Limitations of SPF: What SPF Can't Do
Now that we've answered "what is an SPF record?", we should discuss what Sender Policy Framework records cannot do. SPF on its own provides only a baseline of protection for mail sent under your domain.
Some of the limitations to consider include:
- SPF does not encrypt messages.
- SPF adds nothing to the privacy of message contents; it only states which hosts may send mail for your domain.
- Forwarding an email breaks SPF: the forwarding server's IP address is not listed in the original domain's record, so an unmodified forward fails the check unless the forwarder rewrites the envelope sender (Sender Rewriting Scheme).
- SPF generates no reports. You only learn where your mail is failing the check through DMARC aggregate reports.
- SPF alone does not provide enough protection: it checks the envelope sender (the SMTP MAIL FROM address) and the HELO name, not the From: header the recipient sees, so a message with a forged From: header can still pass SPF.
What Do You Need to Know About SPF?
A correct SPF record lets receiving servers confirm that a message using your domain as envelope sender came from a host you authorized, which makes it harder to pass off spoofed, spam or scam messages as yours. Every company faces challenges when establishing trust; when receivers can verify your mail, they treat it with less suspicion, and your recipients are better protected from mail that impersonates you.
Here are some important things to note about SPF records:
- An SPF record is a DNS TXT record on your domain that lists, through mechanisms such as ip4, ip6, a, mx and include, the hosts allowed to send mail for it, and ends with an all mechanism whose qualifier (-all, ~all or ?all) tells receiving mail servers what to do with every other sender.
- A correct record improves deliverability: receivers can verify your legitimate mail instead of treating it as suspicious.
- An SPF record does not encrypt your messages.
- The record itself lives in DNS; the result of the check appears in the full headers of a received message, in the Received-SPF or Authentication-Results header.
- The include mechanism pulls in another domain's SPF record, typically your email service provider's. Every include, a, mx, exists and redirect term counts toward the limit of ten DNS lookups per check; a record that exceeds it evaluates to permerror and no longer protects you.
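As an added example (not code from the original page), here is a minimal SPF evaluator in Go that shows how a receiving server applies a record: it walks the mechanisms left to right, follows include: into a second record, counts DNS lookups against the limit of ten, and maps the qualifier of the first matching mechanism to a result. The records and addresses live in a constructed in-memory map standing in for DNS; example.com, _spf.mailvendor.example and loop.example are made-up names, and the a, mx, exists and redirect terms are left out.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed stand-in for DNS TXT lookups; these names and addresses are
// made up for the example. loop.example exists only to trip the lookup limit.
var fakeDNS = map[string]string{
	"example.com":             "v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example -all",
	"_spf.mailvendor.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
	"loop.example":            "v=spf1 include:loop.example -all",
}

const maxLookups = 10 // RFC 7208 section 4.6.4

var qualifierResult = map[string]string{"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

// CheckSPF evaluates the domain's record for the connecting IP and returns
// pass, fail, softfail, neutral, none or permerror.
func CheckSPF(domain, ip string) string {
	addr := net.ParseIP(ip)
	if addr == nil {
		return "permerror"
	}
	lookups := 0
	return eval(domain, addr, &lookups)
}

// eval walks the mechanisms left to right; the first match decides the result.
func eval(domain string, addr net.IP, lookups *int) string {
	rec, ok := fakeDNS[domain]
	if !ok || !strings.HasPrefix(rec, "v=spf1") {
		return "none"
	}
	for _, term := range strings.Fields(rec)[1:] {
		qual := "+" // the default qualifier
		if strings.ContainsAny(term[:1], "+-~?") {
			qual, term = term[:1], term[1:]
		}
		name, arg, _ := strings.Cut(term, ":")
		matched := false
		switch strings.ToLower(name) {
		case "ip4", "ip6":
			matched = ipMatch(addr, arg)
		case "all":
			matched = true
		case "include":
			*lookups++ // include, a, mx, exists and redirect all count
			if *lookups > maxLookups {
				return "permerror"
			}
			switch eval(arg, addr, lookups) {
			case "pass":
				matched = true
			case "none", "permerror":
				return "permerror" // including a missing or broken record is an error
			}
		default:
			return "permerror" // a, mx, exists and redirect are omitted here
		}
		if matched {
			return qualifierResult[qual]
		}
	}
	return "neutral" // nothing matched and no all mechanism (section 4.7)
}

// ipMatch accepts a single address or a CIDR prefix.
func ipMatch(addr net.IP, spec string) bool {
	if !strings.Contains(spec, "/") {
		return addr.Equal(net.ParseIP(spec))
	}
	_, network, err := net.ParseCIDR(spec)
	return err == nil && network.Contains(addr)
}

func main() {
	fmt.Println(CheckSPF("example.com", "192.0.2.25"))    // pass: listed ip4 prefix
	fmt.Println(CheckSPF("example.com", "198.51.100.10")) // pass: via include
	fmt.Println(CheckSPF("example.com", "203.0.113.7"))   // fail: e.g. a forwarding host's IP
	fmt.Println(CheckSPF("loop.example", "192.0.2.1"))    // permerror: too many DNS lookups
}
```

The third case is the forwarding failure from the list above: the forwarding host's address matches nothing, so evaluation reaches -all and the message fails even though the original sender was legitimate. The fourth case shows why include chains must be kept short: a record that recurses past ten lookups is a permanent error.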
SPF vs. DMARC vs. DKIM
The Internet Engineering Task Force published the current SPF specification as RFC 7208 in April 2014; it replaced the experimental RFC 4408 from 2006, which had already fixed v=spf1 as the version tag that must begin every SPF record. The goal was a common way for domain owners to declare which hosts may send mail on their behalf, so that receivers can reject phishers and spammers whose mail supposedly comes from a known, trusted organization. However, forwarding a message invalidates the SPF check, and SPF says nothing about the From: header the recipient actually sees. Two additional mechanisms fill those gaps: DKIM and DMARC.
What Is DKIM?
DKIM is an acronym for DomainKeys Identified Mail, specified in RFC 6376. Like SPF, DKIM uses a TXT record in the DNS, but the record holds a public key rather than a list of senders: the sending server signs each message with the matching private key, and the receiver checks the signature against the published key. Because the signature travels with the message and covers its content rather than the connecting IP address, it remains valid when the message is forwarded, as long as the signed headers and body are not modified on the way. The current standard merged two earlier designs, Yahoo!'s DomainKeys and Cisco's Identified Internet Mail. Think of DKIM as the wax seal once applied to official documents: the seal was recognizable, and a message that arrived with a missing or broken seal was not considered trustworthy.
Every signing domain has a DKIM key pair: a private key kept on the sending server and a public key published in DNS. When a message is sent, the signing server computes a hash of the body and of selected headers (typically From, To, Subject and Date), signs that hash with the private key, and adds a DKIM-Signature header carrying the signature together with the domain (d=) and selector (s=) that identify the key. The receiving server reads d= and s= from that header, looks up the TXT record at selector._domainkey.domain, decodes the public key from its p= tag, recomputes the hashes over the message as received and checks the signature. If everything matches, the receiver knows the signed headers and body are exactly what the signer sent. If not, the message does not automatically bounce: whether it is delivered, sent to the spam folder, quarantined or rejected depends on the receiver's policy and on the sender's DMARC record.
The correct format for a DKIM key record looks like this, where the selector and domain correspond to the s= and d= tags in the message's DKIM-Signature header:
<selector>._domainkey.<domain>. TXT "v=DKIM1; p=<public key>"
Here is a sample DKIM key record in that format (the key value is illustrative, not a usable key):
dk5182-3458._domainkey.mydomainexample.com. IN TXT "v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1TaNgLlSyQMNWVLNLvyY/neDgaL2oqQE8T5illKqCgDtFHc8eHVAU+nlcaGmrKmDMw9dbgiGk1ocgZ56NR4ycfUHwQhvQPMUZw0cveel/8EAGoi/UyPmqfcPibytH81NFtTMAxUeM4Op8A6iHkvAMj5qLf4YRNsTkKAV;"
What Does Each Part of a DKIM Record Do?
In this example, dk5182-3458 is the selector, the value the signer places in the s= tag of its DKIM-Signature header, and mydomainexample.com is the signing domain, the d= tag. The version tag must always appear as "v=DKIM1" at the start of every DKIM key record. The p= tag holds the base64-encoded public key; an empty p= value means the key has been revoked. An optional k= tag names the key type, with rsa as the default.
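To make the signing and verification steps above concrete, here is an added example written for this page (not code from the original article or from any DKIM library) that implements both sides with Go's standard library. It generates a 2048-bit RSA key, publishes the public half in a constructed in-memory stand-in for DNS under s1._domainkey.example.com, signs constructed headers and body on the sender side with relaxed header and simple body canonicalization, and on the receiver side looks the key up by the s= and d= tags, checks bh= and then the b= signature. It then verifies a forwarded copy (a Received header prepended, body unchanged) and a tampered copy. The domain, selector, message, the Demo function and the choice to take the first instance of each header named in h= are all assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

var wsRe = regexp.MustCompile(`[ \t]+`)
var bRe = regexp.MustCompile(`(;\s*b=)[^;]*`) // blanks the b= value before hashing
// relaxedHeader: RFC 6376 3.4.2 (lower-case name, unfolded, whitespace runs collapsed).
func relaxedHeader(h string) string {
	name, val, _ := strings.Cut(h, ":")
	val = strings.TrimSpace(wsRe.ReplaceAllString(strings.ReplaceAll(val, "\r\n", ""), " "))
	return strings.ToLower(strings.TrimSpace(name)) + ":" + val + "\r\n"
}
// bodyHash: "simple" body canonicalization (RFC 6376 3.4.3, trailing empty lines dropped), SHA-256, base64.
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}
// parseTags turns "k=v; k=v" into a map; whitespace inside values (folded base64) is dropped.
func parseTags(s string) map[string]string {
	m := map[string]string{}
	for _, t := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(t, "="); ok {
			m[strings.TrimSpace(k)] = wsRe.ReplaceAllString(v, "")
		}
	}
	return m
}
// headerHash covers the signed headers plus the DKIM-Signature header with b= emptied and no trailing CRLF (3.7).
func headerHash(headers []string, sigHeader string) []byte {
	var buf strings.Builder
	for _, h := range headers {
		buf.WriteString(relaxedHeader(h))
	}
	buf.WriteString(strings.TrimSuffix(relaxedHeader(bRe.ReplaceAllString(sigHeader, "${1}")), "\r\n"))
	sum := sha256.Sum256([]byte(buf.String()))
	return sum[:]
}
// Sign is the sender side: build the DKIM-Signature header for headers (in order) and body.
func Sign(key *rsa.PrivateKey, domain, selector string, headers []string, body string) (string, error) {
	var names []string
	for _, h := range headers {
		n, _, _ := strings.Cut(h, ":")
		names = append(names, strings.TrimSpace(n))
	}
	sig := fmt.Sprintf("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(names, ":"), bodyHash(body))
	b, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, headerHash(headers, sig))
	return sig + base64.StdEncoding.EncodeToString(b), err
}
// Verify is the receiver side: fetch the key at <s>._domainkey.<d>, check bh=, then check b=.
func Verify(dns map[string]string, sigHeader string, headers []string, body string) error {
	_, val, _ := strings.Cut(sigHeader, ":")
	tags := parseTags(val)
	rec, ok := dns[tags["s"]+"._domainkey."+tags["d"]]
	if !ok { return fmt.Errorf("no key record for s=%s d=%s", tags["s"], tags["d"]) }
	der, err := base64.StdEncoding.DecodeString(parseTags(rec)["p"])
	if err != nil { return err }
	pub, err := x509.ParsePKIXPublicKey(der)
	if err != nil { return err }
	if bodyHash(body) != tags["bh"] { return fmt.Errorf("body hash mismatch: body modified in transit") }
	var signed []string // the headers named in h=, in that order (first instance of each)
	for _, n := range strings.Split(strings.ToLower(tags["h"]), ":") {
		for _, h := range headers {
			if strings.HasPrefix(strings.ToLower(h), n+":") { signed = append(signed, h); break }
		}
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil { return err }
	return rsa.VerifyPKCS1v15(pub.(*rsa.PublicKey), crypto.SHA256, headerHash(signed, sigHeader), sig)
}
// Demo signs a constructed message and verifies the original, a forwarded copy (Received header
// prepended, body untouched) and a tampered copy. A nil error means the copy verified.
func Demo() (orig, forwarded, tampered error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return err, err, err }
	der, _ := x509.MarshalPKIXPublicKey(&key.PublicKey) // what the domain owner publishes in DNS
	dns := map[string]string{"s1._domainkey.example.com": "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)}
	hdrs := []string{"From: Alice <alice@example.com>", "To: bob@example.net", "Subject: Quarterly report"}
	body := "Hello Bob,\r\n\r\nFigures attached.\r\n\r\n"
	sig, err := Sign(key, "example.com", "s1", hdrs, body)
	if err != nil { return err, err, err }
	orig = Verify(dns, sig, hdrs, body)
	forwarded = Verify(dns, sig, append([]string{"Received: from mx.forwarder.example"}, hdrs...), body)
	tampered = Verify(dns, sig, hdrs, strings.Replace(body, "attached", "attached; wire the deposit today", 1))
	return orig, forwarded, tampered
}

func main() { fmt.Println(Demo()) }
```

The forwarded copy verifies because the added Received header is not among the headers named in h=, while the tampered copy fails at the body hash before any signature check. The p= value the example publishes is the base64 of the key's SubjectPublicKeyInfo DER, which is exactly what the record format in the text carries.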
What Is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting & Conformance (RFC 7489). It lets you, as the domain owner, tell receivers what to do with messages that carry your domain in the From: header but fail authentication, so that spoofed messages can be quarantined or rejected before they reach the inbox. Spoofers pretend to represent you in order to glean information they can use for identity theft or other fraud.
When you publish a DMARC policy, you can slam the door shut on these attempted impersonations. DMARC is an open standard that costs nothing to adopt: you publish a TXT record at _dmarc.yourdomain. It only takes effect at receivers that evaluate DMARC, which the major mailbox providers do. DMARC is a third layer on top of SPF and DKIM; it authenticates nothing by itself but ties their results to the From: domain the recipient sees.
A DMARC record tells receivers to take no action (p=none), quarantine (p=quarantine) or reject (p=reject) messages that fail, with sp= setting a separate policy for subdomains. A message passes DMARC only if SPF or DKIM passes and the domain that passed aligns with the From: header domain; the adkim and aspf tags choose strict alignment (exact match) or relaxed alignment (same organizational domain). This alignment requirement is what closes the gap left by SPF alone, which an attacker can pass using their own domain. The record also names addresses for aggregate (rua=) and forensic (ruf=) reports, which is how you discover which hosts send as your domain and where forwarding is breaking SPF.
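As an added example (not code from the original page), here is the receiver-side DMARC evaluation in Go: parse the policy record with its defaults, find the record for the From: domain or fall back to the organizational domain, test the SPF and DKIM results for alignment in strict or relaxed mode, and return the disposition. The record, the domains and the AuthResults inputs are constructed for the example; orgDomain uses a last-two-labels shortcut in place of the Public Suffix List, which is an assumption of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy holds the tags a receiver acts on from a _dmarc.<domain> TXT record.
type Policy struct{ P, SP, ADKIM, ASPF string }
func orDefault(v, def string) string {
	if v == "" {
		return def
	}
	return v
}
// ParsePolicy parses "v=DMARC1; p=...; ..." applying the RFC 7489 defaults:
// sp= inherits p=, and both alignment modes default to relaxed ("r").
func ParsePolicy(rec string) (Policy, error) {
	tags := map[string]string{}
	for _, t := range strings.Split(rec, ";") {
		if k, v, ok := strings.Cut(t, "="); ok {
			tags[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	if tags["v"] != "DMARC1" || tags["p"] == "" {
		return Policy{}, fmt.Errorf("not a valid DMARC record: %q", rec)
	}
	return Policy{P: tags["p"], SP: orDefault(tags["sp"], tags["p"]),
		ADKIM: orDefault(tags["adkim"], "r"), ASPF: orDefault(tags["aspf"], "r")}, nil
}
// orgDomain approximates the organizational domain as the last two labels. A real
// receiver consults the Public Suffix List (example.co.uk); the shortcut is an assumption here.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}
// aligned: strict ("s") needs an exact match with the From: domain, relaxed ("r")
// only the same organizational domain.
func aligned(fromDomain, authDomain, mode string) bool {
	if authDomain == "" {
		return false
	}
	if mode == "s" {
		return strings.EqualFold(fromDomain, authDomain)
	}
	return orgDomain(fromDomain) == orgDomain(authDomain)
}
// AuthResults are DMARC's inputs: the RFC5322.From domain, the SPF result with the
// domain SPF was checked against (MAIL FROM), and the DKIM result with the d= domain.
type AuthResults struct {
	FromDomain             string
	SPFResult, SPFDomain   string
	DKIMResult, DKIMDomain string
}
// Evaluate finds the policy for the From: domain (falling back to the organizational
// domain, where sp= governs) and returns the DMARC result and the disposition to apply.
func Evaluate(dns map[string]string, r AuthResults) (result, disposition string) {
	rec, ok := dns["_dmarc."+strings.ToLower(r.FromDomain)]
	isSub := !ok
	if !ok {
		rec, ok = dns["_dmarc."+orgDomain(r.FromDomain)]
	}
	pol, err := ParsePolicy(rec)
	if !ok || err != nil {
		return "none", "none" // no usable policy published; the receiver applies its own rules
	}
	spfOK := r.SPFResult == "pass" && aligned(r.FromDomain, r.SPFDomain, pol.ASPF)
	dkimOK := r.DKIMResult == "pass" && aligned(r.FromDomain, r.DKIMDomain, pol.ADKIM)
	if spfOK || dkimOK {
		return "pass", "none"
	}
	if isSub {
		return "fail", pol.SP
	}
	return "fail", pol.P
}
// Constructed stand-in for DNS; the domains are made up for this example.
var fakeDNS = map[string]string{
	"_dmarc.example.com": "v=DMARC1; p=quarantine; sp=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
}
func main() {
	cases := []struct {
		name string
		r    AuthResults
	}{
		{"legitimate", AuthResults{"example.com", "pass", "bounce.example.com", "pass", "example.com"}},
		{"forwarded, SPF broken", AuthResults{"example.com", "fail", "example.com", "pass", "example.com"}},
		{"spoof with attacker's own SPF and DKIM", AuthResults{"example.com", "pass", "attacker.example", "pass", "attacker.example"}},
		{"DKIM d= not strictly aligned", AuthResults{"example.com", "none", "", "pass", "mail.example.com"}},
		{"subdomain spoof", AuthResults{"news.example.com", "fail", "attacker.example", "none", ""}},
	}
	for _, c := range cases {
		res, disp := Evaluate(fakeDNS, c.r)
		fmt.Printf("%-40s dmarc=%-4s disposition=%s\n", c.name, res, disp)
	}
}
```

The five cases map directly to the points in the text: the forwarded message passes on DKIM even though SPF broke; the spoof passes both SPF and DKIM for the attacker's own domain yet fails DMARC because neither aligns with the From: domain; the strict adkim=s setting rejects a signature from mail.example.com that relaxed mode would have accepted; and the subdomain without its own record inherits the stricter sp=reject.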