
How to Explain SPF in Plain English



The world of email has its share of bad apples. 

Phishing and spoofing attacks have skyrocketed over the past few years. And unfortunately, the bad actors responsible are getting smarter and more dangerous by the day. 

Mailbox providers and internet service providers have responded to these increased threats by requiring certain authentication measures to be in place for successful mail delivery. 

But let’s face it: Email authentication can be extremely technical and confusing. Even the most seasoned email security professionals need help navigating this space and explaining it in digestible terms. 

At Validity, we’re all about clarity. In this blog, we’ll explain one of the most important email authentication protocols, the Sender Policy Framework (SPF).  

We’ll cover how to use SPF to prevent email fraud, protect your brand reputation, and boost your email deliverability. Best of all, we’ll do it in plain English. 

Email’s vulnerabilities 

Email is a top revenue-driving channel for most businesses. But hey, it isn’t perfect. Before we master SPF, it’s important to understand the vulnerabilities of email messages. 

Two “from” addresses 

Email messages carry two “from” addresses: the “envelope from” (also called the return path) and the “header from” (the friendly from). 

The “envelope from” is the return address. It tells mail servers where to bounce the message back to, when that is needed. It lives in the message’s technical headers, which mail clients normally hide and which carry the details servers use to work out who the message is for and what software composed it. 

The “header from” is the address in the “From:” field of an email, which every email user can see. 

The problem? Cybercriminals can use or spoof both addresses relatively easily. That’s where email authentication comes in. 

SPF (Sender Policy Framework)

What it is: SPF is an email authentication protocol that allows the owner of a domain to specify which mail servers they use to send mail from that domain.

How it works: Brands sending email publish SPF records in the Domain Name System (DNS). These records list which IP addresses are authorized to send email on behalf of their domains.

During an SPF check, the receiving mail server looks up the SPF record in DNS for the domain in the “envelope from” address. If the IP address delivering the message on behalf of that domain isn’t listed in the record, the message fails SPF authentication.

Think of the SPF record like the guest list of an exclusive VIP event: If your name isn’t on the list, there’s no chance you’ll get past the door. Similarly, if an SPF record doesn’t have a sender’s IP address on its list, the email provider will either block the emails or mark them as spam. 

Why does SPF matter? An SPF-protected domain is less attractive to phishers. Therefore, it’s less likely to be blocklisted by spam filters, which helps ensure that legitimate emails from your domain are actually delivered. 
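To make the “guest list” concrete, here is a small SPF evaluator written for this post (it is added example code, not Validity’s or any mail provider’s implementation). It runs against a constructed, in-memory table standing in for DNS TXT records, so it needs no network. The domain names and IP addresses in the table are made up for the example. It handles the `ip4`, `ip6`, `include` and `all` mechanisms and enforces the ten-lookup limit; a real resolver also handles `a`, `mx`, `exists`, `redirect` and macros.

```python
"""Minimal SPF evaluator over a constructed, in-memory DNS table (no network)."""
import ipaddress

# Constructed sample DNS data for the example (not real records):
# TXT records keyed by domain name.
FAKE_DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "loop.example": ["v=spf1 include:loop.example -all"],  # misconfigured record
}

MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per check

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain, dns=FAKE_DNS_TXT):
    """Return the single v=spf1 TXT record for a domain, or None if absent."""
    records = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(client_ip, envelope_from_domain, dns=FAKE_DNS_TXT, _lookups=None):
    """Evaluate SPF for the connecting IP against the envelope-from domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = get_spf_record(envelope_from_domain, dns)
    if record is None:
        return "none"  # no SPF record: the receiver cannot decide either way
    ip = ipaddress.ip_address(client_ip)

    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all decides the final result
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # unparsable record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many lookups (e.g. an include loop)
            inner = check_spf(client_ip, arg, dns, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"
            # fail/softfail/neutral from the included record: try the next term
        else:
            return "permerror"  # mechanism this example does not implement
    return "neutral"  # record has no 'all' term: default result


if __name__ == "__main__":
    for ip in ("192.0.2.7", "198.51.100.10", "2001:db8::1", "203.0.113.9"):
        print(ip, "->", check_spf(ip, "example.com"))
```

An IP that the domain owner never listed (such as a server that merely forwards a message onward) gets `fail` from a record ending in `-all`, which is why the shortcomings below matter even when the record itself is correct.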

But SPF has a few shortcomings

That all sounds great, right? Like email, SPF isn’t perfect. Marketing and security professionals should beware of the following SPF shortcomings that might leave their programs vulnerable to cyberattacks. 

1. SPF records need to be kept up to date as businesses change email service providers and add mail streams.

But it can be difficult to stay ahead of these updates when members of the team lack visibility into the SPF record and its importance. 

To address this issue proactively, ensure your team is aware of all platforms and sending domains your organization uses. Schedule regular meetings with your IT and security departments to stay ahead of any changes. 

2. SPF breaks when a message is forwarded. 

It’s normal for SPF to break when messages are forwarded. So, it’s important that senders don’t rely solely on SPF for email authentication. Read our article here about DKIM and how it provides additional protection for your email program.  

3. SPF does nothing to protect brands against criminals who spoof the display name or “header from” address in their message.  

This is the more frequently spoofed “from” address since it’s the address most visible to the email recipient. 

Check out the example below. The spoofed PayPal address is similar enough to the real thing that subscribers might not notice anything’s amiss—until it’s too late. 

[Image: example of a spoofed PayPal “header from” address]

Authentication protocols, including SPF, don’t prevent this type of spoofing. That’s because the mail is sent from a legitimate email address that’s unrelated to the spoofed organization’s mail servers and sending domain.

Therefore, it doesn’t get caught via standard authentication protocols. 
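The following added example (written for this post, not code from Validity) shows why the display-name spoof above slips past SPF: SPF is evaluated on the envelope-from domain, while the recipient judges the message by the From: display name. The message is constructed, using a made-up lookalike domain, and it assumes the receiving server has already recorded the envelope sender in a Return-Path header. The brand-to-domain table is likewise a constructed illustration of the extra check a receiver can layer on top of SPF.

```python
"""Which address SPF checks versus which one the recipient sees (constructed sample)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: a made-up lookalike domain, not a real PayPal message.
# Both 'from' addresses sit on the attacker-controlled domain, so if that domain
# publishes a valid SPF record the SPF check itself passes.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@paypa1-notices.example>
From: "PayPal Service" <service@paypa1-notices.example>
To: customer@example.net
Subject: Action required on your account

Please review your account.
"""

# Constructed brand list for the example: brand keyword -> domains it really uses.
PROTECTED_BRANDS = {"paypal": {"paypal.com"}}


def address_domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rpartition("@")[2].lower()


def sender_identities(raw):
    """Return the two 'from' identities of a message.

    envelope_domain is what SPF evaluates; display_name and header_domain are
    what the recipient sees in the From: field.
    """
    msg = message_from_string(raw)
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    display_name, header_addr = parseaddr(msg.get("From", ""))
    return {
        "envelope_domain": address_domain(return_path),
        "display_name": display_name,
        "header_domain": address_domain(header_addr),
    }


def domain_belongs_to(domain, allowed):
    """True if domain is one of the allowed domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def display_name_impersonation(identities, brands=PROTECTED_BRANDS):
    """Flag a From: display name that names a protected brand while the
    From: address domain is not one the brand uses. Returns the brand or None.
    """
    name = identities["display_name"].lower()
    for brand, domains in brands.items():
        if brand in name and not domain_belongs_to(identities["header_domain"], domains):
            return brand
    return None


if __name__ == "__main__":
    ids = sender_identities(SAMPLE_MESSAGE)
    print("SPF checks domain:", ids["envelope_domain"])
    print("Recipient sees:", ids["display_name"], "at", ids["header_domain"])
    print("Impersonated brand:", display_name_impersonation(ids))
```

The two domains agree with each other, so SPF has nothing to object to; only a check that looks at the visible From: field, such as the brand heuristic here or DMARC’s alignment rules, exposes the mismatch between the display name and the real sender.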

SPF: One component of a full authentication strategy 

SPF may not be foolproof in preventing malicious senders from impersonating your brand and sending domain, but it’s certainly a step in the right direction.  

SPF is just one component of a full email authentication strategy, and it is most effective when implemented alongside DKIM and a strict DMARC policy of reject.  

Ready to build your SPF record? Find out how to do so here.