# Sender Policy Framework (SPF)

When an SPF DNS record is specified, the recipient server checks the `Return-Path` domain's SPF record. If the sender's IP address is found in the SPF record, the e-mail will go through.

The important thing to note is that SPF works with the `Return-Path` header and not the `From` header, which, unlike `Return-Path`, is visible to the end user as the source address. This means that a server with a valid SPF record can send e-mails with a completely different `From` domain. [[Domain-Based Message Authentication, Reporting and Conformance (DMARC)|DMARC]] fixes this.

SPF is configured using a TXT DNS record. Example: `v=spf1 ip4:192.0.2.0 ip4:192.0.2.1 include:examplesender.email a:spf.examplesender.email ~all`.

- `ip4` is the IP address of a sending server
- `include` looks up and includes the IP addresses listed in the given domain's SPF record
- `a` includes addresses from the given domain's `A` and `AAAA` records
- `~all` indicates that e-mails from all other servers should be accepted but marked as spam (the so-called soft fail). The alternative is `-all`, which rejects all e-mails that fail the check. `~all` is recommended when [[Domain-Based Message Authentication, Reporting and Conformance (DMARC)|DMARC]] is implemented.[^1]

If you're using [DNSControl](https://stackexchange.github.io/dnscontrol/), you should use [`SPF_BUILDER`](https://stackexchange.github.io/dnscontrol/spf-optimizer) to build SPF records instead of writing them by hand, as it lets you comment each part of the record and also provides advanced functionality (see documentation). Example:

```js
SPF_BUILDER({
  parts: [
    "v=spf1",
    "include:_spf.mx.cloudflare.net",
    "~all"
  ]
})
```

## Sources

- [[All You Need to Know About SPF, DKIM and DMARC]]
- [[What Is a DNS SPF Record]]

[^1]: https://www.mailhardener.com/blog/why-mailhardener-recommends-spf-softfail-over-fail
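
The `Return-Path` versus `From` behaviour described in the SPF section, as an added example that is not part of the original note: a simplified evaluator for the `ip4`, `include`, `a` and `all` mechanisms, run against a constructed message. The domains, the in-memory `TXT` and `A` tables standing in for DNS, and the function names are assumptions made for illustration.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS (documentation address ranges, example domains).
TXT = {
    "bounce.example": "v=spf1 ip4:192.0.2.0 ip4:192.0.2.1 include:examplesender.email a:spf.examplesender.email ~all",
    "examplesender.email": "v=spf1 ip4:198.51.100.0/24 -all",
}
A = {"spf.examplesender.email": ["203.0.113.7"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for client `ip`; return the SPF result."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # crude loop guard; RFC 7208 limits DNS lookups to 10
        return "permerror"
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the nested record evaluates to pass
            matched = check_spf(ip, arg, depth + 1) == "pass"
        elif name == "a":
            matched = ip in A.get(arg or domain, [])
        elif name == "all":
            matched = True
        else:
            continue  # mx, ptr, exists and modifiers are ignored in this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def spf_for_message(raw, client_ip):
    """Return (SPF result, From-aligned?). Only the Return-Path domain is checked."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg["Return-Path"])[1].rpartition("@")[2]
    visible = parseaddr(msg["From"])[1].rpartition("@")[2]
    return check_spf(client_ip, envelope), envelope == visible

# Constructed message: authorized envelope sender, unrelated visible From domain.
SAMPLE = "Return-Path: <bounces@bounce.example>\nFrom: Billing <billing@other.example>\nSubject: hi\n\nbody\n"
```

`spf_for_message(SAMPLE, "192.0.2.1")` returns `("pass", False)`: SPF passes even though the visible `From` domain has nothing to do with the checked domain, which is the misalignment DMARC is meant to catch.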