SPF Fundamentals
DMARC is the standard for protecting domains against spoofing and phishing, but it doesn’t work on its own. It relies on two building blocks: SPF and DKIM.
In this article, we’ll look at SPF (Sender Policy Framework)—a simple but vital part of DMARC.
What SPF Does
SPF is how you tell the world which servers are allowed to send email for your domain.
When someone receives an email that claims to come from you, their email system checks your SPF record. If the sending server’s IP address is on your approved list, the email passes SPF. If not, it fails.
Think of SPF like a guest list for your domain’s email: only the names you’ve added get in.
Why SPF Matters for DMARC
SPF on its own can stop some spoofing, but the real power comes when it’s used with DMARC.
SPF approves senders → You list the mail servers and services you trust.
DMARC enforces policy → DMARC uses the SPF result (and DKIM) to decide whether to deliver, quarantine, or reject suspicious messages.
Without SPF, DMARC doesn’t have the information it needs to protect your domain.
Example SPF Record
Here’s what an SPF record might look like if you use Microsoft 365 and your own mail server:
v=spf1 ip4:192.0.2.10 include:spf.protection.outlook.com -all
ip4:192.0.2.10 → Approves your company mail server.
include:spf.protection.outlook.com → Approves Microsoft 365 servers.
*-all *→ Anything not listed is not authorised.
That’s it—you’ve told the world exactly who can (and can’t) send your email.
Key Takeaways
SPF is about approving the sending servers for your domain.
It’s one of the two technologies DMARC depends on (alongside DKIM).
Without SPF, DMARC can’t fully protect your domain.
By keeping your SPF record up to date with all your legitimate senders, you’re laying the foundation for strong DMARC protection and improved deliverability.
