptomail.net include:zcsend.net ~all
Emails sent from anyone other than the ones specified will not be allowed to pass. SPF validation is mainly done for domains. However, you can add the allowed IPs to your SPF record as well.
Why should I add an SPF record?
An SPF helps you protect your domain against spoofing and phishing attacks and is essential in protecting your transactional emails, too.
How? Transactional emails are optimized to be delivered on time; in fact, they’re delivered practically as soon as an action is performed. One major factor that ensures this is sender reputation; in other words, how the receiving server perceives the sender. If the receiving server finds the sender trustworthy, it will effortlessly allow the emails to pass through. Adding certain records—in this case an SPF—will help you reinforce your credibility to the receiver and tell it that you are legitimate.
Email authentication methods like SPF, DKIM, and DMARC allow you to authenticate or validate the emails sent from your domain. This is because, even if you own a domain, you usually rely on third-party services, like ZeptoMail, to send out emails for you. Without proper SPF records, it would imply that anyone can send emails for you. Moreover, even though you can send emails without proper email authentication, adding these records will give a layer of security and the internet service providers (ISPs) will trust your domain better. This would translate into your emails reaching the customers' inbox faster.
Let’s look at how SPF works to protect your emails.
How does SPF work?
One notable point about SPF authentication is that it doesn't validate against the From address; rather, it uses the domain mentioned in the return path. The return path is used to capture the bounced email. So, even if the sender uses a counterfeit email address, the email could pass the authentication check if the return path domain is validated. SPF works along with DKIM and DMARC to protect your domain from being spoofed by bad actors. Below is a high-level working example of an SPF:
- The sending server crafts an email and sends it to the intended recipient, with the return path being, let’s say, bounce@abc.com.
- The receiving server obtains the return path address and looks up the domain's (“abc” in this case) DNS records.
- This lookup will yield all of the records published by the domain, including the SPF.
- The receiver then scans the SPF for the list of servers eligible to send emails on behalf of the sender.
- If the sending server matches with the ones in the list, the email will be allowed to pass through and be delivered to the inbox. Otherwise, the recipient can either choose to reject or hold it based on the instructions provided by the sender.
How to add an SPF record?
Adding an SPF to your DNS is pretty simple and straightforward. It’s important to remember that you should list all of the domains and IP addresses in a single SPF record and not add multiple records. Having multiple SPF records will result in an SPF authentication fail. If you’re using an email service provider to send your emails, all you have to do is copy and paste the SPF value provided by your email service provider in your DNS settings page. If you’ve already published an SPF record for your domain, you can simply append the new values to it.
What does an SPF look like?
A typical SPF record is a combination of mechanisms and qualifiers. Mechanisms and qualifiers differ based on their roles. Let’s break down the SPF record and see what each parameter means.
SPF record: V= spf1 include:zeptomail.net~all
Mechanism
A mechanism defines what servers are allowed to send emails for a domain. The most commonly found mechanisms in an SPF record are :
- All
- Ip4/Ip6
- A
- Mx
- Include
all - This mechanism means that the receiving server should accept the message from any IP or server. This mechanism is listed at the end of the syntax and is always followed by a qualifier (+, -, ~) to specify the action to be performed once the receiver accepts. Any mechanism that comes after "All" will be ignored.
IP4 - Used to list all of the accepted Ipv4 address or range of addresses. If no prefix-length is mentioned, /32 is assumed.
IP6 - Used to list all of the accepted Ipv6 address or range of addresses. If no prefix-length is mentioned, /128 is assumed.
a - Lists all of the A records for the sender. The receiver should look up the host name listed next to this mechanism to obtain the IP address or addresses. It should then match the source IP with the one obtained from the lookup to accept, reject, or mark as suspicious.
mx-Specifies the mx records to be looked up. A DNS search on those mx records will be done to identify the a records. The process is similar to how the a records mentioned above will be carried out.
include-Include allows you to authorize the third-party email servers to send emails on your behalf.
Qualifiers
Qualifiers are added at the end of mechanisms and are used if a mechanism is cleared. There are four types of qualifiers that can be used:
- + (Pass) -This qualifier indicates that all of the matched records will be allowed to pass.
- - (Fail) -This is used to narrow the matched records down to just one or two records. For example, for v=spf1 +mx -all, only the mx matching the one mentioned will be allowed to pass; everything else will be rejected.
- ~ (Softfail) -This indicates that the result is inconclusive. The receiver will accept the email, but will mark it as an SPF fail.
- ? (Neutral) -This qualifier specifies that no information can be provided and that the receiving server accept all of the emails.
SPF in ZeptoMail
Adding your SPF records is a mandatory step in your account creation process. You should add your records in order to verify the domain that will use ZeptoMail to send your transactional emails. Refer to our guide here to add and verify your domain in ZeptoMail.