SPF (Sender Policy Framework) authentication is an email validation protocol that verifies whether a server is authorized to send emails on behalf of a specific domain. It does this by checking the sender's IP address against the domain's SPF record in DNS. For SPF to pass under DMARC, alignment is also crucial: the domain in the "Envelope From" must match or align with the domain in the "From" header. Unless both authentication and alignment pass, an email fails the SPF check under DMARC.
Compatibility in SPF authentication refers to how well different email systems and configurations support SPF checks and alignment. It ensures that the SPF mechanism functions consistently across various Email Service Providers (ESPs) and receiving servers.
The degree to which different Email Service Providers (ESPs) support SPF and implement SPF alignment varies.
SPF Alignment
SPF alignment occurs when the domain in the "Envelope From" (MAIL FROM) matches or aligns with the domain in the "From" header of the email. This is crucial for DMARC compliance, as it verifies the legitimacy of the sender's domain.
- Strict Alignment: The domain in the "Envelope From" must exactly match the "From" domain.
- Relaxed Alignment: The domains must share the same organizational domain (e.g., subdomain matches the parent domain).
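The two alignment modes above, written out as an added example (not code from the original page or from any ESP). The tiny PUBLIC_SUFFIXES set is a constructed stand-in for the full Public Suffix List, and all addresses are constructed samples on reserved example domains.

```python
from email.utils import parseaddr

# Assumption: minimal stand-in for the Public Suffix List. A real evaluator
# must load the full list; this set only covers the sample domains below.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

def domain_of(address):
    """Lower-cased domain of an envelope address or a From header value."""
    addr = parseaddr(address)[1]
    if "@" not in addr:
        return ""  # empty MAIL FROM (bounces) or unparsable value
    return addr.rpartition("@")[2].lower().rstrip(".")

def organizational_domain(domain):
    """Longest matching public suffix plus one label to its left."""
    labels = domain.split(".")
    for i in range(len(labels)):  # longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain  # unknown suffix: treat the whole name as the org domain

def spf_aligned(envelope_from, header_from, mode="relaxed"):
    """Compare the Envelope From domain with the From header domain."""
    env, hdr = domain_of(envelope_from), domain_of(header_from)
    if not env or not hdr:
        return False
    if mode == "strict":
        return env == hdr  # exact match required
    return organizational_domain(env) == organizational_domain(hdr)

def dmarc_spf_pass(spf_result, envelope_from, header_from, mode="relaxed"):
    """SPF counts toward DMARC only if it passes AND the domains align."""
    return spf_result == "pass" and spf_aligned(envelope_from, header_from, mode)

# Constructed samples: (Envelope From, From header)
SAMPLES = [
    ("bounce@example.com", "News <news@example.com>"),      # same domain
    ("bounce@em.example.com", "News <news@example.com>"),   # sender's subdomain
    ("bounce@esp.example.net", "News <news@example.com>"),  # ESP's own domain
]

if __name__ == "__main__":
    for env, hdr in SAMPLES:
        for mode in ("strict", "relaxed"):
            print(env, "|", hdr, "|", mode, "->",
                  dmarc_spf_pass("pass", env, hdr, mode))
```

The third sample shows why a source that keeps its own domain in the Envelope From cannot contribute an aligned SPF pass, even when the SPF check itself returns "pass".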
SPF Capability
- Non-Capable: Such sources cannot achieve SPF alignment and do not contribute to authentication. There is no need to keep this kind of source in your SPF record, since it causes unnecessary DNS lookups.
- Sub-Domain Capability: Some sources may only be capable of alignment on sub-domains. In such cases, you can configure SPF records separately for sub-domains. There is no need to have this kind of source in your root domain's SPF record; it should be configured at the subdomain level.
- Capable: Sources marked as "capable" (in EasySPF) are typically capable of alignment and can be retained in your SPF record.
Now let’s review the capability of some popular ESPs.
Microsoft 365 (Exchange Online)
SPF Alignment: Supported / capable
Notes: Add include:spf.protection.outlook.com to your SPF record for SPF compliance.
HubSpot
SPF Alignment: Not supported / non-capable
Notes: Use DKIM for HubSpot to maintain DMARC compliance.
Mailchimp
SPF Alignment: Not supported / non-capable
Notes: Use DKIM for Mailchimp domain authentication to maintain deliverability.
Amazon SES
SPF Alignment: Subdomain capable
Notes: SES requires region-specific DNS entries for proper operation (e.g., amazonses.com for the specific region).
SendGrid
SPF Alignment: Subdomain capable
Notes: The SPF record for SendGrid is typically published as CNAME entries on a designated subdomain provided by SendGrid.
Understanding the SPF alignment capabilities and limitations of your ESP is essential for achieving DMARC compliance and improving email deliverability. Whether you're leveraging the flexibility of Amazon SES or the simplicity of Gmail, configuring SPF correctly ensures secure and effective email communication.