
SPF Record Checker Prevents Email Spoofing of Domains

Sender Policy Framework (SPF) prevents domain spoofing and phishing by verifying the authenticity of the email sender, a critical defence as cybercriminals increasingly target British businesses. By allowing domain owners to specify exactly which mail servers are permitted to send email on their behalf, SPF checks the connecting IP address against a published DNS record. When implemented correctly, this standard dramatically reduces the risk of malicious actors impersonating your domain in the SMTP MAIL FROM field, thwarting direct spoofing attempts and improving email deliverability by minimising false positives.

How SPF protects UK organisations

Email remains the primary attack vector for cybercriminals targeting British companies, with small and medium-sized enterprises in London particularly vulnerable due to less sophisticated security infrastructure. The National Cyber Security Centre (NCSC) has long emphasised the importance of email authentication protocols including SPF, DKIM and DMARC as a minimum for securing government communications. The scale of the threat is stark: in the last 12 months, 79% of UK businesses reported experiencing a phishing attack, a notable increase from previous years. Business Email Compromise (BEC) attacks, which rely on spoofed or compromised accounts to impersonate trusted executives or suppliers, have caused significant financial damage. Attackers are now deploying AI-powered phishing and vishing scams, abusing legitimate platforms such as QuickBooks, Zoom and SharePoint to bypass standard security filters — with these emails passing DMARC authentication 100% of the time.

SPF proves particularly effective at blocking the direct impersonation of a domain in the envelope sender. Regular compliance checks using an SPF checker serve as a diagnostic tool to verify that authorised IP addresses and senders are accurately listed in DNS, helping to safeguard domain reputation and mitigate phishing across providers.

Where SPF falls short

Despite its strengths, SPF has critical limitations that mean it cannot be relied upon alone. It does not verify the From header displayed to recipients; instead, it checks only the envelope sender and the connecting server. If the domain in the From header differs from the one analysed by SPF, the email can pass authentication even when the brand appears forged. SPF also provides no guarantee of message integrity — that function belongs to DKIM.

To defend against advanced email threats, SPF must be combined with DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance). DMARC ensures that either SPF or DKIM aligns with the visible From domain, enforcing policies and reporting authentication failures back to the domain owner. Relying solely on SPF also does not guarantee inbox placement; effective content strategies, reliable infrastructure and continuous monitoring remain essential.

A major technical constraint is the limit of 10 DNS lookups per SPF evaluation. Each use of include, a, mx and exists generates additional queries, and exceeding this cap results in a permanent failure (permerror). In the UK, 4.8% of SPF-enabled domains risk this error. Publishing more than one TXT record beginning with v=spf1 also breaks validation, because a receiver expects exactly one. A neutral ?all, or a ~all left in place permanently, weakens domain security and invites misuse. Syntax errors, such as writing ip4 without a value, likewise cause SPF failures.

The anatomy of an SPF record

An SPF record is a DNS TXT entry published at the primary domain (e.g., example.com) or a mail subdomain. The standard format begins with v=spf1, followed by mechanisms that specify permitted sending sources:

ip4 and ip6 designate approved IP addresses or CIDR ranges. a matches the connecting IP against the A/AAAA records of the domain being evaluated. mx matches it against the mail servers listed in the domain’s MX records. include evaluates the SPF policy of another domain, which is how SaaS providers are commonly authorised. exists grants authorisation when a DNS query for the given name returns a record. Modifiers such as redirect= and exp= may also appear.

Qualifiers determine the action taken: + (pass) is the default; ~ (softfail) marks non-matching emails as questionable, useful during testing; - (fail) enforces strict denial; ? (neutral) indicates no policy preference. Experts recommend starting with ~all and transitioning to -all only after confirming compliance. Keeping mechanisms narrow reduces security risks and prevents lookup violations.

Using an SPF record checker

An SPF checker queries the DNS provider for the TXT record, simulates an SPF check from the recipient’s perspective, runs diagnostic tests against test IPs, and assesses security risks. For validation, look for a “pass” result on syntax and ensure total DNS lookups remain below ten. Tools such as MXToolBox (with SuperTool) and EasyDMARC (with EasySPF, Delivery Center and Touchpoint) are widely used; community-reviewed platforms on Expert Insights, G2 Crowd and SourceForge also feature prominently. Some vendors offer MSP, Reseller and Wholesale Program options, and have received accolades such as the Channel Program Award.
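To make the mechanism, qualifier and lookup-limit rules above concrete, the following Python script is an added example (not the article's code and not any checker vendor's tool) of what an SPF checker does internally: it fetches the v=spf1 record, walks the mechanisms for a given connecting IP, counts every DNS-querying term against the limit of ten, and reports permerror for duplicate records, an include of a domain without SPF, or a bare ip4. DNS is replaced by an in-memory table of constructed zone data using documentation address ranges (example.com, _spf.saas.example and the hopN.example chain are all made up), so it runs offline.

```python
"""Minimal SPF evaluator with DNS-lookup counting (added example, not the article's code).
DNS is an in-memory table of constructed data so this runs offline; a/mx CIDR suffixes and macros are out of scope."""
import ipaddress

MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying terms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data (documentation ranges only): name -> record type -> values.
FAKE_DNS = {
    "example.com": {"TXT": ["v=spf1 ip4:203.0.113.0/24 mx include:_spf.saas.example -all"],
                    "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["198.51.100.10"]},
    "_spf.saas.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf2.saas.example ~all"]},
    "_spf2.saas.example": {"TXT": ["v=spf1 ip6:2001:db8::/32 -all"]},
    # Two v=spf1 records: a validator must flag this rather than pick one.
    "two-records.example": {"TXT": ["v=spf1 ip4:203.0.113.5 -all", "v=spf1 ip4:203.0.113.6 -all"]},
    "broken.example": {"TXT": ["v=spf1 ip4 -all"]},  # ip4 without an address
    "orphan.example": {"TXT": ["v=spf1 include:nonexistent.example -all"]},  # missing include
}
for i in range(1, 13):  # twelve chained includes, enough to exceed the limit
    FAKE_DNS[f"hop{i}.example"] = {"TXT": [f"v=spf1 include:hop{i + 1}.example -all"]}

class SpfError(Exception):
    """Conditions that RFC 7208 maps to permerror."""

def lookup(name, rtype):
    return FAKE_DNS.get(name.lower(), {}).get(rtype, [])

def get_spf_record(domain):
    # Exactly one TXT record may start with v=spf1; more than one is an error.
    records = [r for r in lookup(domain, "TXT") if r.split()[:1] == ["v=spf1"]]
    if len(records) > 1:
        raise SpfError(f"{domain} publishes {len(records)} SPF records")
    return records[0] if records else None

def host_addresses(name):
    return [ipaddress.ip_address(v) for v in lookup(name, "A") + lookup(name, "AAAA")]

def count_lookup(counter, domain):
    counter["lookups"] += 1
    if counter["lookups"] > MAX_LOOKUPS:
        raise SpfError(f"more than {MAX_LOOKUPS} DNS lookups while evaluating {domain}")

def check_host(addr, domain, counter):  # counter tracks DNS-querying terms
    record = get_spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term.split(":")[0]:  # modifier such as redirect= or exp=
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue  # exp= and unknown modifiers do not affect the result
        qualifier = "+"  # no qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if not arg:
                raise SpfError(f"{name} mechanism without an address in {domain}")
            net = ipaddress.ip_network(arg, strict=False)
            matched = net.version == addr.version and addr in net
        elif name in ("a", "mx", "exists", "include"):
            count_lookup(counter, domain)
            target = arg or domain
            if name in ("a", "mx"):
                hosts = [target] if name == "a" else lookup(target, "MX")
                matched = any(addr in host_addresses(h) for h in hosts)
            elif name == "exists":
                matched = bool(lookup(target, "A"))
            else:  # include: only a pass of the included policy counts as a match
                sub = check_host(addr, target, counter)
                if sub == "none":
                    raise SpfError(f"included domain {target} has no SPF record")
                matched = sub == "pass"
        else:
            raise SpfError(f"unknown mechanism {name!r} in {domain}")
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:  # consulted only when nothing above matched
        count_lookup(counter, domain)
        return check_host(addr, redirect, counter)
    return "neutral"

def check(ip, domain):  # report (result, lookups_used) the way a checker would
    counter = {"lookups": 0}
    try:
        result = check_host(ipaddress.ip_address(ip), domain, counter)
    except SpfError as err:
        result = f"permerror: {err}"
    return result, counter["lookups"]

if __name__ == "__main__":
    for dom in ("example.com", "hop1.example", "two-records.example", "broken.example"):
        print(f"{dom:22} {check('198.51.100.99', dom)}")
```

Two behaviours are worth noting when reading a real checker's output against this model: an include contributes a match only when the included policy returns pass, so a vendor's ~all or -all inside the include never produces a softfail or fail for your domain, and every include, a, mx, exists and redirect= is charged against the same counter, which is why deeply nested vendor records push a domain over ten without any change to its own top-level record.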

[Figure: Diagram showing how an SPF email authentication check filters spoofed sender addresses]

Warnings from a validator may highlight multiple records, redundant lookups or duplicate mechanisms, indicating maintenance is required. When expanding lookups, verify that authorised IP addresses match legitimate senders. Beware of errors like typographical mistakes, invalid CIDR notations or missing includes. Useful features include Reputation Monitoring, an Alert Manager for changes, Email Header Analyzers, Inbox Placement Tests, Email Verification tools and Email Health dashboards. The NCSC is retiring its free Mail Check service on March 31, 2026, which will necessitate a transition to commercial tools for many organisations, particularly those in the retail sector already leading in DMARC adoption.

A typical workflow involves using an SPF record generator to create policy options, a validator to perform pre-deployment checks, and a final live test. It is advisable to re-run a checker after any changes.

Troubleshooting and the need for a layered approach

The primary reason for SPF failures is exceeding the 10-lookup limit, often due to chained include mechanisms. To fix this, translate includes into their approved IP addresses, directly list IPv4 and IPv6 addresses, and use managed “flattening” methods or automatic SPF generators. Merge overlapping IP ranges, eliminate unused SaaS senders, and favour redirect= for distinct business units. To prevent issues, insist that suppliers document their SPF record lookup activity when acquiring services, and implement regular automated compliance checks via Alert Manager.

Where multiple SPF records exist, consolidate them into one definitive record and validate it before publishing. Use ~all only during the initial phase, then switch to -all once every legitimate email route has been verified. Run diagnostic tests against your standard routing IPs and verify SPF for each sending subdomain. Keep vendor include entries tidy and audit them regularly.
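As an added example of the flattening step described above (not the article's code and not any vendor's generator), the following Python script walks a constructed include and redirect chain, collects the ip4/ip6 networks it grants, collapses overlapping ranges with the standard library's ipaddress.collapse_addresses, keeps a, mx and exists mechanisms verbatim, and reports how many DNS lookups the record needed before and after. All zone data (example.com and the _spf.*.example records) is made up and uses documentation address ranges.

```python
"""SPF include flattening (added example, not the article's or any vendor's code).
Walks include:/redirect= references, collects the ip4/ip6 networks they grant,
collapses overlapping ranges and emits a record with as few DNS lookups as possible.
DNS is an in-memory table of constructed data."""
import ipaddress

# Constructed zone data (documentation ranges only): domain -> SPF TXT record.
FAKE_DNS = {
    "example.com": "v=spf1 mx include:_spf.crm.example include:_spf.helpdesk.example ip4:203.0.113.0/25 -all",
    "_spf.crm.example": "v=spf1 ip4:192.0.2.0/24 ip4:192.0.2.128/25 include:_spf.crm-eu.example ~all",
    "_spf.crm-eu.example": "v=spf1 ip6:2001:db8:1::/48 ip4:198.51.100.0/24 -all",
    "_spf.helpdesk.example": "v=spf1 ip4:203.0.113.0/24 redirect=_spf.helpdesk-v2.example",
    "_spf.helpdesk-v2.example": "v=spf1 ip6:2001:db8:1:ffff::/64 -all",
}
DNS_MECHANISMS = ("a", "mx", "exists", "include")  # terms that cost a lookup when left in place


def mechanism_name(term):
    """'~mx:foo.example/24' -> 'mx' (qualifier, argument and CIDR suffix stripped)."""
    return term.lstrip("+-~?").split(":")[0].split("/")[0].lower()


def collect(domain, seen=None):
    """Return (networks, passthrough_terms, lookups) reachable from domain's record."""
    seen = set() if seen is None else seen
    if domain in seen:  # an include loop would otherwise recurse forever
        return [], [], 0
    seen.add(domain)
    record = FAKE_DNS.get(domain)
    if record is None:
        raise ValueError(f"{domain} publishes no SPF record")
    nets, passthrough, lookups = [], [], 0
    for term in record.split()[1:]:
        lowered = term.lower()
        if lowered.startswith("redirect=") or lowered.lstrip("+").startswith("include:"):
            lookups += 1
            target = term.partition("=" if "=" in term else ":")[2]
            sub_nets, sub_pass, sub_lookups = collect(target, seen)
            nets += sub_nets
            passthrough += sub_pass
            lookups += sub_lookups
        elif lowered.lstrip("+").startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term.partition(":")[2], strict=False))
        elif lowered.lstrip("+-~?") == "all":
            continue  # the top-level all term is re-attached by flatten()
        else:  # a, mx, exists, exp= and non-pass-qualified terms are kept verbatim
            passthrough.append(term)
            if mechanism_name(term) in DNS_MECHANISMS:
                lookups += 1
    return nets, passthrough, lookups


def flatten(domain):
    """Return (flattened_record, lookups_before, lookups_after)."""
    nets, passthrough, before = collect(domain)
    # collapse_addresses only accepts one address family at a time.
    v4 = sorted(ipaddress.collapse_addresses([n for n in nets if n.version == 4]))
    v6 = sorted(ipaddress.collapse_addresses([n for n in nets if n.version == 6]))
    top_terms = FAKE_DNS[domain].split()[1:]
    final = next((t for t in top_terms if t.lower().lstrip("+-~?") == "all"), "-all")
    terms = [f"ip4:{n}" for n in v4] + [f"ip6:{n}" for n in v6] + passthrough + [final]
    after = sum(mechanism_name(t) in DNS_MECHANISMS for t in passthrough)
    return "v=spf1 " + " ".join(terms), before, after


if __name__ == "__main__":
    record, before, after = flatten("example.com")
    print(f"{before} lookups before, {after} after:\n{record}")
```

A flattened record is a snapshot: the vendor's ranges change without notice, so re-run the flattening on a schedule, diff the output against the live include, and only then publish, which is the automated re-check the article recommends. The seen guard matters in practice because a mistyped include that points back at your own domain would otherwise recurse indefinitely; a real checker reports that as an error rather than silently stopping.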

Beyond SPF, publishing a DKIM key for every sending platform lets receivers verify that messages carry a valid cryptographic signature. Develop a DMARC policy aligned with the visible From domain, starting with p=none for monitoring before advancing to quarantine or reject. DMARC aggregate reports help refine SPF configurations and highlight compliance issues. In the UK, overall DMARC adoption across analysed domains stands at 86.4%, but only 44.1% enforce a reject policy, meaning a substantial portion lack full spoofing protection. Government domains show 76.4% adoption, and UK higher education institutions enforce DMARC at 46%. SPF correctness is high at 93.7%, but DKIM adoption remains low at 22.7%.
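The alignment rule is what closes the From-header gap described earlier, where SPF passes on the sender's own envelope domain while the visible From is forged. The following Python code is an added example (not the article's and not from any vendor) of the receiver-side decision: it parses a DMARC record, applies relaxed or strict alignment of the SPF and DKIM identifiers to the From domain, and returns the requested disposition, using sp= for subdomains. The domains (example.co.uk, saas.example, third-party.example), the DMARC record and the tiny public-suffix set are constructed stand-ins; a real receiver loads the full Public Suffix List.

```python
"""DMARC alignment check (added example, not the article's or any vendor's code).
Decides whether a message's SPF or DKIM identifier aligns with the visible From
domain and which disposition the published policy requests. All data is constructed."""

# Constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "example", "co.uk", "org.uk", "ac.uk", "uk"}


def organizational_domain(domain):
    """Reduce to the registrable domain: mail.example.co.uk -> example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # longest matching public suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; aspf=r' into a tag dict with RFC 7489 defaults."""
    tags = {"aspf": "r", "adkim": "r", "p": "none"}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def identifier_aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') compares organisational domains; strict ('s') needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   record_txt, policy_domain):
    """Return (dmarc_result, requested_disposition).

    spf_domain is the envelope MAIL FROM domain SPF was checked against,
    dkim_domain the d= of a verified signature (None if none verified), and
    policy_domain where the DMARC record was found, which decides whether sp= applies.
    """
    tags = parse_dmarc(record_txt)
    spf_ok = spf_result == "pass" and identifier_aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and identifier_aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    is_subdomain = from_domain.lower() != policy_domain.lower()
    return "fail", tags.get("sp", tags["p"]) if is_subdomain else tags["p"]


# Constructed policy and message scenarios: (From, SPF result, SPF domain, DKIM result, DKIM d=).
POLICY = "v=DMARC1; p=reject; sp=quarantine; aspf=r; adkim=s; rua=mailto:dmarc-reports@example.co.uk"
SCENARIOS = {
    # Legitimate mail: bounce subdomain in the envelope, relaxed SPF alignment passes.
    "legitimate": ("example.co.uk", "pass", "bounce.example.co.uk", "pass", "mail.example.co.uk"),
    # SPF passes for the sender's own envelope domain, but nothing aligns with the forged From.
    "spoofed_from": ("example.co.uk", "pass", "mailer.third-party.example", "none", None),
    # Vendor signs with its own d= and uses its own envelope: authenticated, but unaligned.
    "unaligned_vendor": ("example.co.uk", "pass", "bounce.saas.example", "pass", "saas.example"),
    # Subdomain From with no aligned identifier receives the sp= disposition.
    "subdomain_fail": ("news.example.co.uk", "fail", "news.example.co.uk", "none", None),
}


def run(name, record_txt=POLICY, policy_domain="example.co.uk"):
    return dmarc_evaluate(*SCENARIOS[name], record_txt, policy_domain)


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:18} -> {run(name)}")
```

The "legitimate" case shows why relaxed SPF alignment (aspf=r) is the usual starting point: bounce handling on a subdomain would fail under aspf=s. The "unaligned_vendor" case is the one that surprises teams rolling out p=reject: the vendor's mail authenticates perfectly, but for the vendor's domain, so it is rejected until the vendor signs with a key under your domain or uses a return path you control.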

Major providers such as Google and Yahoo now mandate DMARC, SPF and DKIM for bulk senders; Microsoft enforces similar requirements. Non-compliant emails face rejection or quarantine. PCI DSS v4.0 also mandates DMARC for organisations handling payment card data. For enhanced protection, consider MTA-STS to mandate TLS encryption and TLS-RPT to report on unsuccessful TLS sessions. BIMI (Brand Indicators for Message Identification) allows verified logos in inboxes when DMARC is enforced, boosting user trust. However, MTA-STS adoption in the UK is only 20.6% overall, with 16.1% in enforce mode, and BIMI adoption is a niche 0.4%.

Human error remains a significant factor in successful phishing attacks. Platforms such as KnowBe4 offer comprehensive training and simulated phishing exercises. When coordinating with sending systems like EasySender, ensure each platform’s sending hosts are accounted for in SPF records. Email verification services — including ZeroBounce, Kickbox, NeverBounce, Emailvalidation.io and Bouncer — help maintain clean lists and protect sender reputation.

Strategies for a reliable rollout: introduce changes on non-production subdomains first and verify them with an SPF raw checker. Begin with the lenient ~all while observing authentication outcomes, then move to -all once you have confirmed that no legitimate mail is being blocked. Automate monitoring using Reputation Monitoring, Email Health and Bettertracker, linked with Delivery Center dashboards. Schedule regular SPF tests following any vendor updates. Maintain detailed records of SMTP relays, SaaS solutions and IP ranges, ensuring alignment with overall email authentication strategies. For organisations serving clients, MSP, Reseller or Wholesale Program options from tool vendors can standardise implementations.

Thaddeus Norwell

Business & Technology Writer
Thaddeus Norwell is a business and technology writer based in London, UK. He reports on business trends, digital innovation, and regulatory developments shaping the UK economy, focusing on practical outcomes rather than speculation. His work explores how technology and policy affect companies, markets, and consumers.
· Market and regulatory analysis, fintech sector reporting, enterprise technology coverage
· UK corporate landscape, tax and fiscal policy, interest rates and mortgages, AI regulation, cybersecurity threats, startup ecosystem
