Sender Policy Framework

The ''Sender Policy Framework (SPF)'' is a technical method to prevent sender address forgery.  More precisely, the [[Specifications|current version of ''SPF'']] --- called ''SPFv1'' or ''SPF Classic'' --- protects the ''envelope sender address'', which is used for the delivery of messages.  See the box on the right for a quick explanation of the different types of sender addresses in e-mails.

The ''Sender Policy Framework (SPF)'' is an [[Wikipedia:Open standard|open standard]] specifying a technical method to prevent sender address forgery.  More precisely, the [[Specifications|current version of ''SPF'']] --- called ''SPFv1'' or ''SPF Classic'' --- protects the ''envelope sender address'', which is used for the delivery of messages.  See the box on the right for a quick explanation of the different types of sender addresses in e-mails.

Even more precisely, ''SPFv1'' allows the owner of a domain to specify their mail sending policy, e.g. which mail servers they use to send mail from their domain.  The technology requires two sides to play together: '''(1) the domain owner publishes''' this information in an ''SPF'' record in the domain's [[Wikipedia:Domain Name System|DNS]] [[Wikipedia:Domain Name System#How the DNS works in theory|zone]], and when someone else's mail server receives a message claiming to come from that domain, then '''(2) that receiving server can check''' whether the message complies with the domain's stated policy.  If, e.g., the message comes from an unknown server, it can be considered a fake.

Even more precisely, ''SPFv1'' allows the owner of a domain to specify their mail sending policy, e.g. which mail servers they use to send mail from their domain.  The technology requires two sides to play together: '''(1) the domain owner publishes''' this information in an ''SPF'' record in the domain's [[Wikipedia:Domain Name System|DNS]] [[Wikipedia:DNS zone|zone]], and when someone else's mail server receives a message claiming to come from that domain, then '''(2) the receiving server can check''' whether the message complies with the domain's stated policy.  If, e.g., the message comes from an unknown server, it can be considered a fake.

Let's look at an example to give you an idea of how ''SPF'' works.  Bob owns the domain <tt>example.net</tt>.  He also sometimes sends mail through his GMail account.  Since he often receives bounces about messages he didn't send, he decides to publish an SPF record in order to reduce the abuse of his domain in e-mail envelopes:

Let's look at an example to give you an idea of how ''SPF'' works.  Bob owns the domain <tt>example.net</tt>.  He also sometimes sends mail through his [[Frank_Ellermann/Google|GMail]] account and contacted GMail's support to identify the correct SPF record for GMail.  Since he often receives bounces about messages he didn't send, he decides to publish an SPF record in order to reduce the abuse of his domain in e-mail envelopes:

> <pre>example.net.  TXT  "v=spf1 mx a:pluto.example.net include:gmail.com -all"</pre>

> <pre>example.net.  TXT  "v=spf1 mx a:pluto.example.net include:aspmx.googlemail.com -all"</pre>

| <code>include:gmail.com</code> | everything considered legitimate by <tt>gmail.com</tt> is legitimate for <tt>example.net</tt>, too |

| <code>include:aspmx.googlemail.com</code> | everything considered legitimate by <tt>gmail.com</tt> is legitimate for <tt>example.net</tt>, too |

This example demonstrates but a small part of ''SPF's'' expressiveness.  Do <u>not</u> take it as a guideline for building your own record --- things might not work out as you expect and legitimate messages might get blocked!  Instead, learn more about the [[SPF Record Syntax|record syntax]], or get the complete picture by studying the [[Specifications|full specification]].  [[Support|Community support]] is available.

This example demonstrates but a small part of ''SPF's'' expressiveness.  Do <strong>not</strong> take it as a guideline for building your own record --- things might not work out as you expect and legitimate messages might get blocked!  Instead, learn more about the [[SPF Record Syntax|record syntax]], or get the complete picture by studying the [[Specifications|full specification]].  [[Support|Community support]] is available.

The domain sender policies alone are not worth much --- it is the receiving mail servers that need to enforce them.  Most mail servers do not yet support ''SPF'' checking natively, however there are [[Implementations|extensions]] for most open-source MTAs and many commercial ones.  Again, you can get [[Support|community support]].

The domain sender policies alone are not worth much --- it is the receiving mail servers that need to enforce them.  Most mail servers support ''SPF'' checking either natively or through [[Implementations|extensions]].  Again, you can get [[Support|community support]].