Sender Policy Framework

SPF is simply a validation system in the form of a DNS record that identifies on whose behalf an IP or domain sends email. These are designed to reduce and in most cases prevent email spam by verifying sender IP addresses. This also allows administrators to specify which hosts are allowed to send email from a given domain by generating a designated SPF (text) record in the Domain Name System or DNS.

When an SMTP (Simple Mail Transfer Protocol – i.e. text message) is generated it permits any computer to send the message masking its source with a trusted source address. As you can probably guess, this allows spammers to exploit this vulnerability by using a forged email address and make the source more difficult to trace which allows the spammers to remain anonymous. Many believe that the ability for anyone to forge sender addresses is a security flaw in modern SMTP systems.

Use of TXT records for SPF was intended as a transitional mechanism. However, according to the current RFC, RFC 4408, section 3.1.1, “An SPF-compliant domain name SHOULD have SPF records of both RR types. A compliant domain name MUST have a record of at least one type,” and as such, TXT record use is not deprecated. Spammers can send email with an SPF PASS result if they have an account in a domain with a sender policy, or abuse a compromised system in this domain. However, doing so makes the spammer easier to trace.