Site icon Sophos News

What is… SPF?

Welcome to our What is… series,
where we turn technical jargon into plain English.

SPF is short for Sender Policy Framework.

SPF allows an organisation to make a public declaration about which servers are authorised to send email on its behalf, thus – in theory – making phishing emails from imposters easier to spot.

Creating bogus emails is, unfortunately, very easy: when I send you an email, I can identify myself however I wish, using special email headers known as Originator Fields, for example:

From: Paul Ducklin <paul@acme.example>
Sender: Paul Ducklin <paul@acme.example>
Reply-to: Paul Ducklin <paul@acme.example>

These headers are entirely up to me – they’re sent just in front of the actual content of the message – so I can claim to have any name I want, and an email address at any company I like, to give myself an air of legitimacy I don’t deserve.

For example, if I know you’ve recently bought products from a company called Big Corp, and I know by looking on Big Corp’s website that the sales manager in your region is Steve Meone, I could adjust my email headers to look like this:

From: "S. O. Meone" <someone@bigcorp.example>
To: Your Name Here <you@example.com>

Dear Your Name,

As an existing customer, you'll be delighted to know that one of our
partners is currently offering 25% off next year's subscription:

[. . . bogus web link here . . .]

Best regards,

Steve Meone

If this message reaches your inbox, it will look much more believable than a spam sent via a free webmail service, or from a company or country you’ve never heard of.

This trick is known as spoofing.

So, SPF allows your email server to ask the internet, “Where is email claiming to be from bigcorp.example supposed to originate?”

By checking that emails came from authorised sending servers before accepting them in the first place, your own email gateway can throw away spoofed messages that are pretending to be from companies that didn’t send them .

If you know up front that an email came from an imposter, you don’t need to waste time examining the email and its attachments for spam, phishing, malware or other cybercriminality – you can discard it immediately.

Pros of SPF

Cons of SPF

Exit mobile version