Jan/Feb 2006

Ask the Expert: What is Sender Policy Framework (SPF) and why is it important to my nonprofit organization?

by Dr. David Crooke, Founder and CTO, Convio

Sender Policy Framework (SPF) is emerging as the standard to address one part of the huge problem created by spam — namely to provide some level of assurance that senders are who they claim to be. This will not stop spam, but it provides another data point that can be used by Internet Service Providers (ISPs) to distinguish spam from legitimate email.

Why does SPF matter to organizations doing email marketing?

Major consumer ISPs such as AOL, Hotmail, Yahoo! and Google Gmail have started to perform SPF checks on inbound mail. A positive confirmation via SPF that an email is legitimate and authorized is important for maximizing the likelihood that an organization’s fundraising and other email messages will be delivered.

How does SPF work?

The owner of an Internet domain, for example "foo.org", will publish records in the DNS zone (or, Domain Name System — the system by which all Internet service addresses are created, maintained, and used) for foo.org that determine which servers on the Internet are allowed to send email claiming to be from addresses in that domain. A mail server receiving email that claims to be from foo.org can look up these records and determine if the sending server is authorized to send email for that domain.

What are the recent technical developments in SPF?

The original SPF concept focused on verifying the "Return-Path" header from an email, often called the "envelope sender". This is helpful, but the header almost never is shown to an email user, and can be different from the more familiar "From" address that all email software will display.

The latest version of SPF (version 2.0) has incorporated the concept of a "Purported Responsible Authority" (PRA) address (i.e., Who does this email claim to be from?), and applies similar tests to that address as well. For most emails, the PRA is the familiar "From" address.

How does SPF need to be set up for an organization?

To fully benefit from SPF, there must be two sets of records — one for the Return-Path and one for the PRA. The former is usually managed by the organization's Email marketing Service Provider (ESP) for example, the Return-Path address on our clients’ Convio system-generated email is a convio.net address. So, SPF records for that address are Convio's responsibility, and we already have published SPF records for that domain.

The "From" address in broadcast emails typically will use an Internet domain owned by the client. This means that SPF records identifying the ESP as a legitimate source of email also need to be published in the client's DNS.

How do organizations add SPF records to their DNS?

An SPF record is published as the value of a TXT record type, whose name is the domain itself. An organization’s IT department should publish the appropriate SPF records. Organizations without an IT department should ask their DNS hosting provider to help them set up their SPF records properly.

Where can I learn more about SPF?

There are numerous online forums, mailing lists, etc. One particularly useful site is http://spf.pobox.com/. Just remember: Although SPF is a minor piece of the deliverability puzzle, it is a small but worthwhile one-time effort for organizations to configure SPF for their domains. 

Convio clients: Find SPF configuration information located at http://customer.convio.com/WhatIsSPF (requires client login).


Ask the Expert: What is Sender Policy Framework (SPF) and why is it important to my nonprofit organization? | Convio