The Sender Policy Framework (SPF) is a community-based effort that requires senders to publish their mail servers in an SPF record. This record is used to detect forged senders.

How does SPF work?

The basic idea behind Sender Policy Framework (SPF) is simple: whenever an email is received, a check is made to see if the server which sent it is allowed to send emails on behalf of the sender’s domain.

For example: you receive a message from ‘’ from a machine with IP ‘’. SPF works by asking ‘’ if ‘’ is allowed to send email on its behalf.

For SPF to work, the sender’s domain (‘’ in this example) must publish, via DNS TXT records, the hosts which are allowed to send email on its behalf. Thus SPF requires both sender and recipient collaboration. If this information is not published, then SPF will return ‘unknown’, or ‘none’.

SPF checks the last external IP. If GFI MailEssentials is installed on a machine in the perimeter then the last external IP is easily obtainable by checking the IP of the mail server that connected to Internet Information Services (IIS).

If GFI MailEssentials is not installed on the perimeter server, you need to configure the perimeter SMTP servers that are receiving emails from the internet. GFI MailEssentials will parse the message headers for the ‘Received’ lines, which contain the IP addresses of the servers through which the message has passed. To get the IP address of the sender’s mail server, GFI MailEssentials checks all the IPs in the header until an IP is:

  1. Found in the perimeter SMTP servers list.
  2. Followed by an IP address which is not in the perimeter SMTP servers list. The latter IP is the external IP.

The following example assumes that is in the perimeter list. GFI MailEssentials is installed on ‘hostb’ and is being forwarded email from ‘hosta’ (

Received: from hosta ([]) by hostb with Microsoft SMTPSVC;
Tue, 11 Jan 2005 18:53:30 +0100
Received: from ([]) by hosta with Microsoft SMTPSVC;
Tue, 11 Jan 2005 18:53:19 +0100

From: <>

Using the logic detailed above, GFI MailEssentials will find the perimeter IP which is followed by a non-perimeter IP, in this case If confirms that is allowed to send email on its behalf, the email will be passed through the rest of the anti-spam plug-in, otherwise the email is marked as spam.
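The header walk described above can be sketched in Python as follows. This is an added example, not GFI MailEssentials code: the function names are hypothetical, and the sample message uses constructed documentation-range addresses (192.0.2.10 for ‘hosta’) in place of the values missing from the example above.

```python
import ipaddress
import re
from email import message_from_string

# Bracketed address literal written by the receiving server, e.g. ([192.0.2.10])
BRACKETED_IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")

# Constructed sample: documentation-range addresses, not values from the article.
# hosta (192.0.2.10) is the perimeter server; the bottom line is sender-supplied.
SAMPLE = (
    "Received: from hosta ([192.0.2.10]) by hostb with Microsoft SMTPSVC;\n"
    "\tTue, 11 Jan 2005 18:53:30 +0100\n"
    "Received: from mail.example.org ([198.51.100.25]) by hosta with Microsoft SMTPSVC;\n"
    "\tTue, 11 Jan 2005 18:53:19 +0100\n"
    "Received: from relay.example.net ([203.0.113.7]) by mail.example.org;\n"
    "\tTue, 11 Jan 2005 18:53:01 +0100\n"
    "From: <user@example.org>\n"
    "Subject: test\n"
    "\n"
    "body\n"
)


def received_ips(raw_message):
    """Return the bracketed IPs from the Received headers, newest hop first."""
    ips = []
    for value in message_from_string(raw_message).get_all("Received", []):
        match = BRACKETED_IP.search(value)
        if match is None:
            continue
        try:
            ips.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # not a valid address literal; ignore this hop
    return ips


def last_external_ip(raw_message, perimeter):
    """First non-perimeter IP that directly follows a perimeter IP, else None."""
    trusted = {ipaddress.ip_address(p) for p in perimeter}
    ips = received_ips(raw_message)
    for current, following in zip(ips, ips[1:]):
        if current in trusted and following not in trusted:
            return str(following)
    return None  # no perimeter-to-external transition found in the headers


if __name__ == "__main__":
    print(last_external_ip(SAMPLE, ["192.0.2.10"]))
```

The walk stops at the first perimeter-to-external transition, so ‘Received’ lines added before the message reached the perimeter do not influence the result. If the perimeter list is empty or incomplete the function returns no address, so no SPF check can be made against a trustworthy IP.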

Points to note:

  • It is important to note that all public perimeter IPs should be included in the GFI MailEssentials configuration as GFI MailEssentials will search for them when parsing message headers.
  • Confirm which DNS server GFI MailEssentials uses. In most cases this will be an internal DNS server. If you have an external zone in your internal DNS server, then you need to set up the SPF record for your domain in the DNS record of your internal DNS server as well as the external one.
  • More information regarding the Sender Policy Framework (SPF) can be found at:
  • Further information on how to create an SPF record for your domain can be found in the following Microsoft Knowledgebase article:

In Part 2 of this article we will be reviewing how to create SPF records for your domain and determine domain names.
