Canadian IT Blog

Why You Need Sender Policy Framework (SPF) for Your Email

Written by Team CITI | October 29, 2019

 

Why is SPF Important?

 

Imagine this scenario: A cybercriminal learns the names and roles of your organization's key staff from its website. Then, he poses as an executive by sending a spoofed email message to an administrative assistant. With an urgent tone, the “executive” directs the administrative assistant to purchase Apple Store gift cards worth hundreds or thousands of dollars, and to send him the codes immediately by return email. Or, he may direct that a large sum of money be sent to him by bank draft. Because the request appears to be from a high-ranking executive, and because of the urgent tone, a staff member may act without questioning it.

Even worse, imagine what harm may be caused if a cybercriminal targeted your organization's customers, suppliers, or partners using spoofed messages from your domain!

 

SPF provides critical protection against would-be attackers.

 

How Does SPF Work?

 

SPF requires two components to work effectively. The first is a TXT, or text, entry in your domain's Domain Name System (DNS) record. This entry specifies the authorized sources of your organization's email messages. It also indicates what action to take on a message that uses your domain name, but that originates from a source that is not listed in the entry. Message action options are pass, fail, soft fail, and neutral.

The second component is a system that checks the SPF record for each incoming email message, and verifies whether its source is listed on the record. The system then takes the action specified by the SPF record for that domain.

 

Ready to get started with SPF? Chat with us now, or give us a call.

 

SPF Record Action Options

 

| Option | Meaning |
| --- | --- |
| Pass | Allow a message, regardless of its source |
| Fail | Block a message if not from an authorized source |
| Soft fail | Allow a message if not from an authorized source, but treat as suspicious |
| Neutral | Take no action on any message |

 

 

How do I enable SPF on my Domain?

 

The first step to enabling SPF on your domain is to determine all of the legitimate sources of email for it. This may include hosted or on-premises email systems, email marketing services, and possibly remote offices.

The second step is to create the TXT entry in your DNS record using the information gathered in step 1. Online tools, such as MX Toolbox, may be useful in generating the required SPF values. WARNING: Be aware that legitimate messages may be blocked if this is not configured properly.

 

Unsure whether your SPF record is configured correctly? CITI's email security experts can help. Contact us now.

 

The SPF TXT record requires the following information:

| Field | Data | Description |
| --- | --- | --- |
| Domain | @ | Indicates the applicable domain name - “@” means root |
| TTL | 3600, or default | Time to live, in seconds, before record updates may be applied |
| Value | v=spf1... | Value always starts with “v=spf1” - the rest is customized |

 

Finally, the third step is to enable SPF checks of all incoming email messages. Depending on the email system or service used by your organization, this may be as simple as ticking a checkbox, or as complicated as acquiring an email security device or service with this capability.
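As an added example (not code from the original article or from CITI), the Python code below checks a draft SPF value from step 2 against the list of legitimate sources from step 1, so that a missing source is caught before SPF checks start blocking mail. The function names, the sample record and the IP addresses are constructed for illustration, and only the ip4, ip6 and all terms are evaluated because the other terms require DNS lookups.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208). A term with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip):
    """Check one sending IP against the ip4/ip6/all terms of an SPF record.

    Terms that need DNS lookups (include, a, mx, redirect, ...) are not
    evaluated; they are returned in `skipped`, and a non-empty list means
    the result is provisional. Returns (result, skipped).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", []  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    skipped = []
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = mech.partition(":")
        name = name.lower()
        if name == "all":  # catch-all: its qualifier decides every other source
            return QUALIFIERS[qualifier], skipped
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier], skipped
        else:
            skipped.append(term)
    return "neutral", skipped  # nothing matched and no "all" term

def unauthorized_sources(record, sources):
    """Return {source name: result} for every source that would not pass."""
    results = {name: evaluate_spf(record, ip)[0] for name, ip in sources.items()}
    return {name: res for name, res in results.items() if res != "pass"}

# Constructed sample data (documentation IP ranges, not real senders).
DRAFT_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all"
SOURCES = {
    "office mail server": "192.0.2.10",
    "remote office": "198.51.100.25",
    "marketing service": "203.0.113.7",  # missing from the draft record
}

if __name__ == "__main__":
    for name, result in unauthorized_sources(DRAFT_RECORD, SOURCES).items():
        print(f"{name}: {result} (this source would not pass SPF)")
```

Any source this reports needs to be added to the record, or confirmed as covered by one of the skipped terms, before the record is published.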

 

Need help? Contact us now or give us a call at 416-603-2442.

 

What More Should I Know About SPF?

 

While SPF configured in this way offers some protection against spoofing, even more value can be obtained through automated SPF reporting. Reports enable you to track attempts to spoof your domain, and the domains that these attempts targeted. Reports may also help you to expose a misconfiguration of your SPF record.

 

How do you enable automated reporting of SPF? Chat with the experts at CITI for help.

 

Keep in mind that SPF is not foolproof. Your SPF record stops spoofed messages only at receiving domains that perform SPF checks. Likewise, your own SPF checks can block spoofed incoming messages only when the domain being spoofed has published an SPF record.

 

Conclusion

 

SPF provides critical protection against would-be attackers. It decreases the risk of forged messages pretending to be sent from your domain, and reduces the number of forged messages received by your organization. In addition, using an SPF reporting service enables you to take action based on real business intelligence.

 

If you are unsure whether your sender policy framework has been set up properly, get in touch with CITI. We can ensure that all aspects of your email setup use best practices so your address will never be spoofed.