Sender Policy Framework (SPF) is a standard that allows the owner of an Internet domain name to tell the world which servers will be sending email from inside that domain.

By learning which servers are authorized to send email for a domain, recipients can assume that any email claiming to be from that domain but arriving from other servers is possibly or certainly forged (spam or phishing).

Using a text record associated with the domain name and published in the DNS, the domain owner specifies a string containing a list of instructions. Each instruction identifies one or more servers through one of various mechanisms and tells whether those servers are allowed or disallowed to send legitimate email for that domain name. For example, the “mx” mechanism identifies all mail servers (MX hosts) for that domain name, while “ip4:” identifies a single IPv4 address.

The mechanism without any prefix, or with a plus sign, implies that those servers are allowed to send mail, but by putting a minus sign in front of it you disallow those servers; for example, “-ip4:” states that the IP address is explicitly forbidden from sending legitimate mail. You may specify a weaker rejection with the “~” qualifier, implying that the mail is possibly illegitimate but you cannot be entirely sure, so the recipient should accept it but flag it as likely to be spam.

At the end of the string, you may use the mechanism “all” to specify a directive regarding the rest of the Internet; “-all” instructs recipients to reject all messages not coming from the listed servers. Often, however, domain name owners are not really sure that their list of authorized email servers is complete, so they go for the weaker “~all” statement.
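To make the evaluation concrete, here is a small SPF evaluator written for this article (it is not the SPF project's own code and ignores mechanisms such as “a” and “include:”). It assumes a constructed, offline stand-in for DNS (the `FAKE_DNS` table, with a hypothetical record for example.com) and shows that mechanisms are tried left to right, so the first match decides the result.

```python
import ipaddress

# Constructed, offline stand-in for DNS: the SPF TXT record and the MX hosts'
# addresses for one hypothetical domain. Not real DNS data.
FAKE_DNS = {
    "example.com": {
        # "-ip4:192.0.2.77" is listed before the /24 so it can take effect;
        # placed after it, the broader range would match first and the
        # explicit rejection would never be reached.
        "txt": "v=spf1 mx -ip4:192.0.2.77 ip4:192.0.2.0/24 ~all",
        "mx_ips": ["198.51.100.10", "198.51.100.11"],
    }
}

# Result names follow the qualifiers: "+" pass, "-" fail, "~" softfail, "?" neutral.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, dns=FAKE_DNS) -> str:
    """Evaluate the SPF record of `domain` (the MAIL FROM domain) against the
    IP address of the connecting server. Returns pass/fail/softfail/neutral,
    or "none" when the domain publishes no SPF record."""
    record = dns.get(domain, {}).get("txt")
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # no prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            # A bare address is treated as a /32; IPv6 senders never match ip4.
            matched = ip.version == 4 and ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            matched = sender_ip in dns[domain].get("mx_ips", [])
        else:
            continue  # mechanisms not modelled here are skipped
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term was present
```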

SPF does not perform this check on the domain of the sender’s email address shown in the From: header, but on that of the envelope sender – the user at the originating server, usually stored in the Return-Path: header. While the two domains are usually the same, this means that SPF does not provide any guarantee on the authenticity of the sender’s email address, but only on the fact that the originating server is authorized by the owner of the domain name used in the “MAIL FROM” SMTP command. DMARC is an additional email protection standard that, among other things, considers the sender’s email address as well.

Also, SPF does not guarantee that the message was not intercepted or modified during transport. DKIM is a complementary standard dealing with message tampering, though it does not prevent interception either.

On the SPF website you can find a broader introduction and a full description of all available mechanisms.