How to Explain SPF in Plain English

Posted by Matt Moorehead on

Email authentication can be highly technical and extremely confusing. Even the most seasoned security professionals need help both navigating this space and explaining it in digestible yet accurate terms to non-technical colleagues.

At Return Path, we believe clarity is essential when it comes to communicating the value of email security.

In this three-part blog series, we’ll explain the most important email authentication protocols—SPF (Sender Policy Framework), DKIM (Domain Keys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance)—in plain English. We’ll start with SPF.

But before we do, it’s important to understand the vulnerabilities of email messages.

Two “From” Addresses

Email messages contain two “from” addresses: the “envelope from” (also called the return path or mfrom) and the “header from” (also called the friendly from).

The “envelope from” is the return address—it tells mail servers where to return, or bounce, the message to. It’s carried in the hidden email message header, which includes technical details servers use to understand who the message is for, what software was used to compose it, and so on.

The “header from” address is an address contained in the From: field of an email, which is visible to all email users.

Both of these addresses can be spoofed by cybercriminals relatively easily. That’s where email authentication comes in.

SPF (Sender Policy Framework)

What it is: SPF is an email authentication protocol that allows the owner of a domain to specify which mail servers they use to send mail from that domain.

How it works: Brands sending email publish SPF records in the Domain Name System (DNS). These records list which IP addresses are authorized to send email on behalf of their domains.

During an SPF check, the receiving email provider looks up the SPF record in DNS for the domain in the “envelope from” address. If the IP address delivering the message on behalf of that “envelope from” domain isn’t listed in the SPF record, the message fails SPF authentication.

Why it matters: An SPF-protected domain is less attractive to phishers, and is therefore less likely to be blacklisted by spam filters, ensuring legitimate email from that domain is delivered.

But SPF has a few major problems:

  1. Keeping SPF records up to date as brands change service providers and add mail streams is difficult, owing to a lack of visibility into everything that sends on the domain’s behalf.
  2. A message that fails SPF is not necessarily blocked from the inbox; the SPF result is one of several factors email providers take into account.
  3. SPF breaks when a message is forwarded, because the forwarding server’s IP address is not listed in the original domain’s SPF record.
  4. SPF does nothing to protect brands against cybercriminals who spoof the display name or “header from” address in their message. That is the more frequently spoofed “from” address, since it’s the one most visible to the email recipient.
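
To make the check described above concrete, here is a small SPF evaluator added for this post (it is not Return Path code and not a production library). It assumes a constructed, offline stand-in for DNS TXT lookups (the domains example.com, _spf.mailvendor.example and other.example and their IP addresses are hypothetical, drawn from documentation address ranges), supports only the ip4, ip6, include and all mechanisms, and then runs three constructed deliveries that show the “envelope from” lookup, why forwarding fails the check, and why the visible “header from” plays no part in the SPF verdict.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT records (hypothetical domains;
# addresses come from the RFC 5737 / RFC 3849 documentation ranges).
# A real receiver would query DNS for these records instead.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "other.example": "v=spf1 ip4:203.0.113.5 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns):
    """Return the domain's SPF record, or None if it publishes none."""
    txt = dns.get(domain.lower())
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    return txt


def check_spf(sending_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the SPF record of an envelope-from domain against a sending IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Only ip4, ip6, include and all are implemented; mechanisms that need
    live DNS (a, mx, ptr, exists, redirect=) are reported as permerror here.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10; this toy caps include nesting
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            matched = ip.version == net.version and ip in net
        elif term.startswith("include:"):
            # include: matches only when the referenced domain's record yields "pass"
            matched = check_spf(sending_ip, term[len("include:"):], dns, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched: the RFC 7208 default result


def envelope_from_domain(envelope_from):
    """The domain SPF is checked against: the part after '@' in the envelope from."""
    return envelope_from.rsplit("@", 1)[-1].lower()


def check_message(msg, dns=FAKE_DNS_TXT):
    """A receiver's SPF check reads only the envelope from and the connecting IP.
    The visible header From is never consulted, which is exactly problem 4 above."""
    return check_spf(msg["sending_ip"], envelope_from_domain(msg["envelope_from"]), dns)


def scenarios(dns=FAKE_DNS_TXT):
    """Three constructed deliveries illustrating the points made in the post."""
    direct = {"header_from": "news@example.com", "envelope_from": "bounce@example.com",
              "sending_ip": "198.51.100.10"}  # the vendor authorized via include:
    # A forwarder keeps the original envelope from but connects from its own IP.
    forwarded = dict(direct, sending_ip="203.0.113.77")
    # Header From shows example.com, but SPF evaluates other.example's record.
    mismatched_header = {"header_from": "news@example.com", "envelope_from": "bounce@other.example",
                         "sending_ip": "203.0.113.5"}
    return {
        "direct": check_message(direct, dns),                       # pass
        "forwarded": check_message(forwarded, dns),                 # fail
        "header_from_ignored": check_message(mismatched_header, dns),  # pass
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The third scenario is the reason DMARC, covered later in this series, adds an alignment requirement: an SPF “pass” only says the envelope-from domain authorized the sending IP, and says nothing about the address the recipient actually sees.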

Ready to create your SPF record? Find out how to do it here.

In the next post in this series, we’ll break down DKIM, arguably the most complex of all email authentication protocols.

About Matt Moorehead

Matt Moorehead is a Strategic Project Manager for Return Path's Email Fraud Protection team. He works closely with top brands on technical and strategic initiatives to eliminate the impact of email fraud. In his spare time you can find Matt on the golf course or the ski slopes. Connect with him on LinkedIn @Matt Moorehead, IMBA, or @mattmooreheadRP on Twitter.