How to Configure SPF?

How to Configure SPF?

Sender Policy Framework (SPF) is an email authentication technique used for mitigating cyber threats by helping the user detect email forging and spoofing. Email servers use the Return-Path to get an SPF Record, whenever a user receives an email. A Return-Path is the email address used by recipient email servers to notify the sender of any delivery problems. If an email fails to deliver, the Return-Path is where it will end up. 

The SPF record retrieved by the recipient email server will include a list of approved IP addresses that are permitted to send an email for the sender’s domain. The email server will compare the IP address of the received email to the retrieved list. If it matches, the email passes SPF authentication. If not, the email may very well be fraudulent. 

How does Return-Path Affect SPF Alignment?

The Return-Path is crucial for passing the SPF Alignment test. This test is a part of DMARC, where a message must either pass both DKIM Authentication and Alignment tests or pass both SPF Authentication and Alignment tests for being considered DMARC Compliant. This means that it is essential for the domain included in the Return-Path to match the domain in the “From” address.

How to Achieve SPF Alignment?

Setting a custom Return-Path has many advantages. If a DMARC policy has been implemented for your domain, it is strongly recommended to set up a custom Return-Path for achieving SPF alignment. DMARC confirms that the Return-Path of an email matches the domain in your “From” address. If it doesn’t, that email will fail SPF alignment authentication.

For instance, if your organization sends emails from example.com, you can still pass DKIM and SPF authentication; however, if the “From” and Return-Path addresses don’t use the same domain, SPF won’t pass for DMARC verification. When the Return-Path domain kdmarc.example.com is set up and emails are sent from example.com, your domains are aligned for DMARC to operate. Setting up this custom Return-Path scenario will create the header <kd_marc@kdmarc.example.com>.

 

Relaxed SPF Alignment (aspf=r)

From Domain

Return Path

DMARC Evaluation

example.com

example.com

Pass

example.com

abc.example.com

Pass

example.com

example.kdmarc.com

Fail

 

Strict SPF Alignment (aspf=s)

From Domain

Return Path

DMARC Evaluation

example.com

example.com

Pass

example.com

abc.example.com

Fail

 

For setting up a bounce domain, you will need to establish a CNAME record with a DNS service provider of your choice. Once you get a CNAME record, the custom bounce domain can override the existing Return-Path value of example.com for all the messages sent from your domain. Also, it boosts the overall deliverability of your emails to inboxes.



    • Related Articles

    • How Smart SPF Works?

      KDMARC is an industry-leading cybersecurity tool, designed to monitor three standard email authentication protocols- SPF, DKIM and DMARC, for complementing the Simple Mail Transfer Protocol (SMTP). It offers the Smart SPF feature to monitor and ...

    • SPF Setup for Freshdesk

      SPF helps verify the origin of email messages so that unauthorized senders cannot send messages on behalf of your domain. Freshdesk supports SPF authentication, and it can be configured manually by following the simple steps discussed in this ...

    • What is the difference between SPF results and SPF?

      SPF Stands for Sender Policy Framework, it assists in adding restrictions on your DNS server and defines who can send email from your domain. Besides, SPF plays a vital role in preventing domain spoofing as it doesn’t allow unauthorized sources to ...

    • How to Set Up SPF for ProtonMail?

      ProtonMail highly recommends that you configure SPF for all your registered domains to make sure your outbound emails are effectively authenticated.   How to Create an SPF Record for ProtonMail? In order to generate your SPF record on ProtonMail, log ...

    • How to Setup SPF for Constant Contact?

      If you want to allow constant contact to send emails on behalf of your domain, you need to set up SPF and modify the records to include constant contact. Otherwise, your emails sent using the application will not be DMARC compliant and will fail ...