How does SPF work?

Once DMARC is in place, the SPF check involves two processes: authentication and alignment. Both must pass for the overall SPF check to pass. Here's a brief explanation of how they work:
  1. SPF Authentication Check:

    • The receiving server retrieves the SPF record for the "Return-Path" domain.
    • It compares the sending IP address to the authorized IPs in the SPF record.
    • If the sending IP is authorized, the email passes SPF authentication; if not, it fails.
  2. SPF Alignment Check:

    • This process compares the "From" header domain to the SPF-authenticated domain.
    • The comparison follows the DMARC policy's alignment mode: strict (exact domain match) or relaxed (same organizational domain, so a subdomain also aligns).

Together, these checks verify email authenticity and prevent spoofing: SPF authentication occurs first, followed by SPF alignment as part of the DMARC evaluation.

Suppose example.com wants to allow two sending sources to send email on its behalf. It might publish an SPF record like this:

v=spf1 ip4:192.0.2.0/24 include:thirdparty.com -all

This record authorizes:

  • Any IP in the 192.0.2.0/24 range
  • All IPs authorized by thirdparty.com's SPF record (using the "include" mechanism)

When an email purporting to be from user@example.com arrives, the receiving server looks up the SPF record for the Return-Path domain (here, example.com) and checks whether the sending IP address matches one of the addresses that record permits. If it does, the email passes SPF authentication.

For SPF alignment, the server compares the "From" header domain with the SPF-authenticated domain.

If the email is from user@example.com and the SPF-authenticated domain is also example.com, the two domains match and the email passes SPF alignment as well.
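Both checks, applied to the record above, as an added Python example that is not part of the original page: DNS TXT lookups are replaced by a constructed in-memory table (including an assumed bounce.example.com record to show strict versus relaxed alignment), and the organizational-domain rule is a simplified heuristic rather than a Public Suffix List lookup.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; these are not real records.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:thirdparty.com -all",
    "bounce.example.com": "v=spf1 ip4:192.0.2.0/24 -all",  # assumed, for the alignment demo
    "thirdparty.com": "v=spf1 ip4:198.51.100.10 -all",
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_authenticate(domain, sending_ip, records=SPF_RECORDS, depth=0):
    """SPF authentication: check sending_ip against the Return-Path domain's
    record. Handles the ip4/ip6, include and 'all' mechanisms only."""
    record = records.get(domain)
    if record is None or depth > 10:  # no record, or include chain too deep
        return "none"
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":  # matches only if the included domain yields 'pass'
            matched = spf_authenticate(value, sending_ip, records, depth + 1) == "pass"
        else:
            matched = name == "all"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' terminator present

def org_domain(domain):
    # Simplified organizational-domain heuristic (last two labels); a real
    # implementation consults the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def spf_aligned(from_domain, return_path_domain, mode="relaxed"):
    """SPF alignment: compare the From header domain with the authenticated
    Return-Path domain under DMARC strict or relaxed rules."""
    if mode == "strict":
        return from_domain.lower() == return_path_domain.lower()
    return org_domain(from_domain) == org_domain(return_path_domain)

def evaluate(from_domain, return_path_domain, sending_ip, mode="relaxed"):
    """Returns (authentication result, alignment passed). Alignment is only
    meaningful when authentication produced a 'pass'."""
    auth = spf_authenticate(return_path_domain, sending_ip)
    return auth, auth == "pass" and spf_aligned(from_domain, return_path_domain, mode)
```

A sender inside 192.0.2.0/24 or at thirdparty.com's listed address authenticates; any other source fails at -all, and a subdomain in the Return-Path aligns only in relaxed mode.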