SPF stands for “Sender Policy Framework,” and it is simply a list of IP addresses that you have allowed to send email on behalf of your domain. It is published in the form of a DNS TXT record (see “what is DNS”). SPF was developed in the early 2000s as an anti-spam protocol to stop phishing emails. Does your domain have a valid SPF record? Use the SPF check to find out.
Here’s an example of how it works: you have a company website, example.com. You send email from [email protected] using the Email Service Provider (ESP) SendGrid to send your marketing messages and transactional emails to your customers automatically. In order to stop people from sending email that looks like it’s from you, you set your SPF record (for example.com) to include SendGrid. This adds SendGrid’s mail server IPs to your authorized IP list (your SPF record).
Now, when SendGrid sends out your next marketing blast to your customer mailing list, the Internet Service Providers (ISPs) that provide your customers’ inboxes will check to see if the mail server that sent the email is included in your SPF record. Basically – is that mail server on the list (i.e. allowed to send email from you) or not?
It does get more complicated as you add more and more senders that are authorized to send email for your domain. For example, the number of “look-ups,” or includes, is limited to 10, and staying under that limit can be tricky. Many email service providers rely on nested includes that count against your limit. In practical terms, this means that you can usually only include 2-3 providers before SPF Compression℠ is required. In addition, some emails get forwarded through other mail servers, which breaks the SPF authentication process. That’s why SPF is only part of the solution for email authentication. To learn more about the other protocols, including DKIM and DMARC, watch for our upcoming posts.
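To see how nested includes use up the 10-lookup budget described above, here is an added example (not code from the original post) that counts the DNS-querying terms in an SPF record. It goes slightly beyond includes by also counting `a`, `mx`, `ptr`, `exists` and `redirect`, which RFC 7208 charges against the same limit; the zone data and the provider names `esp-a`, `esp-b` and `esp-c` are constructed, and a real audit would query DNS instead of the dictionary.

```python
import re

LIMIT = 10  # RFC 7208 section 4.6.4: max DNS-querying terms per SPF evaluation
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed sample zone (domain -> SPF TXT record); provider names are hypothetical.
ZONE = {
    "example.com": "v=spf1 mx include:esp-a.example include:esp-b.example include:esp-c.example ~all",
    "esp-a.example": "v=spf1 include:u1.esp-a.example include:u2.esp-a.example -all",
    "u1.esp-a.example": "v=spf1 ip4:192.0.2.0/25 -all",
    "u2.esp-a.example": "v=spf1 ip4:192.0.2.128/25 -all",
    "esp-b.example": "v=spf1 a include:m1.esp-b.example include:m2.esp-b.example -all",
    "m1.esp-b.example": "v=spf1 ip4:198.51.100.0/25 -all",
    "m2.esp-b.example": "v=spf1 ip6:2001:db8::/32 -all",
    "esp-c.example": "v=spf1 include:x1.esp-c.example include:x2.esp-c.example -all",
    "x1.esp-c.example": "v=spf1 ip4:203.0.113.0/25 -all",
    "x2.esp-c.example": "v=spf1 ip4:203.0.113.128/25 -all",
}


def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms when evaluating domain's SPF record."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "").lower()
    if record.split()[:1] != ["v=spf1"]:
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier, keep the mechanism
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[len("redirect="):], zone, path + (domain,))
            continue
        name = re.split(r"[:/]", term, maxsplit=1)[0]
        if name in LOOKUP_MECHANISMS:
            total += 1  # ip4, ip6 and all need no DNS query, so they are free
        if name == "include":
            total += count_lookups(term.split(":", 1)[1], zone, path + (domain,))
    return total


def check(domain, zone):
    """Return (lookup count, verdict) for the domain's published SPF record."""
    n = count_lookups(domain, zone)
    return n, ("ok" if n <= LIMIT else "permerror: too many DNS lookups")
```

With the three constructed providers the record needs 11 lookups and fails; dropping `esp-c.example` brings it to 8, which is the "2-3 providers" ceiling in practice.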