Businessman showing colleague data on computer

5 things you should know about Sender Policy Framework

Cybersecurity is a complex topic. If you’re serious about protecting your company (you should be), then there’s a lot to learn about. That’s why we’re happy to share our expertise. The more everyone knows about stopping cybercriminals, the more it helps everyone.

In this article, we’re going to dive into the topic of Sender Policy Framework (SPF). But before we do, yes, some of this is technical but no, we aren’t going to lean into that too much.

Instead, we’re going to provide a clear, plain-English explanation of what Sender Policy Framework is, what kind of cyberattacks it stops, why you want it, and even how to set it up.

We’ll also include some more technical information if you would like to know it, but it will be clearly marked and you can skip over it if you just want a summary of the practical info.

1. What is SPF?

Sender Policy Framework is a form of email protection.

When someone sends an email, there’s all kinds of information about the sender included. You generally only see their name and email address, but there’s more information in the background. SPF checks the information in the background in an effort to determine if the email is really from the person it appears to be from.

Tech specs: SPF verifies that the originating IP address of an email matches one of the authorized IT addresses associated with the alleged sender’s domain. It accomplishes this by referencing the DNS records for the domain.

2. What cyberthreats does SPF stop?

SPF plays a very specific but very critical role in your overall cybersecurity. It won’t detect a virus or stop malware—at least, not directly. That’s because the goal of SPF is even more basic—it’s trying to spot attacks before anything has even happened.

Specifically, email attacks.

When SPF is implemented correctly, it will flag and reject messages that appear to be forgeries. Forged emails are pretty much the name of the game when it comes to spoofing and phishing attacks.

Tech specs: If a sender has an account on an approved domain or has gained access to an approved domain, they can send email messages that will be accepted by SPF, making SPF less than 100% effective.

3. So, what are spoofing and phishing attacks?

Spoofing and phishing are two very similar forms of cyberattack—so much so that the two terms are frequently used interchangeably. It can get confusing.

Instead of delving too deep into that debate, we’re just going to provide you with a standard definition of each so you know what someone is talking about when they reference either.


Spoofing can happen in a variety of ways. Email is a common spoofing delivery method.

A spoofing attack is when someone uses a false identity to gain your trust with the intention of taking something from you or getting you to download something harmful.


Phishing attacks get more press coverage than spoofing, and they come in several specific forms depending on the target and exact strategy of the cybercriminal.

A phishing attack is when a cybercriminal represents themselves as someone you already trust in an effort to get you to freely give them personal information, like an account password.

What’s the difference?

Some would argue the difference between the two is this: spoofing is an attempt to get you to do something (like download malware) and phishing is an attempt to get you to give something (like the password to your company’s bank account).

In practical terms, it’s just splitting hairs. In either case, someone pretends to be someone they’re not to trick you via email.

How SPF helps

SPF helps by stopping attempted spoofing and phishing emails before they even hit your inbox. You and your employees can’t be tricked into compromising your data security if the false email never even makes it to you.

4. Is SPF all you need to stop spoofing and phishing?

In a word, no.

SPF is effective and necessary. It will stop a lot of attempted cyberattacks. But it’s not foolproof.

If you really want to protect your business from spoofing and phishing attacks, you need solid employee training to make sure everyone knows what information is okay to give out via email and what information should never be included in an email.

Tech specs: Due in part to the fact that SPF is an older technology, 78% of companies use it correctly, making it one of the more successfully implemented email cybersecurity measures.

5. How do you set up SPF?

If you don’t already have SPF set up on your email server, you need to address that. This is a basic, long-standing layer of cybersecurity you cannot overlook.

Here’s how to add it.