SPF (Sender Policy Framework)

Complete Guide to Email Authentication - Preventing Email Spoofing and Ensuring Deliverability

Why SPF Matters: Preventing Email Spoofing

SPF is the first line of defense against email spoofing. Without SPF, anyone can send emails claiming to be from your domain, leading to phishing attacks, reputation damage, and email delivery failures.

For government agencies, SPF is critical because spoofed emails can be used to steal credentials, intercept payments, and impersonate officials. The "-all" mechanism is critical—it means "reject all emails from servers not listed," providing strict protection.

What is SPF?

SPF (Sender Policy Framework) is a DNS record that specifies which mail servers are authorized to send email on behalf of your domain. It works by publishing a list of authorized sending servers in DNS, allowing receiving mail servers to verify that incoming emails actually came from authorized servers.

Think of SPF as a "whitelist" of authorized mail servers. When someone receives an email claiming to be from your domain, their mail server checks the SPF record to see if the sending server is on the list. If the server isn't authorized, the email can be rejected or marked as spam.

How SPF Works

Here's how SPF verification works when an email is received:

  1. Email Received: A mail server receives an email claiming to be from your domain
  2. SPF Record Lookup: The receiving server looks up your domain's SPF record in DNS
  3. IP Address Check: The receiving server checks if the sending server's IP address is in the SPF record
  4. Verification Result: The receiving server determines if the email is authorized:
    • Pass: Sending server is authorized (email accepted)
    • Fail: Sending server is not authorized (email rejected or marked as spam)
    • Soft Fail: Sending server is likely not authorized (email accepted but marked suspicious)
    • Neutral: SPF record doesn't specify (email accepted)

This process happens automatically for every email received, providing protection against spoofing without requiring any action from end users.

SPF Record Format

SPF records are TXT records in DNS that start with "v=spf1". Here's the basic format: 

v=spf1 [mechanisms] [qualifiers]

The record contains mechanisms that specify authorized servers and qualifiers that specify what to do with emails that don't match.

SPF Mechanisms

SPF mechanisms specify which servers are authorized to send email:

  • all: Always matches (used at the end with a qualifier)
  • ip4: Specifies an IPv4 address or range (e.g., ip4:192.0.2.1 or ip4:192.0.2.0/24)
  • ip6: Specifies an IPv6 address or range (e.g., ip6:2001:db8::1)
  • a: Authorizes servers specified in the domain's A record
  • mx: Authorizes servers specified in the domain's MX records
  • include: Authorizes servers specified in another domain's SPF record (e.g., include:_spf.google.com)
  • exists: Authorizes if a DNS record exists (advanced use)
  • redirect: Redirects to another domain's SPF record (replaces current record)

SPF Qualifiers

SPF qualifiers specify what to do with emails that match (or don't match) mechanisms:

  • + (plus): Pass (default) - email is authorized
  • - (minus): Fail - email is NOT authorized, reject it
  • ~ (tilde): Soft Fail - email is likely NOT authorized, accept but mark as suspicious
  • ? (question): Neutral - SPF doesn't specify, accept email

Critical: The "-all" mechanism at the end of your SPF record means "reject all emails from servers not explicitly listed." This provides strict protection. Without "-all" (or with "~all" or "?all"), attackers can still send spoofed emails.

Example SPF Records

Here are examples of SPF records:

Basic SPF Record (Single Server)

v=spf1 ip4:192.0.2.1 -all

This authorizes only one IP address (192.0.2.1) and rejects all others.

SPF Record with Multiple Servers

v=spf1 ip4:192.0.2.1 ip4:192.0.2.2 mx -all

This authorizes two specific IP addresses and all servers in MX records.

SPF Record with Third-Party Email Service

v=spf1 include:_spf.google.com include:_spf.example.com -all

This authorizes servers specified in Google's and another service's SPF records.

Weak SPF Record (NOT Recommended)

v=spf1 ip4:192.0.2.1 ~all

WARNING: This uses "~all" (soft fail) instead of "-all" (fail). This provides weak protection—emails from unauthorized servers are accepted but marked as suspicious.

No Protection (NOT Recommended)

v=spf1 ip4:192.0.2.1 ?all

WARNING: This uses "?all" (neutral). This provides NO protection—emails from unauthorized servers are accepted without any indication they're suspicious.

Why SPF is Critical for Government Agencies

For government agencies, SPF is not just recommended—it's critical for email security. Here's why:

1. Prevents Email Spoofing

Without SPF, anyone can send emails claiming to be from your domain. Attackers can:

  • Send phishing emails that appear to come from your agency
  • Impersonate government officials
  • Steal credentials or sensitive information
  • Intercept payment instructions or invoices
  • Damage your agency's reputation

Real-world impact: In December 2025, Smithville, Tennessee lost $425,000 when attackers spoofed a vendor's email address and tricked city officials into wiring payment to a fraudulent account. Proper SPF configuration with "-all" would have prevented this attack.

