Sender Policy Framework (SPF) is a mechanism that is applied to a domain name, is widely adopted, and is very effective at mitigating spoofing of the transit-level / SMTP-level 5321.MailFrom (AKA “envelope”) address.

There are a few steps that are critical to deploying it successfully.

Step 1 of 5: Discovery of domain names

Any domain name can be used for sending email so anti-spoofing policies should be published for all registered domain names to ensure that only the owners’ trusted systems can do so.

However, IT aren’t always aware of every single domain name that the organisation has registered. For example, a founder may have registered domain names when they started the business but only informed IT of the ones that they want to have a web site, email, etc. For another example, a marketing department may have registered a domain name for an advertising campaign but not informed anyone else.

So, it’s a good idea to double-check with domain name registrar account admins, management, web developers, marketing, etc. to ensure that IT have a complete list of domain names to work with.

Step 2 of 5: Discovery of email services

Similar to the discovery of domain names above, IT may not be aware of every single email service that has been set up to send emails as the organisation’s domain names (for example, the web server may send emails for contact forms), so it’s a good idea to double-check with anyone or anything that may be involved to get a full picture of email usage.

You’ll be looking for:

- Whether the email service actually sends emails as your domain names. Some simply send emails using their own domain names to avoid these issues.
- What public IP addresses the email service uses to send emails. Fortunately, in this case, there are technical systems that can assist with discovery, such as a DMARC reporting-only policy, which we’ll cover below.
- Whether any providers offer SPF policies that can be included in yours.

You can find most of this out by checking the headers of emails that have already been sent, checking the provider’s documentation, and asking the provider’s support.

If any email services are configured to forward emails from external senders to external recipients, you may want to reconsider this setup, as these scenarios are fraught with problems. As a workaround, it’s important to ensure that those email services use the Sender Rewriting Scheme (SRS), if available.

Step 3 of 5: Creating and validating a policy

Now that you’ve identified which domain names are being used for email and which services are doing so, you’ll need to create SPF policies.

The design of an SPF policy can be easy to get wrong - I have personally seen multiple Email Service Providers (ESPs) as large as Outlook.com get them wrong on live email systems. So, it’s helpful to start with a generator such as MxToolBox’s.
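As an added example (not from the original post or from any generator), the following Python evaluates a sending IP against an SPF policy and flags two common design mistakes: more than one SPF record on a name, and more than the ten DNS-querying terms that RFC 7208 allows. All domain names, addresses and records are constructed sample values held in an in-memory zone in place of live DNS.

```python
import ipaddress
# Constructed sample zone standing in for live DNS TXT lookups (not real data).
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all"],
    "mail.example.net": ["v=spf1 ip4:198.51.100.10 include:relay.example.org ~all"],
    "relay.example.org": ["v=spf1 ip4:203.0.113.0/28 -all"],
    # broken: two SPF records on one name; many: eleven includes exceed the RFC 7208 limit of ten.
    "broken.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 +all"],
    "many.example": ["v=spf1 " + " ".join(f"include:hop{i}.example" for i in range(11)) + " -all"],
    **{f"hop{i}.example": ["v=spf1 -all"] for i in range(11)},
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4

def spf_record(domain, zone):
    """Return the domain's SPF record, or None if it has zero or several (permerror)."""
    recs = [r for r in zone.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    return recs[0] if len(recs) == 1 else None

def evaluate(domain, sender_ip, zone=ZONE, counter=None):
    """Evaluate sender_ip against domain's SPF policy; returns (result, dns_lookups_used)."""
    counter = counter if counter is not None else {"lookups": 0}
    ip = ipaddress.ip_address(sender_ip)
    record = spf_record(domain, zone)
    if record is None:
        return "permerror", counter["lookups"]
    for term in record.split()[1:]:
        qualifier, term = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        name, _, value = term.partition(":" if ":" in term else "=")
        name = name.lower()
        if name in LOOKUP_TERMS:
            counter["lookups"] += 1
            if counter["lookups"] > MAX_LOOKUPS:
                return "permerror", counter["lookups"]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULT[qualifier], counter["lookups"]
        elif name == "include":
            sub, _ = evaluate(value, sender_ip, zone, counter)
            if sub == "permerror":
                return sub, counter["lookups"]
            if sub == "pass":
                return RESULT[qualifier], counter["lookups"]
        elif name == "all":
            return RESULT[qualifier], counter["lookups"]
        # a, mx, ptr, exists and redirect need live DNS: counted toward the limit, not matched here.
    return "neutral", counter["lookups"]
```

Pointing this at the real records returned by a DNS client shows the same three things a generator should be checked against: the verdict for each sending IP you found in Step 2, the lookup count, and that each name carries exactly one SPF record.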