Sender Policy Framework (SPF)* is a standard created in 2003 specifically to fight spoofing* – sending e-mails with forged sender address – and phishing* – sending forged e-mails to obtain sensitive and confidential information.
While SPF doesn't prevent a computer hacker from sending such messages, doesn't prevent you from receiving such messages and doesn't prevent someone from impersonating you, SPF does delete or give you a clear alert when you receive a message from a forged sender.
This is essential to make sure it is harder for your employees to be misled by spoofing and phishing and supplying your company's confidential data to hackers. It will also be harder for your clients to be misled or even you to be misled.
This minimizes the number of cases of industrial espionage and reduces the possibility of losing customers when your competitors illegally impersonate you.
SPF doesn't however completely solve the phishing problem. If you receive a message from a forged sender pretending to be your bank (e.g.: email@example.com) SPF deletes the message or gives you a warning. But if a hacker registers a domain name that is different but similar to "citibank.com", SPF correctly indicates that the sender is genuine. It is up to you or your employees to pay attention and note that the sender is similar to, but is not, your bank (e.g.: firstname.lastname@example.org or email@example.com).
Even with digital signatures (which are cryptographic means of ensuring genuine sender and unchanged content), a hacker can still digitally sign a message sent from a domain that belongs to him.
The last line of protection is therefore educating your employees to understand the dangers and protect themselves.
All our hosting includes SPF to prevent anyone from impersonating you (or rather, to ensure that the recipient – if he supports SPF as well – never receives forged messages). You don't have to do anything, SPF is automatic.
However, what SPF specifically does is to tell each recipient which is the outgoing message (SMTP*) server list that your company uses. This way, any e-mail with your sender address sent by some other SMTP server is immediately discarded as a forgery.
For this to work properly, you should provide us with the list of SMTP servers you use. As long as this list is short enough, your domain will be programmed with the corresponding SPF records, ensuring that recipients stop receiving forged messages.
When an e-mail message is received by our hosting, SPF records are checked. If they fail, the message is immediately deleted. Our Webmail also supports SPF, alerting you if you receive a forged message.
The Webmail goes beyond SPF and also supports other similar standards (Sender-ID*, DomainKeys* and DKIM*) giving you maximum protection against cyber crime.
More about our Webmail
SPF is not
There are numerous Internet articles criticizing SPF. The vast majority of them criticizes SPF of not having stopped spam*.
This is poor understanding of the goals of SPF. SPF intends to prevent spoofing which was just one more way for spam to enter our e-mail mail boxes: the sender would pretend to be a well known party.
Nowadays, due to SPF, spam and phishing are easier targets of legal actions. Both forms of crime can be more easily prosecuted in courts. But SPF doesn't prevent them and never intended to prevent them.