
What Is SPF and Why Should You Care?

By Ṣọ Email Security · 5 min read

SPF (Sender Policy Framework) is a DNS record that tells receiving mail servers which IP addresses are authorized to send email on behalf of your domain. Without it, anyone can forge your address and send phishing emails that look like they came from you.

Tags: email security, SPF, Sender Policy Framework, email authentication, phishing prevention, BEC, DMARC, DKIM, DNS, cybersecurity

What Is SPF in One Sentence?

SPF, or Sender Policy Framework, is a DNS TXT record that specifies which mail servers are authorized to send email using your domain as the envelope sender (the MAIL FROM address the sending server announces, not necessarily the address shown in the From header). When an email arrives, the receiving server looks up that record for the envelope domain and checks the connecting IP against it. If the IP is not on the approved list, the message can be flagged or rejected outright. One record. One check. One door closed against impersonation.


What Does SPF Actually Mean?

SPF stands for Sender Policy Framework. It is an email authentication protocol defined in IETF RFC 7208 and recommended as a foundational control by NIST Special Publication 800-177.

SPF works at the DNS level. You publish a TXT record on your domain listing every mail server or service authorized to send on your behalf. Receiving servers query that record before accepting or delivering a message.

SPF is one of three core email authentication standards. The other two are DKIM (DomainKeys Identified Mail), which cryptographically signs message content, and DMARC (Domain-based Message Authentication, Reporting, and Conformance), which enforces policy and delivers reporting. All three work together. SPF is the starting point.

"SPF allows the owner of a domain to specify their mail sending policy, e.g. which mail servers they use to send mail from their domain." — IETF RFC 7208


Why Does SPF Matter? What Happens Without It?

Without an SPF record, your domain is an open impersonation target. Any attacker with basic SMTP knowledge can forge your address, send phishing emails to your clients, and create messages that appear to originate from your organization with zero friction.

The numbers make the stakes concrete:

  • The FBI's Internet Crime Complaint Center (IC3) reported that Business Email Compromise (BEC) caused over $2.9 billion in losses in 2023, one of the costliest cybercrime categories it tracks.
  • According to the Verizon 2024 Data Breach Investigations Report, phishing was involved in 41% of social engineering incidents, with email remaining the primary delivery channel.
  • NIST SP 800-177 lists SPF as a baseline email authentication control for organizations of all sizes, including small businesses and nonprofits.

SPF does not encrypt your email. It does not stop every phishing attack. What it removes is one of the easiest tools an attacker has: the ability to forge your domain with no barriers.


How Does an Email Spoofing Attack Actually Work?

Understanding the mechanics makes the fix obvious.

Step 1 — Attacker identifies an unprotected domain. They run a simple DNS lookup on your domain. No SPF record found, or the record ends in +all, which authorizes every sender on the internet. Either way, your domain is spoofable.

Step 2 — Attacker crafts a spoofed email. Using freely available SMTP tools, they put your domain in the envelope sender (MAIL FROM) and in the visible From header. No login required. No access to your mail server needed. One limit of the control is worth knowing here: SPF checks only the envelope domain. An attacker who uses a domain they control in the envelope and forges only the visible From header passes SPF; catching that takes DMARC alignment, which requires the header From domain to match the domain SPF or DKIM authenticated.

Step 3 — Email is delivered. Without SPF, the receiving server has no policy to check against. The spoofed message clears basic filters and lands in the inbox looking legitimate.

Step 4 — Victim acts on the message. The recipient sees a trusted domain name, follows instructions, and wires money, shares login credentials, approves a vendor payment change, or opens a malicious attachment.

Step 5 — Damage is done before detection. BEC attacks are frequently discovered days or weeks after the fact. Wire transfers are rarely recovered. The FBI reports that losses from BEC are among the most difficult to claw back of any cybercrime category.


Real Case: The 2020 Puerto Rico Government Wire Fraud

In January 2020, the Puerto Rico Industrial Development Company transferred approximately $2.6 million to a fraudulent bank account after receiving an email that appeared to come from a trusted government sender. The message was a routine-looking request to change the bank account used for payments, and it was acted on without out-of-band verification.

The FBI recovered a portion of the funds, and the incident became a widely cited example of how a convincing change-of-bank-details message defeats process controls when nothing on the receiving side can prove where a message came from.

This was not a zero-day exploit. It was a fraudulent email that looked legitimate. One caveat for practitioners: SPF stops a forged envelope sender, not a hijacked account. If an attacker sends from a compromised mailbox on the legitimate mail server, the sending IP is authorized and SPF passes, which is why a payment-change request still needs a phone call to a known number no matter how good your DNS records are.


Is Your Domain Protected? SPF Detection Checklist

Run this audit before assuming your domain is secure.

  • SPF record exists, and only one. Run dig +short TXT yourdomain.com or use MXToolbox SPF Lookup to confirm a TXT record starting with v=spf1 is present. Confirm there is exactly one: a second v=spf1 record at the same name is a permanent error (permerror), which receivers treat as a failed check.
  • Record ends with -all. A hard fail (-all) rejects unauthorized senders. A soft fail (~all) only marks them. The value +all is dangerous: it authorizes every sender on the internet. Note that DMARC only counts an SPF result of pass, so once DMARC is enforcing, ~all and -all lead to the same DMARC verdict; without DMARC, -all is what closes the door.
  • All sending services are listed. Your mail host, CRM, marketing platform, invoicing tool, and helpdesk system each need to be included if they send email from your domain.
  • Lookup count is under 10. SPF limits each evaluation to 10 DNS-querying terms (include, a, mx, ptr, exists, and redirect; ip4 and ip6 are free). Exceeding the limit does not fail silently: evaluation returns permerror instead of pass, receivers treat that as a failed check, and DMARC counts it as an SPF failure. Your own legitimate mail starts failing authentication while the record looks fine in the DNS panel.
  • SPF is paired with DKIM and DMARC. SPF alone is not sufficient. DMARC enforces your policy and delivers daily aggregate reports on who is sending from your domain.
  • Subdomains have their own records. Subdomains do not inherit SPF from the root domain. Each one requires its own TXT record or explicit policy; a subdomain (or domain) that never sends mail should publish v=spf1 -all.

How Do You Set Up SPF? Step-by-Step Prevention

Step 1 — Audit all sending sources. List every service that sends email using your domain: your mail provider (Google Workspace, Microsoft 365, Zoho), your email marketing tool (Mailchimp, ConvertKit), your CRM, your invoicing software. Every sender must be represented in the record.

Step 2 — Write your SPF TXT record. A basic SPF record for Google Workspace looks like this:

v=spf1 include:_spf.google.com -all

For multiple services:

v=spf1 include:_spf.google.com include:servers.mcsv.net ip4:192.0.2.1 -all

Step 3 — Publish it in your DNS. Add it as a TXT record at the domain apex (the record name is usually @ or left blank in the DNS panel). If a v=spf1 record already exists, merge the new include into it rather than adding a second record. Cloudflare, GoDaddy, and Namecheap all support TXT records.

Step 4 — Validate the record. Use MXToolbox SPF Check or Google Admin Toolbox to confirm syntax is correct and that you are within the 10 DNS lookup limit. Then send a test message from each sending service to a mailbox you control and confirm the Authentication-Results header shows spf=pass.

Step 5 — Add DKIM and DMARC. SPF authenticates the sending server. DKIM signs the message content. DMARC ties both together and tells receiving servers what to do when checks fail. Start with p=none and an rua= reporting address to monitor, then move to p=quarantine and p=reject as confidence builds.

Step 6 — Review when sending infrastructure changes. SPF records go stale. Any time you add a new email-sending tool or change providers, audit your SPF record to keep it current.
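The audit checklist above and the validation in Step 4, as an added example that is not part of the original article or the Ṣọ product: a small Python SPF evaluator and linter that runs offline against a constructed DNS table. It evaluates a sending IP against the record from Step 2 the way a receiving server does, including the 10-lookup budget and the permerror cases the checklist warns about (two records, a runaway include chain), and spf_identity shows the point from the spoofing walkthrough that SPF checks the envelope MAIL FROM domain, not the visible From header. Every domain name, address and the stubbed contents of the two public include names are constructed assumptions; ptr/a/mx host resolution and the redirect= modifier are not modelled.

```python
"""Offline SPF evaluator and linter, a practical subset of RFC 7208. Constructed example:
the TXT table stands in for live DNS so it runs offline; names and addresses are hypothetical
(RFC 5737 documentation ranges); the two public include names from the record above are
reused, but their contents here are stubs, not the providers' real data."""
import ipaddress

TXT = {  # constructed zone: name -> TXT strings published at that name
    "example.com": ["v=spf1 include:_spf.google.com include:servers.mcsv.net ip4:192.0.2.1 -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "servers.mcsv.net": ["v=spf1 ip4:198.51.100.0/24 ?all"],
    "open.example": ["v=spf1 +all"],                                # authorizes the whole internet
    "twice.example": ["v=spf1 -all", "v=spf1 ip4:192.0.2.9 -all"],  # two records: permerror
    "loopy.example": ["v=spf1 include:loopy.example -all"],         # blows the 10-lookup limit
    "parked.example": ["v=spf1 -all"],                              # right record for a non-sending domain
}
MAX_LOOKUPS = 10                                                    # RFC 7208 section 4.6.4
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

class SpfPermError(Exception):
    """Permanent error: receivers treat it as a failed check, not as 'no policy'."""

def spf_identity(mail_from, helo):
    """Domain SPF is checked against: the RFC5321.MailFrom domain, or HELO for a null sender.
    The visible header From is never checked by SPF; only DMARC alignment ties it in."""
    sender = mail_from.strip("<>")
    return helo.lower() if sender == "" else sender.rpartition("@")[2].lower()

def spf_record(domain):
    """The one v=spf1 TXT record at domain; None if absent; permerror if more than one."""
    recs = [t for t in TXT.get(domain.lower(), []) if t.lower().split(" ", 1)[0] == "v=spf1"]
    if len(recs) > 1:
        raise SpfPermError(f"{domain} publishes {len(recs)} v=spf1 records; receivers reject both")
    return recs[0] if recs else None

def _terms(record):
    """Yield (qualifier, mechanism, argument) per term; redirect=/exp= modifiers are not modelled."""
    for term in record.split()[1:]:
        if "=" in term.partition(":")[0]:                           # modifier: skipped in this subset
            continue
        qual = term[0] if term[0] in QUAL else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        yield qual, mech.partition("/")[0].lower(), arg             # "a/24" -> "a"

def check_host(ip, domain, counter, walk=False):
    """check_host() from RFC 7208 section 4. counter is the per-evaluation DNS budget a receiver
    enforces; walk=True visits every term instead of stopping at the first match (for counting)."""
    record = spf_record(domain)                                     # fetching the record itself is free
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qual, mech, arg in _terms(record):
        if mech in ("include", "a", "mx", "ptr", "exists"):         # these each cost a DNS query
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                raise SpfPermError(f"more than {MAX_LOOKUPS} DNS lookups")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):                                # the cheap mechanisms: no DNS needed
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            sub = check_host(ip, arg, counter, walk)
            if sub == "none":
                raise SpfPermError(f"include:{arg} has no SPF record")
            matched = sub == "pass"                                 # fail/softfail/neutral only mean 'no match'
        elif mech in ("a", "mx", "ptr", "exists"):
            matched = False                                         # host resolution not modelled here
        else:
            raise SpfPermError(f"unknown mechanism {mech}")
        if matched and not walk:
            return QUAL[qual]
    return "neutral"                                                # nothing matched

def spf_check(ip, domain):
    """(result, lookups_used) as a receiving MTA would compute for this sending IP."""
    counter = [0]
    try:
        return check_host(ip, domain, counter), counter[0]
    except SpfPermError:
        return "permerror", counter[0]

def audit(domain):
    """The detection checklist as code; an empty list means every check passed."""
    try:
        record = spf_record(domain)
        if record is None:
            return ["no SPF record: anyone can use this domain as envelope sender"]
        terms, findings = list(_terms(record)) or [("+", "", "")], []
        if any(q == "+" and m == "all" for q, m, _ in terms):
            findings.append("+all authorizes every sender on the internet")
        if terms[-1][:2] != ("-", "all"):
            findings.append("record does not end in -all")
        counter = [0]
        check_host("192.0.2.0", domain, counter, walk=True)         # walk the whole include tree
        if counter[0] > MAX_LOOKUPS - 2:
            findings.append(f"{counter[0]} of {MAX_LOOKUPS} lookups used; one more include may break it")
        return findings
    except SpfPermError as e:
        return [f"permerror: {e}"]

if __name__ == "__main__":
    print(spf_identity("<bounce@attacker.example>", "mx.attacker.example"))  # the envelope domain, not the header From
    print(spf_check("198.18.0.1", "example.com"), spf_check("198.18.0.1", "open.example"))
    print({dom: audit(dom) or "OK" for dom in TXT})
```

Two behaviours are worth watching when you run it: a sending IP that matches nothing at example.com gets fail after only three lookups, so the record has plenty of headroom, while loopy.example is permerror after eleven, and the audit reports the same thing in words. A subdomain such as sub.example.com returns none, not the parent's policy, which is the checklist's inheritance point.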


The Bottom Line

SPF is not optional infrastructure. It is the baseline protection every domain owner owes their contacts and their own reputation. A missing or broken SPF record is an open invitation for attackers to impersonate your organization with zero technical effort.

One DNS record. Fifteen minutes to configure. Billions of dollars in annual fraud that depends on domains like yours being unprotected.

Trust Aside: Ṣọ Email Security evaluates SPF, DKIM, and DMARC locally on your device. Your emails are never sent to external servers for analysis. AI-powered protection, zero data collection. That's the Ṣọ promise.


Sources: FBI IC3 Annual Report 2023 | NIST SP 800-177 | IETF RFC 7208 | Verizon 2024 DBIR | U.S. DOJ Puerto Rico Wire Fraud Case (2020)