Email Authentication: Sender Policy Framework (SPF)

As of 2020, a new email security requirement is being implemented system-wide for all outgoing mail that is sent from at @*.umn.edu email address. This requirement is part of a standard used across educational and government entities called Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol. By verifying the authenticity of our email senders, we help to combat phishing scams, increase email security, and protect the University of Minnesota's reputation.

What is it?

Sender Policy Framework (SPF) is a method used to verify the identity of an email sending server in order to prevent email spoofing. Think of it as an electronic tool that allows an email recipient to verify whether a message that claims to come from someone was actually sent by that person.

Why is it important?

SPF is a tool that email hosts (ie: Google, Microsoft, etc) use to detect email phishing attempts. Spammers and phishers will often forge an email message's "from" address, and SPF provides a way an email host can verify that the server sending an email is actually authorized to send on behalf of that address.

How does it work?

With SPF, your email account provider (ie: Google) publishes a list of computers that are authorized to send mail from that provider's internet domain. When a recipient's mail host receives a message claiming to be from your provider, it asks your mail provider for that list and checks to see if the computer that delivered the message is listed on it. If so, then the recipient's mail host knows that the message actually came from your provider (and by extension, you). If not, then it knows that the message may be fake and should be handled according to your email provider's policy (which could be to reject, quarantine, or flag the message as spam).

How do people use it?

Generally, whether you use SPF or not is up to your email provider, but if you're someone who needs to send emails to a lot of people via a Customer Relationship Management (CRM) tool like MailChimp, you might be interested in using SPF (most CRM tools support SPF, but don't turn it on by default). By using SPF, you help ensure that your email messages don't get flagged as spam by your recipients' email providers. To set it up, you will need to refer to your CRM service provider's documentation on the subject but you can also contact Technology Help with any questions you have about SPF.

Additional Information

Last modified

Changed

TDX ID

TDX ID
3126