« SES Articles & Guides

A Deep Dive into SPF: How Sender Policy Framework Works

A Deep Dive into SPF: How Sender Policy Framework Works

Sender Policy Framework (SPF) is an email authentication protocol designed to combat email spoofing and protect domains from unauthorized use. It plays a crucial role in maintaining email security and improving deliverability by verifying the legitimacy of the sending mail server. This article will provide an in-depth understanding of the technical details behind SPF and explain how it operates to secure your email communications.

Overview of SPF

SPF allows domain owners to specify which mail servers are authorized to send emails on their behalf. This information is stored in the domain's DNS records in the form of a TXT record. When an email is sent, the receiving mail server performs an SPF check by querying the sender's DNS records and comparing the IP address of the sending mail server against the authorized list. If the IP address is authorized, the email passes the SPF check and is more likely to be delivered to the recipient's inbox.

The SPF Record Format

An SPF record is a DNS TXT record containing a series of mechanisms and modifiers that define the rules for authorized mail servers. The record starts with a version tag, which is always "v=spf1". Following the version tag, one or more mechanisms describe the allowed sending IP addresses, hostnames, or domains. Some common mechanisms include:

  • a: Matches the domain's A or AAAA records.
  • mx: Matches the domain's MX records.
  • ip4: Specifies an allowed IPv4 address or range.
  • ip6: Specifies an allowed IPv6 address or range.
  • include: Imports rules from another domain's SPF record.

Each mechanism can be prefixed with a qualifier to indicate the desired result if the mechanism matches:

  • +: Pass (default if no qualifier is present)
  • -: Fail
  • ~: SoftFail
  • ?: Neutral

An example of a simple SPF record might look like this:

v=spf1 a mx ip4: include:_spf.sesmonitor.com ~all

This record allows email sending from the domain's A and AAAA records, MX records, any IP address in the specified IPv4 range, and any mail servers authorized by the included domain. The "~all" mechanism means that any other source will result in a SoftFail. Once you've got a good understanding of this you should be able to use this to setup SPF with AWS SES to improve deliverability.

How does an SPF check actually work?

When an email is received, the receiving mail server performs an SPF check using the following steps:

  1. Retrieve the Return-Path (also known as MAIL FROM or Envelope From) of the email, which contains the domain responsible for sending the email.
  2. Query the DNS records for the domain found in the Return-Path to retrieve its SPF record.
  3. Extract the IP address of the sending mail server from the email's SMTP connection.
  4. Evaluate the SPF record mechanisms in sequence, comparing the sending IP address against the authorized list. If a match is found, the evaluation stops, and the corresponding qualifier determines the result.
  5. If no match is found after evaluating all mechanisms, the default result is 'Neutral'.
    The receiving mail server then processes the email based on the SPF check result, which can lead to the email being accepted, marked as spam, or rejected.

What are the limitations of SPF?

While SPF is a valuable email authentication tool, it has certain limitations. For example, it does not protect against header forgery, leaving the email's visible "From" address vulnerable to spoofing. Additionally, SPF checks can be bypassed using email forwarding.

With that being said getting SPF properly setup is always a good idea as it can go a long way to maintaining or even improving your AWS SES reputation which is crucial to prevent any unwanted cutoffs.

To address these limitations, other email authentication protocols such as DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) should be implemented alongside SPF.

DKIM provides cryptographic signatures to verify the authenticity of an email's content, while DMARC builds on both SPF and DKIM to create a consistent authentication policy across the domain.

DKIM uses public-key cryptography to sign emails, allowing the receiving mail server to verify the email's integrity by checking the signature against the public key stored in the sender's DNS records. This ensures that the email has not been tampered with during transit and confirms the legitimacy of the sender.

DMARC, on the other hand, sets a policy for handling emails that fail either SPF or DKIM checks. It allows domain owners to specify what actions should be taken if an email fails authentication, such as rejecting the email or sending it to the spam folder. DMARC also provides reporting capabilities, enabling domain owners to monitor their email authentication performance and identify potential issues.

AWS SES Resources