2. Ensures Email Deliverability

Mail servers increasingly require SPF records for email deliverability. Emails from domains without SPF records are more likely to be:

  • Rejected as spam
  • Marked as suspicious
  • Filtered into spam folders
  • Blocked entirely

3. Required for Complete Email Security

SPF is the first layer of email authentication. It works with DKIM and DMARC to provide complete email security. Without SPF, you cannot achieve complete email authentication and protection.

4. Required for CISA Compliance

The Cybersecurity and Infrastructure Security Agency (CISA) mandates SPF, DKIM, and DMARC for all government email domains. Failure to implement SPF results in non-compliance, which can lead to:

  • Criminal charges for negligence
  • Civil liability from email attacks
  • Federal grant restrictions
  • Insurance claim denials

Why "-all" is Critical

The "-all" mechanism at the end of your SPF record is critical because it means "reject all emails from servers not explicitly listed." This provides strict protection against spoofing.

Without "-all" (or with "~all" or "?all"), your SPF record provides weak or no protection:

  • "~all" (soft fail): Emails from unauthorized servers are accepted but marked as suspicious. This is weak protection—attackers can still send spoofed emails.
  • "?all" (neutral): Emails from unauthorized servers are accepted without any indication they're suspicious. This provides NO protection—anyone can send spoofed emails.
  • "-all" (fail): Emails from unauthorized servers are rejected or marked as spam. This provides STRICT protection—only authorized servers can send email.

For government agencies, "-all" is mandatory. Soft fail or neutral provides insufficient protection for sensitive government communications.

What Can Go Wrong Without SPF?

The consequences of operating without SPF or with improper SPF configuration are severe:

Email Spoofing

Attackers can send emails claiming to be from your domain, leading to:

  • Phishing attacks targeting citizens or employees
  • Credential theft through fake login pages
  • Payment interception through fake invoices
  • Impersonation of government officials
  • Reputation damage and loss of public trust

Email Delivery Failures

Emails from domains without SPF records are increasingly rejected or marked as spam by mail servers. This can cause:

  • Important emails not reaching recipients
  • Delayed or lost communications
  • Reduced email deliverability rates
  • Loss of citizen trust

Liability and Legal Consequences

Without SPF, you cannot prove that spoofed emails weren't authorized. This exposes your agency to:

  • Civil lawsuits from affected citizens
  • Criminal charges for failure to implement required security measures
  • Insurance claim denials
  • Loss of federal funding

How to Implement SPF

Implementing SPF requires identifying all authorized mail servers and creating an SPF record:

Step 1: Identify Authorized Mail Servers

You need to identify all servers that send email on behalf of your domain:

  • Your organization's mail servers (IP addresses)
  • Third-party email services (Google Workspace, Microsoft 365, etc.)
  • Email marketing services
  • Any other services that send email from your domain

Step 2: Create SPF Record

Create an SPF record that authorizes all identified servers. Use "include:" for third-party services and "ip4:" or "ip6:" for your own servers. Always end with "-all" for strict protection.

Step 3: Publish SPF Record in DNS

Publish the SPF record as a TXT record in your domain's DNS. The record must:

  • Start with "v=spf1"
  • Be a single TXT record (if the record is too long, it may need to be split, but this is not recommended)
  • End with "-all" for strict protection
  • Not exceed DNS record size limits (typically 255 characters per string, but modern DNS supports longer records)

Step 4: Test SPF Configuration

Test your SPF configuration using:

  • SPF validation tools (online SPF checkers)
  • Email authentication testing services
  • Your domain checker (YesGov's domain checker verifies SPF status)

Step 5: Monitor and Update

SPF records must be updated when:

  • Adding new mail servers
  • Changing email service providers
  • Adding new services that send email

Regular monitoring ensures your SPF record remains accurate and up-to-date.

Common SPF Implementation Issues

Several common issues can cause SPF problems:

1. Missing "-all" Mechanism

SPF records without "-all" (or with "~all" or "?all") provide weak or no protection.

Solution: Always end SPF records with "-all" for strict protection.

2. Incomplete List of Authorized Servers

Missing authorized servers in SPF records causes legitimate emails to be rejected.

Solution: Ensure all mail servers and services are included in your SPF record.

3. Including Unauthorized Servers

Including servers that shouldn't send email (or using overly broad mechanisms like "a" or "mx" when not appropriate) weakens protection.

Solution: Only authorize servers that actually send email from your domain.

4. Record Too Long

SPF records that exceed DNS size limits may not work correctly.

Solution: Use "include:" mechanisms for third-party services instead of listing all their IPs.

5. Not Updated When Servers Change

Outdated SPF records can cause legitimate emails to be rejected or allow unauthorized servers to send email.

Solution: Keep SPF records updated whenever mail servers or services change.

SPF and DMARC Integration

SPF works with DMARC (Domain-based Message Authentication, Reporting & Conformance) to provide complete email authentication. DMARC uses SPF (and DKIM) results to determine email handling policy.

Important: SPF alone is not enough. You need both SPF and DKIM, plus DMARC to enforce policies and provide reporting. SPF without DMARC provides some protection but doesn't allow you to control what happens to spoofed emails or provide visibility into authentication failures.

