ITS supports the use of SPF records on our system to validate our hosting clients' outgoing e-mail. SPF (Sender Policy Framework) and Sender ID are two similar methods to prevent others from sending e-mail using your domain name. Below we have answered several questions regarding SPF.

Implementing SPF

If you would like us to implement SPF for a domain name that is hosted by ITS, please contact our Technical Support department for assistance. We will need to know (and can assist you with determining) the identities of any mail servers that might send out e-mail using your domain name. For example:

  • Hosted email platform like Microsoft 365 or Google Workspace
  • Web server
  • Third-party mail server used for SMTP relay
  • Internal mail server in your office
  • Programs in your office sending backup logs, updates, e-mail notices, etc.
  • Bulk mail services, mailing lists
  • E-commerce providers such as credit card processors sending receipts

Please contact our Technical Support department for assistance in setting up SPF for your domain.

For general information on using SPF, or if your domain is not hosted with ITS, see www.open-spf.org.

Frequently Asked Questions

Will SPF prevent others from using my domain to send spam?

It will help others detect forged e-mails. However, the receiving e-mail server must check the SPF status of arriving messages, and not all mail servers do that yet. Still, there are plenty of anecdotal stories about domain owners that implemented SPF and saw a marked drop-off in spoofed spam traffic after a few weeks.

Will SPF reduce the spam I receive?

It depends. SPF seeks to prevent e-mail with forged sender addresses. As a technology, SPF will also help guard against "phishing" schemes where scammers send e-mails claiming to be from your bank, PayPal, credit card company, or other financial institution, to trick you into revealing your account information. So technically SPF doesn't prevent spam, though mail servers that check for SPF on incoming mail will block spam using forged domains.

However, the obvious next step would be to compile a list of all the Internet domains that DO send spam, and stop accepting mail from them.

There are other, more direct ways to stop receiving spam in your inbox.

How does SPF work?

SPF provides a way for a domain to tell the world that mail "from" that domain should only arrive from a specific list of mail servers. If the recipient's mail server checks, it can reject mail that claims to be "from" that domain but arrives from any other mail server.

A postal mail analogy would be that an envelope addressed to you from your sister arrives. You realize the envelope is postmarked from Zimbabwe, and you know your sister is in Cleveland, thus you know the letter is fake and can throw away the letter without bothering to read it.

What is Sender ID?

Sender ID is a method by Microsoft that, similar to SPF, checks inbound e-mail for validity. The public has been slower to adopt Sender ID since Microsoft has claimed a patent on parts of the validation technique, and has implemented Sender ID in such a way as to interfere with parts of SPF, generally causing confusion and uncertainty. Hotmail and MSN are prominent users of Sender ID.

Why are Hotmail and MSN blocking e-mail?

Microsoft, in an effort to kick-start SPF and Sender ID, began marking incoming e-mail that fails Sender ID tests. In fall 2005 Microsoft began strictly enforcing SPF checking for inbound e-mail. We expect over time more and more hosting providers will reject mail that fails SPF tests.

Note that Hotmail is also known to "black hole" (delete) mail for no apparent reason, instead of returning it undelivered. SPF/Sender ID will not "fix" this behavior.

Does ITS check SPF on incoming e-mail?

ITS web hosting and ITS Mail Guard check e-mail arriving in your mailboxes for SPF validity.

Why wasn't SPF implemented years ago?

SPF was introduced in 2003. Unfortunately the SPF standard had been changing to ensure it could handle all possible situations, and until 2006 or so was not stable enough to implement worldwide. The emergence of Sender ID followed by the conflict over Microsoft's patent claims has arguably delayed implementation.

Does my domain HAVE to use SPF?

Traditionally, no. Domains without an SPF record should be recognized as such, and mail from those domains should not be rejected. As SPF grows in popularity over the next decade, however, mail from domains without SPF may be subject to additional spam filtering.

However, in 2022 Gmail began (incorrectly) requiring an SPF or DKIM pass to accept mail.

What if my SPF record is invalid, like when I change mail servers?

If you do something like add an in-house mail server (or change ISPs for your office), change hosting providers, or add an outside mail service, you should update your SPF records right away. In fact, you should plan to update your SPF records ahead of time. Otherwise mail generated by those servers will be marked as failing the SPF test.

Technically what does SPF do?

SPF does not protect the "From" address on a message, which is very difficult to do for a variety of reasons. Instead it protects the "Return Path" header that is often not visible in e-mail client software but is intended to indicate the actual sender of the message when mail servers communicate with each other. SPF compares the supposed sender of a message with the list of servers the "sender's" domain says are allowed to send mail. If the sending server is on the list, it is considered a valid message.

By contrast, Sender ID tries to protect the "From" address.

Are there any problems with SPF?

Yes. As the world transitions from "innocent until proven guilty" to "assume e-mail is spam unless proven innocent," there will be conflicts. For one, forwarding e-mail from your domain to another mailbox becomes more difficult, as the sender's mail now appears to arrive at its destination from the intermediate mail server, in violation of the original server's SPF. Also, spammers may eventually resort to registering thousands of throwaway domain names just to send one spam message each. However, there are proposed solutions to each of these problems.

What if I have subdomains?

A subdomain, such as office.teamITS.com or naperville.teamITS.com is often used on internal networks in lieu of something like teamITS.local. Each subdomain or hostname needs its own SPF record, even if only to say that mail is never sent using that name. SPF provides a way to tell the world that any mail purporting to be from that domain is forged.

Also realize this advice applies to what are traditionally considered "hostnames" such as ftp.teamITS.com, mail.teamITS.com, or www.teamITS.com.
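One way to audit a zone against this advice, as an added example that is not ITS's own tooling: the zone snapshot, hostnames and the SENDING_NAMES set below are constructed assumptions standing in for an export of your real TXT records.

```python
# Constructed zone snapshot: hostname -> list of TXT strings (assumption:
# example.com stands in for the hosted domain; all values are illustrative).
ZONE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 -all",
                    "site-verification=constructed-value"],
    "www.example.com": [],
    "ftp.example.com": ["v=spf1 -all"],
    "mail.example.com": ["v=spf1 a -all", "v=spf1 -all"],
    "office.example.com": ["v=spf1 ~all"],
}
# Names that legitimately appear as a sender domain (assumption for this sample).
SENDING_NAMES = {"example.com"}

def audit_spf(zone, sending):
    """Return {hostname: finding} for every name whose SPF posture needs work."""
    findings = {}
    for name, txts in sorted(zone.items()):
        # Only TXT strings that begin with the SPF version tag count as SPF records.
        spf = [t for t in txts
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
        if not spf:
            findings[name] = "no SPF record: forged mail from this name is not flagged"
        elif len(spf) > 1:
            findings[name] = "multiple SPF records: receivers treat this as an error"
        elif name not in sending and spf[0].lower().split()[1:] != ["-all"]:
            findings[name] = "non-sending name should publish exactly 'v=spf1 -all'"
    return findings

if __name__ == "__main__":
    for host, finding in audit_spf(ZONE_TXT, SENDING_NAMES).items():
        print(f"{host}: {finding}")
```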

Please note: the information on this page applies to ITS web hosting plans. It may or may not apply to other environments. If you are looking for a feature described here, or better support from your hosting provider, please consider hosting your site with ITS!
