Email Spoofing with SPF

What is email spoofing?

Email spoofing is the act of sending an email message with a forged (fake) “from” email address.

Email scammers use a spoofed email address to gain their victims' trust.

To prevent this, you need to make sure that receivers can verify that email from your company is authentic.

How do you prevent spammers from abusing your email address?

An SPF record is designed to protect your domain reputation and email delivery.

What is an SPF record?

SPF stands for Sender Policy Framework.

It is a record that enables a domain to publicly state which servers may send emails on its behalf.

It is an open standard that enables the owner of a domain to provide a public list of approved senders.

What are some examples?

For example, if you use Gmail for your daily email and MailChimp for your transactional email, you need to list both of those mail service providers as approved senders in your SPF record.

With this, receivers can cross-check whether the email originated from a server that you have permitted to send on behalf of your domain.

If anyone tries to send from a server that is not on the list you published, the email will be treated as fake or spam.

What does SPF validate?

SPF validates the originating server by using the Return-Path value.

Return-Path is the address that the mail server uses to inform the sender when the email cannot reach the receiver because of a bounce or another delivery problem.

SPF does not validate the From domain (the one shown in your email client). So even if the From address is fake, the email can still pass the SPF check.

However, even if an email fails the SPF check, it may still be delivered to the receiver.

Why should you add an SPF record to your domain?

Adding an SPF record increases the chance that your email is delivered to your receiver's inbox.

Having this record provides an extra trust signal that ISPs use when deciding whether to place your email in your receivers' inbox.

And when you combine SPF with DKIM and DMARC, you can improve your inbox delivery rates and prevent abuse by spammers.

How to set up SPF? (Using Google SPF as an example)

To add SPF, you need to add a new TXT record to your domain's DNS zone.

If you are using cPanel, go to Zone Editor → TXT → Add New.

A single domain can have only one TXT record for SPF.

That single TXT record can list multiple servers and domains that are allowed to send mail for the domain.

TXT record contents

If all email from your organization is sent from G Suite, use this line of text for your TXT record:

v=spf1 include:_spf.google.com ~all

If you send mail in one or more of these ways in addition to G Suite, you must create a custom TXT record for SPF:

  • You send mail from other servers.
  • You use a third-party mail provider.
  • Your website uses a service that generates automatic emails, for example you have a “Contact us” form.
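The following is an added example, not code from the original page or from Google: a minimal SPF evaluator in Python that checks the G Suite record above against constructed DNS data and a constructed message, and shows that the check runs on the Return-Path domain while the forged From address plays no part. The zone contents, IP addresses and mailbox names are assumptions (RFC 5737 documentation ranges); the real _spf.google.com record is longer and uses more mechanisms than this evaluator supports.

```python
import ipaddress

# Constructed DNS zone data (assumption, not live records).
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 ~all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, dns=DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` for the connecting IP.

    Returns pass / fail / softfail / neutral / none / permerror.
    Supports only the ip4, include and all mechanisms, which is enough
    for the record discussed above; real resolvers handle far more.
    """
    if depth > 10:                       # RFC 7208 caps DNS lookups at 10
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                  # "pass" unless a prefix says otherwise
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "ip4" and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include":
            # An include only matches when the referenced record passes.
            if check_spf(value, client_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        if name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def authenticate(headers, client_ip, dns=DNS_TXT):
    """Run SPF the way a receiver does: on the Return-Path domain only."""
    return_path = headers["Return-Path"].strip("<>")
    domain = return_path.rsplit("@", 1)[-1].lower()
    return check_spf(domain, client_ip, dns)


if __name__ == "__main__":
    # Constructed message: the visible From is forged, the Return-Path is not.
    msg = {"From": "ceo@other.example", "Return-Path": "<bounce@example.com>"}
    print(authenticate(msg, "198.51.100.25"))   # pass: Google range via include
    print(authenticate(msg, "192.0.2.7"))       # softfail: falls through to ~all
```

The first call passes even though the From header names a domain that was never checked, which is exactly why SPF alone does not stop display-name spoofing and needs DKIM and DMARC alongside it.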

For more information, read Google's guide Ensure mail delivery & prevent spoofing (SPF).