What SPF Does
SPF works by publishing a DNS TXT record listing the mail servers authorised to send email for your domain. When a receiving mail server accepts a message, it looks up the SPF record for the sending domain and checks whether the connecting server's IP address is listed. This helps to prevent malicious actors from forging the 'envelope From' address, a common tactic in phishing and spam campaigns. SPF does *not* validate the 'header From' address, which is what recipients typically see in their mail client. It is a crucial first step in email authentication, but it works best when combined with other technologies such as DKIM and DMARC.
SPF in Australian Tenants Today
For AU mid-market organisations using Microsoft 365, a correctly configured SPF record is essential for meeting cybersecurity obligations. The ACSC Essential Eight recommends implementing email authentication to protect against common attack vectors. Include spf.protection.outlook.com in your SPF record so that Microsoft 365 is authorised to send email on your behalf. Regularly review and manage any ‘shadow senders’, that is, third-party services that may be sending email from your domain without appearing in your record. As your email security posture matures, transition from a ‘~all’ (soft fail, which many receivers treat as advisory only) to a ‘-all’ (hard fail) directive in your SPF record, alongside implementing DKIM and DMARC with reject policies, to maximise protection and align with best practice.
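To make the check described in both sections concrete, here is an added example (not code from the original article) of a minimal SPF evaluator. It resolves records from a constructed in-memory table rather than live DNS, so the record shown for spf.protection.outlook.com is a made-up stand-in, not Microsoft's real record; it supports only the ip4, ip6, include and all mechanisms, which is enough to show how a connecting IP is matched and how ‘~all’ and ‘-all’ differ.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups. The record under
# spf.protection.outlook.com is invented for this example only.
FAKE_DNS = {
    "example.com.au": "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all",
    "soft.example.com.au": "v=spf1 include:spf.protection.outlook.com ~all",
    "broken.example.com.au": "v=spf1 include:missing.example -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, dns=FAKE_DNS, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for the connecting `sender_ip`.

    Mechanisms handled: ip4, ip6, include, all (a, mx, ptr, exists and
    redirect are ignored here). Returns one of: pass, fail, softfail,
    neutral, none, permerror.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms
        return "permerror"
    record = dns.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                   # the domain publishes no SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # an unqualified mechanism means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record yields 'pass';
            # a missing or invalid referenced record is a permanent error.
            sub = check_spf(value, sender_ip, dns, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no 'all' term
```

A receiver that enforces SPF would typically reject on "fail" but deliver (perhaps with a mark) on "softfail", which is why the article recommends moving to ‘-all’ once all legitimate senders are listed.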