Why You Need a Sender Policy Framework SPF Record

Why You Need Sender Policy Framework (SPF) for Your Email


Why is SPF Important?


Imagine this scenario: A cybercriminal learns the names and roles of your organization's key staff from its website. Then, he poses as an executive by sending a spoofed email message to an administrative assistant. With an urgent tone, the “executive” directs the administrative assistant to purchase Apple Store gift cards worth hundreds or thousands of dollars, and to send him the codes immediately by return email. Or, he may direct that a large sum of money be sent to him by bank draft. Because the request appears to be from a high-ranking executive, and because of the urgent tone, a staff member may act without questioning it.

Even worse, imagine what harm may be caused if a cybercriminal targeted your organization's customers, suppliers, or partners using spoofed messages from your domain!


SPF provides critical protection against would-be attackers.


How Does SPF Work?


SPF requires two components to work effectively. The first is a TXT, or text, entry in your domain's Domain Name System (DNS) record. This entry specifies the authorized sources of your organization's email messages. It also indicates what action to take on a message that uses your domain name, but that originates from a source that is not listed in the entry. Message action options are pass, fail, soft fail, and neutral.

The second component is a system that checks the SPF record for each incoming email message, and verifies whether its source is listed on the record. The system then takes the action specified by the SPF record for that domain.




SPF Record Action Options


| Option | Meaning |
| --- | --- |
| Pass | Allow a message, regardless of its source |
| Fail | Block a message if not from an authorized source |
| Soft fail | Allow a message if not from an authorized source, but treat as suspicious |
| Neutral | Take no action on any message |
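The check described above, sketched as an added example (not code from the original article or from any particular mail system): a receiver-side evaluation of a sending IP address against a domain's SPF record, returning one of the action options in the table. The domains, addresses and the `SAMPLE_TXT` dictionary standing in for DNS are constructed for illustration, and only the `ip4`, `ip6`, `include` and `all` terms are handled.

```python
import ipaddress

# Qualifier prefix on a mechanism -> the action names used in the table above.
ACTIONS = {"+": "pass", "-": "fail", "~": "soft fail", "?": "neutral"}

# Constructed sample data standing in for DNS TXT lookups (documentation ranges).
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.0/25 ~all"],
}

def check_spf(sender_ip, domain, txt=SAMPLE_TXT, depth=0):
    """Return the SPF result for sender_ip claiming to send mail for domain."""
    records = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"                      # domain publishes no SPF record
    if len(records) > 1 or depth > 10:
        return "permerror"                 # ambiguous record or include loop
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                    # a bare mechanism means pass
        if term[0] in ACTIONS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True                 # catch-all, normally the last term
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "include":
            inner = check_spf(sender_ip, arg, txt, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"         # broken include invalidates the record
            matched = inner == "pass"      # only an inner pass counts as a match
        else:
            continue                       # a, mx, exists, redirect need live DNS; skipped here
        if matched:
            return ACTIONS[qualifier]      # first matching term decides the result
    return "neutral"                       # nothing matched and no "all" term
```
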



How do I enable SPF on my Domain?


The first step to enabling SPF on your domain is to determine all of the legitimate sources of email for it. This may include hosted or on-premises email systems, email marketing services, and possibly remote offices.

The second step is to create the TXT entry in your DNS record using the information gathered in step 1. Online tools, such as MX Toolbox, may be useful in generating the required SPF values. WARNING: Be aware that legitimate messages may be blocked if this is not configured properly.




The SPF TXT record requires the following information:

| Field | Data | Description |
| --- | --- | --- |
| Domain | @ | Indicates the applicable domain name - “@” means root |
| TTL | 3600, or default | Time to live, in seconds, before record updates may be applied |
| Value | v=spf1... | Value always starts with “v=spf1” - the rest is customized |


Finally, the third step is to enable SPF checks of all incoming email messages. Depending on the email system or service used by your organization, this may be as simple as ticking a checkbox, or as complicated as acquiring an email security device or service with this capability.
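Because a misconfigured record can block legitimate mail, it helps to check a draft value before publishing it. The following is an added example, not part of the original article or of any vendor tool: a small linter for the TXT strings you plan to publish. It goes beyond what the article lists by applying two rules from the SPF specification (RFC 7208): a domain may have only one `v=spf1` record, and evaluation may trigger at most 10 DNS lookups. The function name and sample values are constructed for illustration.

```python
import ipaddress

# Terms that each cost the receiver one DNS query (limit of 10 per evaluation).
LOOKUP_TERMS = ("include", "a", "mx", "exists", "ptr", "redirect")

def lint_spf(txt_strings):
    """Return a list of findings for the TXT strings published at one domain."""
    records = [t for t in txt_strings if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return ["no record starting with v=spf1"]
    findings = []
    if len(records) > 1:
        findings.append("more than one v=spf1 record: receivers treat this as an error")
    terms = records[0].split()[1:]
    lookups = 0
    for term in terms:
        bare = term.lstrip("+-~?").lower()
        name = bare.replace("=", ":").replace("/", ":").split(":")[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("ip4", "ip6"):
            try:
                value = bare.split(":", 1)[1]
                ok = ipaddress.ip_network(value, strict=False).version == int(name[2])
            except (ValueError, IndexError):
                ok = False
            if not ok:
                findings.append(f"{term}: not a valid address or range")
    if lookups > 10:
        # Counts this record only; nested includes add their own lookups on top.
        findings.append(f"{lookups} DNS-lookup terms: more than the limit of 10")
    last = terms[-1].lower() if terms else ""
    if last.lstrip("+-~?") != "all":
        if not any(t.lower().startswith("redirect=") for t in terms):
            findings.append("no final all term: unlisted sources get neutral")
    elif last in ("all", "+all"):
        findings.append("ends in +all: every source passes, so spoofing is not blocked")
    return findings
```

An empty list means none of these checks fired; it does not prove that every legitimate source is listed, which still depends on the inventory from step 1.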




What More Should I Know About SPF?


While SPF configured in this way offers some protection against spoofing, even more value can be obtained through automated SPF reporting. Reports enable you to track attempts to spoof your domain, and the domains that these attempts targeted. Reports may also help you to expose a misconfiguration of the SPF.




Keep in mind that SPF is not foolproof. Your SPF record stops spoofing of your domain only at receiving domains that perform SPF checks. Likewise, you can block spoofed messages arriving at your organization only when the domain being impersonated has an SPF record.




SPF provides critical protection against would-be attackers. It decreases the risk of forged messages pretending to be sent from your domain, and reduces the number of forged messages received by your organization. In addition, using an SPF reporting service enables you to take action based on real business intelligence.


If you are unsure whether your sender policy framework has been set up properly, get in touch with CITI. We can ensure that all aspects of your email setup use best practices so your address will never be spoofed.


