To take advantage of SPF, you publish an SPF record in the DNS. The record is a list of all the IP addresses that are allowed to send email on behalf of the domain. The SPF mechanism uses the domain in the return-path address to identify the SPF record. When a sender tries to hand off an email to an email “receiving” server for delivery, the server checks to see if the sender is on the domain’s list of allowed senders. If so, then a link has been established between the piece of email and the email domain. If not, then the server continues processing the email as usual without this link, as any number of things could be going on. The email might be real, but the list of senders might not be accurate. Real email might have been forwarded, which means the email could have come from anywhere and the list of allowed senders doesn’t help too much. Too many possible outcomes make it difficult to attach meaning to the absence of the link that SPF can provide. DKIM fills the gap in the DMARC technical framework as an additional way to try and link a piece of email back to a domain.

Companies often misunderstand how SPF works and instruct their customers to include the company’s own SPF record. However, this ends up doing nothing if the company uses its own domain in the bounce address. When an email receiver processes a piece of email, it will look at the company’s SPF record, not the SPF record of the customer.

Two unwanted things happen because of this misconception: Unnecessary “includes” are added into their SPF records. This causes SPF records to bloat and introduces management challenges. Confusion is introduced as people just want to get SPF into place to complete their DMARC deployment. The result is that SPF passes, but DMARC fails.
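The return-path lookup and the "SPF passes, but DMARC fails" outcome can be traced with a small evaluator. This is an added example, not code from the original page. The domains, records and IP addresses are constructed, only the ip4, include and all mechanisms are handled, and the alignment test is a simplification of DMARC's organizational-domain comparison.

```python
import ipaddress

# Constructed TXT records using documentation domains and IP ranges.
SPF_RECORDS = {
    "vendor.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "customer.example": "v=spf1 ip4:198.51.100.10 include:vendor.example -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, ip, depth=0):
    """Evaluate the ip4, include and all mechanisms of one SPF record."""
    record = SPF_RECORDS.get(domain)
    if record is None or depth > 10:  # recursion guard, not the RFC lookup counter
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            matched = spf_check(mech[8:], ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            continue  # other mechanisms are outside this sketch
        if matched:
            return RESULTS[qualifier]
    return "neutral"

def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()

def evaluate(return_path, header_from, ip):
    """SPF is looked up on the return-path domain; DMARC needs it aligned with From."""
    spf_domain, from_domain = domain_of(return_path), domain_of(header_from)
    spf = spf_check(spf_domain, ip)
    # Simplified alignment: equal, or one a subdomain of the other. DKIM is not modeled.
    aligned = (spf_domain == from_domain
               or spf_domain.endswith("." + from_domain)
               or from_domain.endswith("." + spf_domain))
    return {"spf_domain": spf_domain, "spf": spf,
            "dmarc_spf": "pass" if spf == "pass" and aligned else "fail"}

VENDOR_IP = "192.0.2.25"
# Vendor's own bounce domain: the customer's include is never consulted.
print(evaluate("bounce@vendor.example", "news@customer.example", VENDOR_IP))
# Customer's domain as bounce domain: now the include decides the result.
print(evaluate("bounce@customer.example", "news@customer.example", VENDOR_IP))
```

In the first call the receiver reads only the vendor's record, so the include in the customer's record has no effect on the outcome.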