
RFC 7208 — Sender Policy Framework (SPF)

Proposed Standard · Email Authentication

ELI5: SPF is a list, published in your DNS, of who is allowed to send email as your domain. The receiving server looks up the list for the envelope sender's domain and checks whether the server that connected to it is on that list. Because the list lives in a TXT record, the sending domain has to be one that can hold records, which a CNAME'd apex cannot.

Why This RFC Exists

RFC 7208 is the current SPF specification (it superseded the experimental RFC 4408). SPF lets receivers detect forged envelope senders.

How it works

A domain publishes a TXT record such as v=spf1 include:_spf.example.net ~all. Receivers look up that record for the message's envelope-from (MAIL FROM) domain and check whether the connecting client's IP address is authorized by it.

Why the sending domain matters

SPF authorizes the envelope-from domain, so that domain must publish a TXT record. A CNAME'd apex can't, because a name that has a CNAME record cannot hold any other record type. So you publish SPF on a sending subdomain and send with the envelope-from on that subdomain.
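
The check described under "How it works" and the no-record case from "Why the sending domain matters", as an added Python example (not code from RFC 7208 or from this page). It evaluates only the all, ip4, ip6 and include mechanisms; the ZONE table, the domain names and the addresses are constructed sample data standing in for DNS.

```python
import ipaddress

# Constructed TXT data standing in for DNS; every name and address is a sample value.
ZONE = {
    "bounce.example.com": ["v=spf1 include:_spf.example.net ~all"],
    "_spf.example.net": ["v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"],
    "example.com": ["site-verification=constructed"],  # TXT present, no SPF
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation


def check_host(ip, domain, budget=None):
    """Return the SPF result for client address `ip` and envelope-from `domain`."""
    budget = [MAX_LOOKUPS] if budget is None else budget
    txt = ZONE.get(domain.lower(), [])
    spf = [t for t in txt if t.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return "none"        # the domain publishes no SPF policy
    if len(spf) > 1:
        return "permerror"   # more than one SPF record is an error
    addr = ipaddress.ip_address(ip)
    for term in spf[0].split()[1:]:
        if "=" in term:
            continue         # modifiers (redirect=, exp=) are not handled here
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"
            inner = check_host(ip, arg, budget)
            if inner in ("none", "permerror"):
                return "permerror"   # a broken include breaks the whole policy
            matched = inner == "pass"
        else:
            raise NotImplementedError("mechanism outside this example: " + name)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"         # nothing matched and there was no "all"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "2001:db8::25"):
        print(ip, check_host(ip, "bounce.example.com"))
    print("apex:", check_host("192.0.2.10", "example.com"))
```

The -all inside the included record does not fail the message by itself: include only reports whether the inner policy passed, so an unlisted address falls through to the outer ~all.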

Practical guide

For the hands-on setup, see Why you should use a subdomain for sending email.

Related RFCs