For some time now I’ve considered Sender Policy Framework (SPF) records an essential part of domain name ownership. As it turns out there’s still some debate in tech forums as to whether SPF records are required or not.
SPF records are used to prevent spammers from spoofing your domain name. Recipient servers can use the SPF record you publish in DNS to determine whether an email they have received came from an authorized server. They can then decide how to treat that email. You can read a more detailed rundown of SPF records here.
Over recent years SPF has gone from a “nice to have” to a “must have”. Even if SPF records aren’t perfect, they are quite effective and are part of being a good email citizen on the internet. But some email admins don’t see it that way, despite the fact that without an SPF record:
- Spammers can spoof your domain name to spam other networks, harming your brand’s reputation.
- Attackers can spoof your domain name for phishing and whaling attacks, potentially leading to ransomware, malware, and financial loss or fraud.
- Other email servers on the internet may reject your email because they can’t determine its legitimacy.
Any of those should be enough to spur you into action and implement an SPF record, and all three together are quite alarming. Even though I am personally a bit slack in creating an SPF record for every single one of my domain names, I do try to ensure that all my email domains have SPF records (so that my mail doesn’t get rejected), and any other important website domains also have SPF records even when I don’t use those domains for email (the SPF record still prevents spoofing).
It’s 2017. If you aren’t using SPF records by now, are you even doing your job as an email admin properly?
Update March 2018 – Changes rolling out to Office 365 ATP pretty much end this debate. Without good SPF/DKIM/DMARC for your domain, expect to get junked a lot.