Sender Policy Framework (SPF)

What is Sender Policy Framework (SPF)?

SPF stands for "Sender Policy Framework" and its purpose is to prevent unauthorized people from forging (spoofing) your e-mail address and pretending to be you.

SPF has been around for a number of years now, and in recent times has gained popularity as more and more websites and email providers start enforcing it.

SPF is a special type of TXT DNS record.

When an SPF Record is added to a domain, this informs mail servers what to do with email that proports to originate from an email address belonging to that domain.

As an example, let's consider two rival companies - we'll call them "Company A" and "Company B", and assume their respective domains are "companya.com" and "companyb.com".

Without a valid SPF record for companyb.com, it would be possible for a malicious user at Company A to pretend to be someone from Company B by "spoofing" an email appearing to be originating from a @companyb.com email address.

However, with a correctly set SPF record, this would not be possible, and no-one outside of Company B would be able to send emails from @companyb.com email addresses.

In addition to combating malicious intent, setting an SPF record can also become necessary when using cloud hosted software. For example, SaaS editions of our MIDAS booking software are each hosted on a dedicated *.mid.as domains. Our software has the ability to send email - for example, the sending of a booking confirmation to a customer's client. Typically, these email confirmations will want to come from an email address associated with the customer's own public website, and not their hosted MIDAS system on a *.mid.as subdomain.

In order for this to work, the customer would need to setup (or modify) the SPF record for their own public website to effectively "authorize" their hosted MIDAS software to be able to send email on behalf of their organization.