Sender Policy Framework (SPF) is an email authentication protocol that helps verify an email's true sender, protecting against email spoofing and phishing attacks. SPF allows domain owners to specify which mail servers are authorized to send email on behalf of their domain.
How SPF works
A domain owner publishes an SPF record in their Domain Name System (DNS) that lists all IP addresses and mail servers authorized to send email from that domain.
When an email is received, the recipient's mail server takes the domain from the envelope sender (the SMTP MAIL FROM address, which appears as the Return-Path header in the delivered message) and looks up that domain's SPF record in DNS.
The receiving server compares the IP address of the sending server against the list of authorized IP addresses in the SPF record.
If the sending IP address matches an authorized entry, the email passes SPF authentication and proceeds to delivery (subject to other checks). If it matches nothing, the result is set by the qualifier on the record's closing "all" mechanism:
"-all" (hard fail): the domain states that no other servers send its mail; receivers are advised to reject unauthorized messages
"~all" (soft fail): the domain is less certain; receivers typically accept but mark messages from unauthorized senders
"?all" (neutral): the domain makes no policy statement about unauthorized senders
SPF is one of three main email authentication standards, alongside DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance). Together these protocols form a comprehensive email authentication framework. SPF alone is not sufficient to prevent all spoofing attacks, as it only verifies the envelope sender, not the displayed "From" address. DMARC alignment is needed to tie SPF results to the visible sender address.
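As an added example (not part of the original page, and not Pangratis code), the following Python walks through the steps above: it evaluates a sending IP against the SPF record for the Return-Path domain, then applies DMARC-style alignment between that domain and the visible From: domain, so a message that passes SPF for some other domain still fails alignment. It assumes an in-memory table of constructed SPF records in place of DNS TXT lookups, handles only the ip4, ip6, include and all mechanisms (anything else yields permerror), and approximates the organizational domain as the last two labels; real DMARC implementations use the Public Suffix List for that.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (example data only).
# "include:" is resolved against this same table.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mailer.example -all",
    "mail.example.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
    "third-party.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

# Qualifier prefix -> SPF result when the mechanism matches (default is "+").
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, records=SPF_RECORDS):
    """Fetch the SPF record for a domain from the table (None if the domain has none)."""
    return records.get(domain.lower().rstrip("."))


def check_spf(ip, domain, records=SPF_RECORDS, depth=0):
    """Evaluate a sending IP against a domain's SPF record.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    if depth > 10:
        return "permerror"  # RFC 7208 limits lookup-causing terms to 10
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")  # first colon only, so IPv6 args survive
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(ip, arg, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside an include is simply "no match"
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"  # a, mx, exists, redirect= etc. are not modelled here
    return "neutral"  # nothing matched and no "all" term present


def organizational_domain(domain):
    """Approximation used by this example: last two labels (assumption, not the PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def spf_aligned(return_path_domain, from_domain, mode="relaxed"):
    """DMARC SPF alignment: strict needs identical domains, relaxed the same org domain."""
    if mode == "strict":
        return return_path_domain.lower() == from_domain.lower()
    return organizational_domain(return_path_domain) == organizational_domain(from_domain)


def authenticate(ip, return_path, from_header, records=SPF_RECORDS, mode="relaxed"):
    """SPF on the envelope sender plus alignment with the visible From: domain.
    Returns (spf_result, aligned); aligned is only True when SPF itself passed."""
    rp_domain = return_path.rsplit("@", 1)[-1]
    from_domain = from_header.rsplit("@", 1)[-1]
    result = check_spf(ip, rp_domain, records)
    return result, result == "pass" and spf_aligned(rp_domain, from_domain, mode)


if __name__ == "__main__":
    # Legitimate mail: SPF pass and aligned.
    print(authenticate("192.0.2.25", "bounce@example.com", "ceo@example.com"))
    # Envelope sender from a different domain that passes its own SPF: not aligned.
    print(authenticate("203.0.113.7", "bounce@third-party.example", "ceo@example.com"))
```

The last case is the gap the paragraph above describes: SPF is satisfied because the Return-Path domain authorizes the sending IP, yet the From: address the recipient sees belongs to another domain, and only the alignment check exposes that.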
Pangratis works alongside email authentication protocols like SPF to provide comprehensive protection against spoofing, impersonation, and phishing attacks that may evade authentication checks alone.