Are SPF records protecting the email domain?

SPF works like a security guard for your email domain. It tells receiving servers which email systems are allowed to send mail using your domain name.

Written by Dan McKenzie
Updated this week

What is SPF?

SPF (Sender Policy Framework) is a security feature that specifies which mail servers can send emails from a domain. It works like a guest list, telling receiving servers which senders are authorized and which are not.

Why It Matters

A properly configured SPF record protects your domain in several ways:

  • Prevents attackers from sending emails that impersonate the domain

  • Helps legitimate emails reach their destination without being marked as spam

  • Protects domain reputation and email deliverability

  • Reduces the risk of phishing attacks targeting customers and partners


Security Checks

We check for these common SPF issues:

Is an SPF record present for the domain?

A Sender Policy Framework (SPF) record tells email servers which systems are allowed to send email from the domain. Without an SPF record, any server can impersonate the domain by sending unauthorized emails.

Is the SPF record allowing all servers to send email?

The domain's SPF record contains "+all" or "?all", which permits any server to send email as the domain. This removes all protection against email spoofing.

Is the SPF record formatted correctly?

The SPF record contains syntax errors that prevent email servers from properly validating senders. This can cause legitimate emails to fail or allow unauthorized senders.

Is the SPF policy set to neutral?

The domain uses a neutral SPF policy ("?all"), which only monitors unauthorized senders without blocking them. This provides minimal protection against email spoofing.

Are there multiple SPF records?

The domain has more than one SPF record. Email servers can only process one record, making email validation unpredictable and potentially blocking legitimate messages.

Is the SPF record using PTR lookups?

The SPF record relies on PTR records for validation. This method is unreliable and can be manipulated by attackers to bypass email authentication.

Does the SPF record require too many DNS lookups?

The SPF record needs more than 10 DNS lookups to validate senders. This exceeds the standard limit and may cause email validation to fail.

Are all included SPF records valid?

The SPF record references other domains' SPF records that don't exist. This creates security gaps and may cause email validation errors.

Are there mechanisms after the "all" directive?

The SPF record contains rules that appear after the "all" directive. These rules will never be checked, creating potential security gaps.

Is the SPF record using current syntax?

The domain uses an outdated SPF record type. While still functional, this may cause compatibility issues with some email systems.

Is the SPF policy set to hard fail?

The domain uses a strict rejection policy ("-all") for unauthorized senders. While secure, this may block legitimate emails if the SPF record is not carefully maintained.
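
Several of the checks above can be evaluated from the record text alone. The following is an added example, not the monitoring product's own code: it takes the TXT strings already retrieved for a domain and returns finding codes. The function name, finding codes and sample record are assumptions made for illustration. It performs no DNS queries, so the lookup count covers only the record itself, and the checks for missing included records and the outdated record type are out of scope.

```python
import re

# Added example: offline linter for some of the SPF checks listed above.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs a DNS lookup
MODIFIER = re.compile(r"^([a-z][a-z0-9_.-]*)=", re.I)
MECHANISM = re.compile(r"^([+\-~?]?)([a-z][a-z0-9]*)([:/].*)?$", re.I)

def lint_spf(txt_records):
    """Return a sorted list of finding codes (hypothetical names)."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no_spf_record"]
    findings = set()
    if len(spf) > 1:
        findings.add("multiple_spf_records")
    for record in spf:
        lookups, seen_all = 0, False
        for term in record.split()[1:]:
            mod = MODIFIER.match(term)
            if mod:
                # Modifiers are not mechanisms; redirect= costs one lookup.
                if mod.group(1).lower() == "redirect":
                    lookups += 1
                continue
            mech = MECHANISM.match(term)
            if not mech or mech.group(2).lower() not in MECHANISMS:
                findings.add("syntax_error")
                continue
            name = mech.group(2).lower()
            qualifier = mech.group(1) or "+"  # a missing qualifier means "+"
            if seen_all:
                findings.add("mechanism_after_all")  # never evaluated
            if name in LOOKUP_MECHS:
                lookups += 1
            if name == "ptr":
                findings.add("uses_ptr")
            if name == "all":
                seen_all = True
                if qualifier in ("+", "?"):
                    findings.add("allows_all_senders")
                if qualifier == "?":
                    findings.add("neutral_policy")
                if qualifier == "-":
                    findings.add("hard_fail_policy")
        if lookups > 10:
            findings.add("too_many_dns_lookups")
    return sorted(findings)

# Constructed sample record (not taken from any real domain).
SAMPLE = ["v=spf1 ptr include:_spf.example.net ?all ip4:192.0.2.10"]
```
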


Industry Standards

SPF is recommended by:

  • ISO 27001 (Email Security Controls)

  • NIST SP 800-177 (Email Security Guidelines)

  • UK NCSC Email Security Guidelines
