Does SPF protect my domain from spoofing?

Information on how SPF works, what identifier it uses for authentication and how to protect your domain from being spoofed.

Written by Ivan Kovachev
Updated over a week ago

SPF does not protect the From address from being spoofed. This is the address that end users see in their mail clients, also called the header-from, friendly from or RFC5322 address.

SPF is a path-based authentication protocol that authenticates the MAIL FROM address (also called the Envelope-From, Return-Path, bounce address or RFC5321 address), which is not visible to the end user unless they look at the metadata of the message. SPF tells receiving MTAs whether the sending IP address is allowed to send on behalf of the domain found in the MAIL FROM address. This does not authenticate the From address, so anyone can create a domain and an SPF record that authenticates it, and still put whatever they want as the From address in an email.

In order to protect the From address, you will have to implement DMARC, as it requires that the domain found in the MAIL FROM align with the domain in the From address.
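The alignment check described above, as an added Python example that is not part of the original article: it compares the domain SPF authenticated (MAIL FROM) with the domain the user sees (From header). The function names, the sample message and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if absent."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. A real
    # DMARC evaluator uses the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.split(".")[-2:])


def spf_aligned(mail_from, raw_message, strict=False):
    """Check DMARC-style SPF identifier alignment.

    mail_from   -- the RFC5321 MAIL FROM (envelope sender) that SPF checked
    raw_message -- the message text, whose RFC5322 From header users see
    """
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return False  # missing or multiple From headers cannot be aligned
    env, hdr = domain_of(mail_from), domain_of(from_headers[0])
    if not env or not hdr:
        return False  # e.g. the null sender "<>" used for bounces
    if strict:
        return env == hdr  # strict mode: exact domain match
    return org_domain(env) == org_domain(hdr)  # relaxed mode


# Constructed sample message. SPF can pass for any envelope domain the
# sender controls, while the From header shows a different domain.
SPOOFED = (
    "From: Billing <billing@example.com>\r\n"
    "To: user@example.net\r\n"
    "Subject: Invoice\r\n"
    "\r\n"
    "Body\r\n"
)
```

With this sample, an envelope sender of `bounce@mailer.example.org` can pass SPF for `example.org` yet fails alignment with the visible `example.com` From address, which is the gap DMARC closes.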
