Sender Policy Framework (SPF): How It Stops Email Spoofing
The Rise of Email Spoofing and the Need for SPF
Email remains the most abused communication channel for cyberattacks. Threat actors regularly spoof trusted domains to trick recipients into clicking malicious links, opening attachments, or wiring money to fraudulent accounts.
While no single solution can stop all phishing attempts, Sender Policy Framework (SPF) is a foundational email authentication protocol. It helps prevent attackers from sending spoofed messages using your domain—and protects customers, partners, and internal users from impersonation. With email as a leading vector for cyberattacks, SPF plays a crucial role in preventing impersonation of domains.
Phishing currently makes up 15% of breaches overall, according to the 2025 Verizon Data Breach Investigations Report, to which SecurityScorecard was a contributing partner.
What Is SPF?
Sender Policy Framework (SPF) is a Domain Name System (DNS)–based protocol that identifies which mail servers are authorized to send email on behalf of your domain.
When a recipient mail server receives a message, it performs three steps:
- Extracts the domain from the envelope sender (the return-path, or MAIL FROM, address)
- Queries DNS for that domain’s SPF TXT record
- Compares the connecting server’s IP address against the senders that record authorizes
If the IP address isn’t authorized, the receiving server can reject or quarantine the message.
Why SPF Matters
SPF can reduce domain spoofing and lower phishing success rates. It can also help:
- Protect brand reputation
- Reduce email deliverability issues
- Flag unauthorized email sources during forensic analysis
While SPF doesn’t prevent all forms of impersonation, it can provide a critical signal for validating senders, especially when paired with DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance).
Anatomy of an SPF Record
An SPF record is a DNS TXT record that begins with v=spf1. SPF records can list:
- Specific approved IP addresses or ranges (ip4: and ip6:)
- include: references to third-party providers’ own SPF records
- Hostnames resolved from DNS A or MX records (a: and mx:)
Common SPF Misconfigurations
Incorrect SPF records can weaken protection or cause legitimate emails to be blocked. Common issues include:
- Too many DNS lookups: SPF allows at most 10 DNS lookups per evaluation (a limit that also helps thwart denial-of-service against resolvers); a record that exceeds it fails with a permanent error
- Missing include: entries: Often occurs when third-party senders, such as Salesforce or Mailchimp, are left out
- Soft fails (~all) instead of hard fails (-all): Lets spoofed emails slip through
- Multiple SPF records per domain: Only one SPF record is allowed per domain; a second one causes a permanent error
SecurityScorecard’s platform routinely identifies these misconfigurations during external scans. SPF issues often correlate with low DNS health scores.
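The three-step check described above, together with the lookup-limit and multiple-record misconfigurations from this section, as an added Python example (not code from the original post or from SecurityScorecard). It uses a constructed in-memory dictionary in place of real DNS, the domain names and addresses in it are reserved example values, and it implements only the ip4, ip6, include and all mechanisms.

```python
import ipaddress
# Constructed, offline stand-in for DNS: domain -> list of TXT records.
FAKE_DNS = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.vendor.example -all"],
    "_spf.vendor.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "weak.example": ["v=spf1 ip4:192.0.2.5 ~all"],          # soft fail only
    "broken.example": ["v=spf1 ip4:192.0.2.5 -all",          # two SPF records
                       "v=spf1 ip4:203.0.113.1 -all"],
    "loop.example": ["v=spf1 include:loop.example -all"],    # endless includes
}
MAX_LOOKUPS = 10  # DNS-querying mechanisms allowed per evaluation (RFC 7208)
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_records(domain, dns):
    return [r for r in dns.get(domain, []) if r.startswith("v=spf1 ")]

def check_spf(domain, sender_ip, dns=FAKE_DNS, _lookups=None):
    """Evaluate the SPF record of `domain` (the return-path domain) against the
    connecting server's IP. Returns pass, fail, softfail, neutral, none or permerror.
    a, mx, exists and redirect (not implemented here) count toward the same limit."""
    lookups = _lookups if _lookups is not None else [0]
    records = spf_records(domain, dns)
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # more than one SPF record is a permanent error
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many DNS lookups
            inner = check_spf(arg, sender_ip, dns, lookups)
            if inner in ("permerror", "none"):
                return "permerror"
            matched = inner == "pass"
        elif mech == "all":
            matched = True
        else:
            continue  # mechanism not supported by this example: skip it
        if matched:
            return RESULT[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term
```

Running check_spf("loop.example", "192.0.2.5") returns permerror because the self-referencing include exhausts the 10-lookup budget, and broken.example returns permerror before any IP is compared.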
SPF and Third-Party Email Senders
If your vendors send emails on your behalf—for marketing, invoicing, or CRM purposes, for instance—you must:
- Add their sending servers to your SPF record
- Validate that their mail systems are secure
- Reassess your SPF record periodically
How SPF Works With DKIM and DMARC
SPF is one layer of a complete email authentication strategy. To fully enforce sender validation, combine SPF with:
- DomainKeys Identified Mail (DKIM): Verifies the integrity of a message by using a digital signature
- Domain-based Message Authentication, Reporting, and Conformance (DMARC): Aligns SPF and DKIM results with visible headers and enforces policy
SPF only checks the envelope sender (return-path), not the “From” field that users see. Without DMARC, a spoofed “From” field can still bypass filters.
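How DMARC closes the gap just described, as an added Python example that is not part of the original post: it takes the SPF and DKIM results a receiver has already computed and applies DMARC’s alignment test to the visible From: domain. The organizational-domain derivation is simplified to the last two labels (a real receiver uses the Public Suffix List), and the domains in the scenario are constructed example values.

```python
def org_domain(domain):
    """Simplified organizational domain: last two labels (assumption for this example)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC alignment: 's' = strict (exact match), 'r' = relaxed (same org domain)."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_disposition(from_domain, spf_result, return_path_domain,
                      dkim_result, dkim_domain, policy="reject", aspf="r", adkim="r"):
    """Return (dmarc_pass, disposition). DMARC passes only if SPF or DKIM both
    passed *and* is aligned with the From: header domain; otherwise the
    domain owner's published policy (none/quarantine/reject) applies."""
    spf_ok = spf_result == "pass" and aligned(return_path_domain, from_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, adkim)
    if spf_ok or dkim_ok:
        return True, "none"
    return False, policy

# Constructed scenario: the envelope sender is attacker.example, whose own SPF
# record authorizes the sending IP, so SPF passes; the visible From: header
# claims example.com. Without DMARC the message would pass the SPF filter.
print(dmarc_disposition("example.com", "pass", "attacker.example", "none", ""))
# -> (False, 'reject'): SPF passed but is not aligned with the From: domain
```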
Best Practices for SPF Implementation
To improve your email security posture, follow these recommendations:
- Use -all to reject unauthorized senders: Avoid soft fails that let phishing emails slip through
- Keep SPF records concise: Avoid exceeding the 10-lookup limit
- Test SPF records using tools like MXToolbox or SPF Record Checker
- Update SPF records when onboarding or offboarding third-party services
- Monitor SPF alignment with DMARC reports to identify misconfigured senders
SPF Limitations
SPF helps validate sending infrastructure but has known gaps:
- It doesn’t verify the “From” field
- It can’t protect against man-in-the-middle attacks or message tampering
- It doesn’t enforce sender alignment without DMARC
Despite these limitations, SPF remains a low-effort, high-impact way to reduce spoofing risk.
Final Thoughts
SPF isn’t a silver bullet, but it is essential for organizations looking to project and protect a brand. Without it, anyone can spoof your domain and impersonate your brand. And while SPF doesn’t prevent every type of phishing, it signals to receiving servers which sources are trustworthy.
Organizations that ignore SPF leave a gap in their email defenses—one that attackers can easily exploit. Those that configure it correctly take an important step toward securing communications across their domain and vendor landscape.
Protect Your Supply Chain with Real-Time Threat Detection
SecurityScorecard’s SCDR solution offers continuous monitoring of your third-party ecosystem, enabling swift identification and mitigation of cyber threats. Enhance your organization’s resilience by proactively managing supply chain risks.
Frequently Asked Questions
Is SPF enough to stop phishing?
No. SPF alone isn’t sufficient. Use it in combination with DKIM, DMARC, and other tools for comprehensive protection.
Can I have multiple SPF records for one domain?
No. Only one SPF record is allowed per domain, but the entries of several records can be merged into a single record.
What happens if an SPF check fails?
Depending on your DMARC policy, the receiving server may reject, quarantine, or mark the message as suspicious.