What is RFC 7208 (SPF)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Before the internet had organized email standards, anyone could send an email claiming to be from anyone. RFC 7208 is the document that defines SPF (Sender Policy Framework). One of the key standards that changed this.
An RFC (Request for Comments) is how internet standards are formally defined. RFC 7208, published in 2014, replaced an earlier SPF spec and defines exactly how the Sender Policy Framework works: the record syntax, how receivers should evaluate it, what results mean, and how to handle edge cases.
What SPF actually does: it lets a domain owner publish a list of IP addresses that are allowed to send email on behalf of that domain. When a receiving mail server gets a message claiming to be from captain@deepcurrent.io, it looks up deepcurrent.io's SPF record in DNS. If the sending IP is on the list, it passes. If not, it fails. This makes it harder for spammers to forge your domain in the "envelope from" address.
The RFC defines the syntax you see in SPF records: mechanisms like ip4: (allow specific IPv4 addresses), include: (include another domain's allowed senders), a and mx (allow the domain's A record or MX servers), and qualifiers like ~all (softfail) and -all (hard fail).
SPF alone isn't enough for full authentication. It has a known weakness with email forwarding, and it only protects the envelope from address, not the header from. That's why DKIM and DMARC are used alongside it. You can check your SPF record is correctly formatted with our free SPF checker.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.