SPF (Sender Policy Framework)
A DNS-based email authentication protocol that specifies which mail servers are authorized to send email on behalf of a domain.
Definition
SPF (Sender Policy Framework) is an email authentication standard defined in RFC 7208 that allows domain owners to publish a list of authorized sending mail servers via a DNS TXT record. When a receiving mail server gets an email, it checks whether the sending server's IP address matches the domain's SPF record. If the IP is not listed, the message fails SPF, signaling a potential spoofing or phishing attempt.
Why It Matters
SPF failures are a primary indicator of email spoofing and business email compromise (BEC), making SPF a critical signal in phishing investigations. DFIR practitioners analyze SPF results to determine whether a malicious email originated from infrastructure the domain owner controls or from an attacker-controlled server. Misconfigured SPF records, such as an overly permissive +all or a missing record, also expose organizations to deliverability abuse and impersonation attacks.
How It Works
A domain owner publishes a DNS TXT record for their domain (e.g., v=spf1 include:_spf.google.com ip4:192.0.2.0/24 -all) listing authorized IP ranges and third-party senders. When an email arrives, the receiving MTA performs a DNS lookup on the envelope sender's domain (the MAIL FROM address, also called the Return-Path) and checks whether the connecting server's IP is authorized. The evaluation returns one of seven results: Pass, Fail, SoftFail, Neutral, None, TempError, or PermError. Critically, SPF authenticates only the envelope sender, not the visible From header. SPF alone therefore does not prevent header spoofing, which is why DMARC alignment checks are required to close that gap. An SPF evaluation is limited to 10 DNS lookups; exceeding this limit causes a PermError, a common misconfiguration that breaks authentication silently.
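The evaluation described above, as an added example that is not part of the original page or of any tool it describes. It models only the ip4, ip6, include and all mechanisms, and the domain names and TXT records in ZONE are constructed stand-ins for live DNS.

```python
import ipaddress

# Constructed TXT records standing in for live DNS (documentation IP ranges only).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "open.example": "v=spf1 +all",                       # authorizes every sender
    "loop.example": "v=spf1 include:loop.example -all",  # never terminates
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10


class PermError(Exception):
    """Record cannot be evaluated (syntax error or lookup limit exceeded)."""


def _evaluate(ip, domain, zone, lookups):
    terms = (zone.get(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # ValueError on bad syntax
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "include":
            lookups[0] += 1  # each include costs one DNS lookup
            if lookups[0] > LOOKUP_LIMIT:
                raise PermError("more than 10 DNS lookups")
            inner = _evaluate(ip, arg, zone, lookups)
            if inner == "none":
                raise PermError("include target has no SPF record")
            if inner == "pass":  # only a pass inside the include is a match
                return QUALIFIERS[qual]
        else:
            raise NotImplementedError(f"mechanism not modelled: {term}")
    return "neutral"  # no mechanism matched and no "all" present


def check_host(client_ip, mail_from_domain, zone=ZONE):
    """Return the SPF result for client_ip sending as mail_from_domain."""
    ip = ipaddress.ip_address(client_ip)
    try:
        return _evaluate(ip, mail_from_domain, zone, [0])
    except (PermError, ValueError):
        return "permerror"
```

Note that a softfail produced inside an include does not propagate: the outer record keeps evaluating and its own -all decides the result.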
DFIR Platform
Phishing Email Checker
The DFIR Lab Phishing Email Checker extracts and evaluates SPF records as part of its 26+ analysis modules, reporting the SPF result (Pass, Fail, SoftFail, etc.), checking DMARC alignment against the visible From header, and flagging misconfigurations such as missing records, overly permissive policies, or lookup limit violations that indicate potential spoofing or infrastructure abuse.