Sender Policy Framework (SPF) is an [[Email Authentication]] method which ensures the sending [[mail server]] is authorized to originate mail from the email sender's [[Domain]].^[[Sender Policy Framework - Wikipedia](https://en.wikipedia.org/wiki/Sender_Policy_Framework)] When an email is sent from a [[domain]], the receiving server checks the SPF record to see whether the email was sent from an authorized IP address. These IP addresses are specified in a TXT record published in the domain owner's [[Domain Name System (DNS)|DNS]]. This list is known as the SPF record.^[[SPF Hard fail vs SPF Soft fail | OnDMARC Help Center (redsift.com)](https://knowledge.ondmarc.redsift.com/en/articles/1148885-spf-hard-fail-vs-spf-soft-fail)]

## SPF Failure

There are two types of SPF failure: SPF **softfail** and SPF **hardfail**. A hardfail indicates that an email is definitely not authorized, whereas a softfail means that an email has _probably not_ been authorized. For the receiving server, the failure type determines the treatment of the email: a hardfail tells the recipient to reject the email, whereas a softfail suggests it should be diverted to spam.

# Implementation

## Mechanisms

| Mechanism | Definition |
| --------- | ---------- |
| ALL | Matches always; used for a default result like `-all` for all IPs not matched by prior mechanisms. |
| A | If the domain name has an address record (A or AAAA) that can be resolved to the sender's address, it will match. |
| IP4 | If the sender is in a given [IPv4](https://en.wikipedia.org/wiki/IPv4 "IPv4") address range, match. |
| IP6 | If the sender is in a given [IPv6](https://en.wikipedia.org/wiki/IPv6 "IPv6") address range, match. |
| MX | If the domain name has an [MX record](https://en.wikipedia.org/wiki/MX_record "MX record") resolving to the sender's address, it will match (i.e. the mail comes from one of the domain's incoming mail servers). |
| PTR | If the domain name ([PTR record](https://en.wikipedia.org/wiki/PTR_record "PTR record")) for the client's address is in the given domain and that domain name resolves to the client's address ([forward-confirmed reverse DNS](https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS "Forward-confirmed reverse DNS")), match. This mechanism is discouraged and should be avoided, if possible.[[13]](https://en.wikipedia.org/wiki/Sender_Policy_Framework#cite_note-rfc7208-txt-13) |
| EXISTS | If the given domain name resolves to any address, match (no matter the address it resolves to). This is rarely used. Along with the SPF macro language it offers more complex matches like [DNSBL](https://en.wikipedia.org/wiki/DNSBL "DNSBL") queries. |
| INCLUDE | References the policy of another domain. If that domain's policy passes, this mechanism passes. However, if the included policy fails, processing continues with the next mechanism. To fully delegate to another domain's policy, the _redirect_ modifier must be used. |

## Qualifiers

- **`+`** for a PASS result. This can be omitted; e.g., `+mx` is the same as `mx`.
- **`?`** for a NEUTRAL result, interpreted like NONE (no policy).
- **`~`** (tilde) for SOFTFAIL, a debugging aid between NEUTRAL and FAIL. Typically, messages that return a SOFTFAIL are accepted but tagged.
- **`-`** (minus) for FAIL; the mail should be rejected (see above).

>[!Note]
>A domain MUST NOT have multiple SPF records, otherwise SPF evaluation fails with PermError.
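The mechanisms, qualifiers and the multiple-record PermError above, worked through as a small receiver-side SPF evaluator. This is an added example, not code from the note or from any SPF library; the `DNS` dictionary is a constructed, hypothetical stand-in for real lookups, and `ptr`, `exists` and macros are left out.

```python
import ipaddress
# Constructed, offline stand-in for DNS (hypothetical zone data, not real records).
DNS = {
    "txt": {
        "example.com": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.example.net -all"],
        "_spf.example.net": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
        "alias.example": ["v=spf1 redirect=example.com"],
        "broken.example": ["v=spf1 -all", "v=spf1 +all"],  # two records: PermError
    },
    "mx": {"example.com": ["mx1.example.com"]},
    "a": {"mx1.example.com": ["203.0.113.25"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Evaluate domain's SPF policy for sender ip (a subset of RFC 7208 check_host)."""
    records = [r for r in DNS["txt"].get(domain, []) if r.split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "none"                  # no SPF record published for this domain
    if len(records) > 1 or depth > 10:
        return "permerror"             # multiple records, or include/redirect loop
    sender = ipaddress.ip_address(ip)
    redirect = None
    for term in records[0].split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]   # modifier: applies only if nothing matches
            continue
        qual = "+"                     # omitted qualifier means PASS
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):   # a v4 sender never matches a v6 range, and vice versa
            matched = sender in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(sender) in DNS["a"].get(arg or domain, [])
        elif name == "mx":
            matched = any(str(sender) in DNS["a"].get(h, []) for h in DNS["mx"].get(arg or domain, []))
        elif name == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub == "permerror":
                return sub
            matched = sub == "pass"    # only PASS counts; fail/softfail fall through
        else:
            return "permerror"         # ptr/exists/macros are not modelled here
        if matched:
            return QUALIFIERS[qual]
    return check_host(ip, redirect, depth + 1) if redirect else "neutral"
```

Note that `198.51.100.99` gets `fail` from `example.com` even though the included domain only says `~all`: the include contributes nothing unless it passes, so the outer `-all` decides.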