How YesGov Ensures SPF is Properly Configured

YesGov handles all aspects of SPF implementation and management for government agencies:

  • Complete Setup: We identify all authorized mail servers and create comprehensive SPF records
  • Strict Protection: We always use "-all" for strict protection against spoofing
  • Third-Party Integration: We properly integrate third-party email services using "include:" mechanisms
  • DNS Configuration: We publish SPF records in DNS with proper formatting
  • Testing and Validation: We test SPF configuration to ensure it works correctly
  • Ongoing Management: We update SPF records when mail servers or services change
  • Documentation: All SPF configuration and status is documented for compliance and insurance purposes
  • Integration: We ensure SPF works with DKIM and DMARC for complete email security

How YesGov Ensures Complete SPF Protection

At YesGov, we don't just check if SPF is configured—we perform comprehensive validation of your entire SPF setup:

  • Record Validation: We verify SPF record syntax and ensure it's properly formatted
  • Strict Policy Enforcement: We ensure "-all" mechanism is used for maximum protection
  • Server Authorization: We verify all authorized mail servers are correctly listed
  • Third-Party Integration: We properly configure "include:" mechanisms for third-party services
  • DNS Propagation: We verify SPF records are properly published and accessible
  • Testing and Validation: We test SPF from multiple mail servers to ensure proper enforcement
  • Ongoing Monitoring: We continuously monitor SPF status and alert on any issues

When you host with YesGov, SPF is properly configured with strict "-all" enforcement, continuously monitored, and automatically maintained. We handle record updates, third-party integrations, and validation testing so you don't have to worry about email spoofing. This is one of our comprehensive security checks that ensures your agency meets and exceeds federal, state, and industry standards.

Get Protected Today Check Your SPF
← Certificate Validation & CAA (Certificate Authority Authorization) DKIM (DomainKeys Identified Mail) →

Learning Guides

Compound Risks: When Security Failures Combine

How multiple security failures combine to create worse outcomes. Learn about compound risks in government cybersecurity: email impersonation, DNS hijacking, silent interception, and more.

DNSSEC (Domain Name System Security Extensions)

DNSSEC (DNS Security Extensions): Complete guide to protecting your domain from DNS spoofing, cache poisoning, and man-in-the-middle attacks. Learn how DNSSEC works, why it

SSL/TLS Certificate

SSL/TLS Certificate Guide: Complete guide to encrypting data in transit, protecting against man-in-the-middle attacks, and meeting CISA compliance requirements for government websites.

HTTPS Redirect & HSTS (HTTP Strict Transport Security)

HTTPS Redirect & HSTS: Complete guide to enforcing encrypted connections, preventing downgrade attacks, and meeting CISA requirements for government websites.

TLS Configuration (Versions, Ciphers, Hardening)

TLS Configuration: Complete guide to secure TLS versions, cipher suites, and hardening for government websites.

Certificate Validation & CAA (Certificate Authority Authorization)

Certificate Validation & CAA: Complete guide to SSL/TLS certificate validation, trust chains, and Certificate Authority Authorization (CAA) records.

SPF (Sender Policy Framework)

SPF (Sender Policy Framework): Complete guide to preventing email spoofing, ensuring email deliverability, and meeting CISA compliance requirements for government email security.

DKIM (DomainKeys Identified Mail)

DKIM (DomainKeys Identified Mail): Complete guide to cryptographically signing emails, verifying email authenticity, and preventing phishing attacks for government email security.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC (Domain-based Message Authentication): Complete guide to enforcing email authentication policies, preventing email spoofing, and meeting CISA compliance requirements.

MTA-STS (Mail Transfer Agent Strict Transport Security)

MTA-STS (Mail Transfer Agent Strict Transport Security): Complete guide to enforcing secure TLS connections for email transmission, preventing man-in-the-middle attacks.

TLS-RPT (TLS Reporting)

TLS-RPT (TLS Reporting): Complete guide to monitoring TLS connection failures for email transmission, identifying misconfigurations, and ensuring email security.

HTTP Security Headers & security.txt

HTTP Security Headers: Complete guide to X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and security.txt for protecting against web vulnerabilities.

IPv6 Support (DNS + Web Reachability)

IPv6 Support: Complete guide to IPv6 DNS and web reachability, ensuring accessibility for IPv6-only networks and future-proofing government infrastructure.

RPKI (Resource Public Key Infrastructure)

RPKI (Resource Public Key Infrastructure): Complete guide to BGP route security, preventing route hijacking, and protecting IP address space.

IP Reputation, RBLs & PTR Records

IP Reputation & RBL Checks: Complete guide to monitoring IP addresses on abuse databases, blacklists, and proper reverse DNS (PTR) configuration.

Website Scanning

Website Scanning: Complete guide to detecting exposed email addresses, broken links, and other website hygiene issues that pose security or compliance risks.

WordPress Detection

WordPress Detection & Security: Complete guide to detecting WordPress versions, identifying security vulnerabilities, and patching basics for government websites.

HSTS (HTTP Strict Transport Security)

HSTS (HTTP Strict Transport Security): Complete guide to forcing HTTPS connections, preventing downgrade attacks, and meeting CISA compliance requirements.