What problem was SPF created to solve?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Before SPF, anyone could send email claiming to be from any domain. There was no technical mechanism for mailbox providers to verify that an email claiming to be from "updates@yourbank.com" actually came from your bank's servers. Versus someone else's server pretending to be your bank. That gap made domain spoofing trivial and email-based phishing easy.
SPF (Sender Policy Framework) addresses this by letting domain owners publish a list of authorized sending IP addresses in DNS. When an email arrives claiming to come from your domain, the receiving server checks your SPF record to see if the sending IP is on that list. If it's not, the email fails SPF. A signal it may be spoofed.
But The catch worth knowing: SPF validates the envelope from address (the Return-Path that mail servers use), not the visible From header your recipients see in their email client. A spoofed From header can still pass SPF if the attacker uses their own domain in the envelope. That's why SPF alone isn't enough. DKIM adds a cryptographic signature, and DMARC ties everything together by aligning the visible From domain with the authenticated domain.
If you haven't checked your SPF record recently, the free SPF Checker shows your current record and flags common misconfiguration issues like too many DNS lookups or missing sending sources.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.