Using Sender Policy Framework (SPF) in your organisation
Updated 15 March 2021
© Crown copyright 2021
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/email-security-standards/sender-policy-framework-spf
Sender Policy Framework (SPF) lets you publish a DNS record of all the domains or IP addresses you use to send email. Receiving email services check the record and know to treat email from anywhere else as spam.
You can include more than one sending service in your SPF record. For example, your corporate email service and an email marketing service.
Your SPF record also contains a qualifier option, which lets you:
- tell recipients to ignore your record while you test it
- mark, but not reject, email from an unknown source
How SPF works
An example SPF record looks like this:
v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ~all
In the example:
- v=spf1 is an SPF record
- include: means email can only come from these sources
- ~all considers any other email as a soft fail
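The following is an added example, not part of the original guidance: a small offline check that splits an SPF record into its terms, reports the result a receiver assigns to senders the record does not list, and flags common mistakes. The function names parse_spf and lint_spf are hypothetical; the qualifier meanings and the limit of 10 DNS lookups come from RFC 7208.

```python
import re

# Results a receiver assigns per qualifier (RFC 7208): + pass, - fail, ~ softfail, ? neutral.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that each cost the receiver one DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"([A-Za-z][A-Za-z0-9_.-]*)(?:[:=/](.*))?$")


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, name, value) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")
    terms = []
    for part in parts[1:]:
        qualifier = "+"  # a term written without a qualifier means pass
        if part[0] in QUALIFIERS:
            qualifier, part = part[0], part[1:]
        match = TERM.match(part)
        if not match:
            raise ValueError(f"unparseable term: {part!r}")
        terms.append((qualifier, match.group(1).lower(), match.group(2) or ""))
    return terms


def lint_spf(record):
    """Return (result for unlisted senders, included domains, warnings)."""
    terms = parse_spf(record)
    includes = [value for _, name, value in terms if name == "include"]
    all_qualifiers = [q for q, name, _ in terms if name == "all"]
    warnings = []
    if all_qualifiers:
        default = QUALIFIERS[all_qualifiers[0]]
    elif any(name == "redirect" for _, name, _ in terms):
        default = "set by redirect target"  # not resolved: this example is offline
    else:
        default = "neutral"
        warnings.append("no 'all' term: unlisted senders get a neutral result")
    if default == "pass":
        warnings.append("+all authorises any server to send as this domain")
    # Counts this record only; lookups inside included records also count.
    lookups = sum(1 for _, name, _ in terms if name in LOOKUP_TERMS)
    if lookups > 10:
        warnings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return default, includes, warnings


if __name__ == "__main__":
    # The example record from this page.
    print(lint_spf("v=spf1 include:spf.protection.outlook.com include:servers.mcsv.net ~all"))
```

Run against the record above, it reports softfail for unlisted senders, the two included services, and no warnings.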
Further email security guidance
All public sector organisations must follow guidance on how to set up email services securely.
Openspf.org has detailed information on the SPF specification.