What is SPF in anti-spam, How do I set it up to allow email through and prevent from blocking?

As spam, and more importantly, phishing and other malicious emails are becoming a more and more serious issue, companies are installing email filters such as TopSec Blockmail or Barracuda.

These mail filters scan the emails on many levels and use AI, keyword triggering, blacklist lookup and many other ways to determine if an email is safe to deliver or not.

One of the most basic checks, yet not well understood, is the SPF record (Sender Policy Framework). (more information at WIKI as well)

SPF basically says “email from anyone@mycompany.com, MUST come from one of these IP addresses or email servers. If it comes from somewhere else, don’t trust it!” This stops ne’er do wells in far off countries sending emails to your partners disguised to look like they are coming from your company saying, “please pay us money” or “our bank details have changed” “please provide your security details”.

Think of it like telling all your clients, “If someone from our company calls on the phone, the caller ID number will be one of these phone numbers. If someone rings saying they are one of us, but have a different caller ID phone number or number blocked, don’t trust them.”  


The SPF record is the responsibility of each company sending email to configure correctly, so their email is accepted by other receiving mail filters. When any company sets up an email domain and website, they will pay a hosting company for the use of their email hosting (Currently Microsoft365 is the most common one, but others include Smartservers, Googleapps, etc) When your internet web and email guru sets up your DNS records (www, MX record etc) they should also set up your SPF records at that time to say “all email from email address@mycompany.com must come from this email host  or it should be treated as suspicious.”

It is possible to add a sender to a whitelist which says “accept all emails from @thiscompany.com”. This is extremely dangerous as this will bypass the virus filters, the checking against known spammers, the checking if the email is hacked or fraudulent pretending to be from that company (Spoofed). IF that company gets hacked and the hacker sends email to all their partners with malicious intent, it wont be caught by the email filter because you have whitelisted them.

So it really  is up to the sender to correctly set up their sending security records (SPF) , it is not the responsibility of the receiver to change their security to allow you in.
If emails from xyz.com are being blocked by your email filter, then they are being blocked by   countless other companies filters too, so they are having trouble left right and centre, and are open to hijack exploits.

I cant imagine a large corporation like Toyota, Microsoft BHP or the government opening their filters every time an organisation has troubles sending to them.
“Hey Westpac, please change your filter so mum&dad.com.au can send you an email”

In other words.. You dont change lock to fit the key, you get a key that fits the lock.

At Sterling IT have the expertise and experience to advise, configure, implement and support your domain and records as well as advising of and configuring an anti-spam and email security system that fits your needs. Please get in touch and we can design and enable the correct bespoke solution for your company.

by James Cullen

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.