Sophos News

What is… SPF?

Welcome to our What is… series,
where we turn technical jargon into plain English.

SPF is short for Sender Policy Framework.

SPF allows an organisation to make a public declaration about which servers are authorised to send email on its behalf, thus – in theory – making phishing emails from imposters easier to spot.

Creating bogus emails is, unfortunately, very easy: when I send you an email, I can identify myself however I wish, using special email headers known as Originator Fields, for example:

From: Paul Ducklin <paul@acme.example>
Sender: Paul Ducklin <paul@acme.example>
Reply-to: Paul Ducklin <paul@acme.example>

These headers are entirely up to me – they’re sent just in front of the actual content of the message – so I can claim to have any name I want, and an email address at any company I like, to give myself an air of legitimacy I don’t deserve.

For example, if I know you’ve recently bought products from a company called Big Corp, and I know by looking on Big Corp’s website that the sales manager in your region is Steve Meone, I could adjust my email headers to look like this:

From: "S. O. Meone" <someone@bigcorp.example>
To: Your Name Here <you@example.com>

Dear Your Name,

As an existing customer, you'll be delighted to know that one of our
partners is currently offering 25% off next year's subscription:

[. . . bogus web link here . . .]

Best regards,

Steve Meone

If this message reaches your inbox, it will look much more believable than a spam sent via a free webmail service, or from a company or country you’ve never heard of.

This trick is known as spoofing.

So, SPF allows your email server to ask the internet, “Where is email claiming to be from bigcorp.example supposed to originate?”

By checking that emails came from authorised sending servers before accepting them in the first place, your own email gateway can throw away spoofed messages that are pretending to be from companies that didn’t send them.

If you know up front that an email came from an imposter, you don’t need to waste time examining the email and its attachments for spam, phishing, malware or other cybercriminality – you can discard it immediately.
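To show what that gateway-side check actually does, here is an added example (not from the Sophos article) that evaluates a published SPF record against the IP address of the connecting server. It assumes a constructed table standing in for DNS TXT lookups, and the domains bigcorp.example and _spf.mailhost.example are placeholders.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# A real gateway resolves these with DNS; the domains are placeholders.
FAKE_DNS_TXT = {
    "bigcorp.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, depth=0):
    """Evaluate the SPF record for `domain` against the connecting IP.

    Returns pass/fail/softfail/neutral/none/permerror, following the
    result names of RFC 7208. Only the ip4, ip6, include and all
    mechanisms are handled; a, mx, exists and redirect would need
    further DNS lookups and are reported as permerror here.
    """
    if depth > 10:              # RFC 7208 limits DNS-causing terms to 10
        return "permerror"
    record = FAKE_DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"           # no policy published: gateway cannot decide
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"         # a mechanism with no prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include: matches only if the referenced domain's policy passes
            matched = spf_check(arg, client_ip, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism not supported by this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"            # record ended without any term matching
```

A gateway would reject or quarantine on "fail", treat "softfail" as a strong spam signal, and fall back to its other filters on "none".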

Pros of SPF

Cons of SPF