Sender Policy Framework (SPF) is an email authentication protocol that works by publishing an SPF record in a domain's DNS that lists the mail servers authorized to send email on the domain's behalf.
When an email claims to come from a domain, the receiving mail server looks up that domain's SPF record to check whether the sending server is authorized to send email on its behalf.
If the SPF check passes, the email is considered valid and delivery continues.
If the SPF check fails, the email is considered to be from an unauthorized source, and the message is flagged and treated as suspicious or rejected.
For example, if you want to authorize Google and Microsoft as trusted mail servers, your SPF record may look something like this:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
v=spf1 - Declares the SPF version and marks this TXT record as an SPF record.
include:_spf.google.com include:spf.protection.outlook.com - Pulls in the authorized senders from Google's and Microsoft's own SPF records, so any server they authorize is authorized for this domain too. An email sent through any other provider not listed here matches none of these entries and therefore does not pass on them.
~all - Indicates that if the sending server matches none of the entries above, the email should still be accepted but treated as suspicious.
Pro Tip: for domains that do not send email, publish the following SPF record: v=spf1 -all
This authorizes no IP addresses or domains as sending sources for the domain, so all email claiming to come from it should be rejected. This protects your domain from spoofing attacks.
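To make the evaluation concrete, here is an added example (not part of the original article and not code from any mail provider) of a small SPF checker that walks a record the way a receiving server does: it resolves include: mechanisms recursively, matches ip4/ip6 networks, applies the qualifier on all (+, -, ~, ?), and returns the standard result names. It covers both the Google/Microsoft record from the article and the v=spf1 -all record recommended for non-sending domains. DNS is replaced by a constructed in-memory table so it runs offline; the TXT records in that table for _spf.google.com and spf.protection.outlook.com are made up for the example and are not the providers' real records. The a, mx, ptr and exists mechanisms and the redirect modifier are deliberately left out and reported as permerror.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (offline example data, not real records).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",   # constructed
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",           # constructed
    "nomail.example": "v=spf1 -all",                            # non-sending domain
    "loop.example": "v=spf1 include:loop.example -all",         # self-referencing record
    "broken.example": "v=spf1 include:missing.example -all",    # include of a domain with no record
}

# SPF qualifiers and the result they produce when a mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # RFC 7208 caps DNS-querying terms at 10 per evaluation


def lookup_txt(domain, dns=FAKE_DNS_TXT):
    """Return the SPF TXT record for a domain, or None if it has none."""
    return dns.get(domain.lower())


def check_spf(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` for a sending address `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_DEPTH:
        return "permerror"  # include loop or over-long include chain
    record = lookup_txt(domain, dns)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)

    # Mechanisms are evaluated left to right; the first match decides the result.
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]  # "all" always matches: -all rejects, ~all softfails
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # An include matches only if the referenced record yields "pass";
            # fail/softfail/neutral from it just mean "no match, keep going".
            sub = check_spf(ip, arg, dns, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub == "none":
                return "permerror"  # RFC 7208 5.2: included domain has no SPF record
            if sub == "permerror":
                return sub
        else:
            # a, mx, ptr, exists and modifiers such as redirect= are not implemented here.
            return "permerror"
    return "neutral"  # no mechanism matched and the record has no "all" term


if __name__ == "__main__":
    for ip, domain in [("203.0.113.10", "example.com"), ("192.0.2.1", "example.com"),
                       ("192.0.2.1", "nomail.example"), ("192.0.2.1", "loop.example")]:
        print(f"{ip:>14} -> {domain:<16} {check_spf(ip, domain)}")
```

Running the script shows the article's two cases side by side: an address inside one of the included providers' networks passes, an unrelated address gets softfail from ~all, and anything sent on behalf of the non-sending domain gets fail from -all. The loop.example and broken.example records show why a real checker must bound recursion and treat a missing included record as a permanent error rather than silently accepting the mail. Note also that receivers evaluate SPF against the envelope sender (MAIL FROM) and HELO identity, not the From: header users see, which is why DMARC alignment is normally deployed alongside SPF.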