What is SPF?
SPF (Sender Policy Framework) is an email authentication protocol that checks the senders IP address against a list of IP’s located on the domain listed in the return path of the email. This list is known as the SPF record.
Find out your SPF configuration
OnDMARC’s free tool Investigate lets you verify your SPF set up to ensure they actually authenticate your emails correctly.
What does an SPF failure mean?
SPF Failure occurs when the senders IP address is not found in the SPF record. This can mean the email is sent to spam or discarded altogether.
We will use two examples to explain the difference between SPF hard fail and SPF soft fail.
SPF hard fail example:
v=spf1 ip4:192.168.0.1 -all
In the above example the minus “-” in front of “all” means that any senders not listed in this SPF record should be treated as a "hardfail", ie. they are unauthorised and emails from them should be discarded. In this case only the IP address 192.168.0.1 is authorized to send emails.
SPF soft fail example:
v=spf1 include:spf.protection.outlook.com ~all
In the above example the tilde “~” in front of “all” means that any servers not listed in this SPF record should be treated as a "softfail", ie. mail can be allowed through but should be tagged as spam or suspicious. In this case the include:spf.protection.outook.com authorizes Office 365 to send emails. Any emails originating from different servers should be marked as spam by the receivers.
However, irrespective of which failure mode you specify, receiving servers are unlikely to honour your requested behaviour. To understand why check our SPF and DMARC article below.
Overcome the SPF lookup limit with clicks not code
OnDMARC also has a unique feature called Dynamic SPF. This allows you to replace your SPF record with a dynamic include and then update your SPF record from the OnDMARC interface! It clicks not code.
Find out more below.