What is SPF, or Sender Policy Framework?

SPF (Sender Policy Framework) is an email authentication protocol that checks the sender's IP address against a list of IPs located on the domain listed in the Return Path header of the email. This list is known as the SPF record.

Find out your SPF configuration

OnDMARC’s free tool, Investigate, lets you verify your SPF set up to ensure they actually authenticate your emails correctly.

What does an SPF failure mean?

An SPF failure occurs when the sender's IP address is not found in the SPF record. This can mean the email is sent to spam or discarded altogether.

We will use two examples to explain the difference between SPF hard fail and SPF soft fail.

SPF hard fail example:

v=spf1 ip4:192.168.0.1 -all

In the above example the minus “-” in front of “all” means that any senders not listed in this SPF record should be treated as a "hardfail", ie. they are unauthorised and emails from them should be discarded. In this case only the IP address 192.168.0.1 is authorized to send emails.

SPF soft fail example:

v=spf1 include:spf.protection.outlook.com ~all

In the above example the tilde “~” in front of “all” means that any servers not listed in this SPF record should be treated as a "softfail", ie. mail can be allowed through but should be tagged as spam or suspicious. In this case the include:spf.protection.outook.com authorizes Office 365 to send emails. Any emails originating from different servers should be marked as spam by the receivers. 

However, irrespective of which failure mode you specify, receiving servers are unlikely to honour your requested behaviour. To understand why, check our SPF and DMARC article below.

Overcome the SPF 10 DNS lookup limit with clicks, not code.

OnDMARC also has a unique feature called Dynamic SPF. This allows you to replace your SPF record with a dynamic include and then update your SPF record from the OnDMARC interface!

Find out more below. 

If you would like to see our OnDMARC product in action, feel free to sign up to a 14 day trial account using the button below.

Did this answer your question?