Understanding SPF: A Guide to Email Authentication

As email continues to be one of the most commonly used pathways of communication for businesses, it’s important to understand the components of an effective email. One of the fundamental components of a trustworthy and secure email is the use of Sender Policy Framework (SPF) authentication.

SPF is a simple email validation system allowing domain users to specify which servers are granted access to send email via the domain. This SPF validation prevents spammers from sending emails which appear to come from your domain. The prevention of invalidated emails from being sent keeps your email domain safe from being marked as a spam domain. 

The standard SPF record recommended by Google is:

v=spf1 include:_spf.google.com ~all

This SPF record is broken down as follows:

V=spf1

This indicates the version of SPF to use. Only spf1 currently exists.

include:_spf.google.com

SPF record inherits all of Google’s IP addresses and passes all email sent from those IPs.

~all

SoftFail all messages sent from other Ips.

In the event you send emails from a different server, application, scanner etc., then you also must:

Include the IP of that other sending mechanism in the SPF. That is if the Ip of the sending mechanism is 7.7.7.7, then update the SPF as follows:

v=spf1 ip4:7.7.7.7 include:_spf.google.com ~all

Make sure you are also adding the sending IP to the EMail Allowlist in the Google Admin Console.

What is Spam?

Spam is the term commonly used for mass unsolicited emails. These spam emails are typically used by businesses for commercial purposes. With the cost of emails being incredibly low, some illegitimate businesses send out spam emails either manually or using botnets.

Spam Factors

Authentication Reputation:

• Is SPF, DKIM, or DMARC added?
• Are all of the sending IPs on the SPF?

Domain Reputation:

• Has this domain been flagged as a spammer?
• Have you checked if the site appears on the Safe Browsing Transparency Report?

User Reputation:

• Has this user been sending mass spam messages?
• Has this user marked messages as spam?

Environment Setup:

• How is Authentication denied for the environment?

Message Content and Format:

• Does the content have multiple links?
• Is the content RFC 5322-compiant?
• Does the content follow the recommendation of the bulk sender guidelines?

How Users Control Spam 

False Negative 

False negative messages are incorrectly classified as “Not Spam”.

In cases of false negatives, the users can click on “report spam” so that their inbox can recognize messages such as this should be considered spam in the future.

False Positive

False positive messages are incorrectly classified as “Spam”.

In cases of false positive messages, users can mark the message as “Not spam” so their inbox can recognize messages such as this are not spam in the future.

Sending Messages

When users are sending legitimate emails, especially in large volume such as marketing emails, it is recommended to follow common anti-spam recommendations such as in RFC 2505.

How Admins Control Spam

Google allowlist

Google Workspace gives Gmail Administrators several ways to manage incoming email received by their organization. Gmail Administrators can block specific senders using a denylist as well as bypass spam filters with an allowlist or a specific approved senders list.

Inbound Gateway

An inbound gateway is designed to skip all the IPs added to the setting and running the authentication checks on the first detected public IP (this should be the real sending IP). This gives accurate authentication results and will eliminate the possibility of google suspecting an email attack.

Inbound Gateway influences the behavior of reputation checks and SPF checks.

The Bottom Line

Email is a simple and commonly used communication method on the surface, however as you can see there are many factors in creating an effective email. Hopefully this article has assisted you with your understanding of SPF and how it applies to email.