Summary
All sources, including documentation, experts, and email marketers, agree that SPF records should authenticate the Return-Path domain (also known as the MAIL FROM or envelope sender), used during the SMTP transaction. The 'From:' address is authenticated via DKIM and DMARC, and generally doesn't need its own SPF record. Properly configuring SPF for the Return-Path and DKIM/DMARC for the 'From:' address is crucial for email deliverability, particularly when using different domains for each.
Key findings
- SPF Authenticates Return-Path: SPF is designed to authenticate the Return-Path domain, which is used during the SMTP transaction.
- DKIM/DMARC for 'From:': DKIM and DMARC are responsible for authenticating the 'From:' address.
- No SPF for 'From:' Needed: Generally, it's not necessary to publish an SPF record for the domain used in the user-visible 'From:' address.
- Marketo Return-Path Data: Marketo includes data (Munchkin ID, campaign details) in its Return-Path address, which should be considered during SPF configuration.
- SPF and Forgery: The primary function of SPF is to prevent sender address forgery.
Key considerations
- Return-Path Configuration: Focus SPF configuration on authorizing the sending sources for the Return-Path domain.
- DKIM/DMARC Setup: Ensure correct DKIM and DMARC configuration to authenticate the 'From:' address, especially when it differs from the Return-Path domain.
- Deliverability Impact: Incorrect or incomplete SPF and DKIM/DMARC setups can significantly impact email deliverability.
- Bounce Handling: The Return-Path domain is used for handling bounces and other delivery-related notifications.
- Comprehensive Authentication: SPF, DKIM, and DMARC must work together to provide a comprehensive email authentication strategy.
What email marketers say
8 marketer opinions
The consensus is that SPF records should align with the Return-Path domain (also known as the MAIL FROM or envelope sender) rather than the 'From:' address. SPF authenticates the sending server for the Return-Path domain, which is used for bounces and delivery-related communication. While the 'From:' address is important for branding and user perception, it is authenticated through DKIM and DMARC. Using different domains for the Return-Path and 'From:' address requires proper configuration of DKIM and DMARC to avoid deliverability issues.
Key opinions
- SPF and Return-Path: SPF authenticates the domain used in the Return-Path (MAIL FROM).
- From: Address Authentication: The 'From:' address is authenticated through DKIM and DMARC, not directly by SPF.
- DMARC Alignment: DMARC uses SPF and DKIM to verify the 'From:' domain.
- Marketo Return-Path Data: Marketo includes data in the Return-Path address (Munchkin ID, campaign details).
- SPF Purpose: SPF's primary goal is to prevent sender address forgery.
Key considerations
- Domain Alignment: If the 'From:' and Return-Path domains differ, ensure proper DKIM and DMARC setup.
- Deliverability Impact: Incorrect SPF configuration can lead to deliverability problems.
- Bounce Handling: The Return-Path is used for bounce and delivery notifications.
- Authentication Standard: SPF, DKIM, and DMARC work together to provide comprehensive email authentication.
- Marketo Specifics: Consider the data Marketo includes in its Return-Path addresses when configuring SPF.
Marketer view
Email marketer from Mailjet answers that SPF should align with the domain used in the Return-Path, as this is the address used for bounces and delivery-related communications. The 'From:' address is a separate consideration for sender reputation and branding.
24 Feb 2024 - Mailjet
Marketer view
Email marketer from Email on Acid notes that SPF is used to authenticate the envelope sender (Return-Path), so the SPF record must include the sending sources authorized to send mail for that domain. DKIM can then be used to verify the 'From' domain. DMARC ties it all together.
6 May 2025 - Email on Acid
What the experts say
3 expert opinions
The expert consensus is that SPF records should align with the Return-Path domain, also known as the envelope sender, as this is the address authenticated during the SMTP transaction. It's generally unnecessary to publish an SPF record for the domain in the user-visible 'From:' address. The authentication of the 'From:' address is handled by DKIM and DMARC.
Key opinions
- SPF and Return-Path: SPF authenticates the Return-Path domain (envelope sender).
- From: Address Authentication: The 'From:' address is handled by DKIM and DMARC.
- No SPF for From:: Generally, no SPF record is needed for the domain in the 'From:' address.
- SMTP Transaction: The Return-Path address is used during the SMTP transaction.
Key considerations
- Domain Alignment: Focus SPF configuration on the Return-Path domain.
- DKIM/DMARC: Ensure DKIM and DMARC are properly configured to authenticate the 'From:' address.
- Deliverability: Proper configuration is crucial for email deliverability.
Expert view
Expert from Word to the Wise explains that SPF is related to the Return-Path (the envelope sender). The domain in the 'From:' header is handled by DKIM and DMARC.
1 Aug 2024 - Word to the Wise
Expert view
Expert from Email Geeks explains that the SPF record should be for the domain used in the Return Path, not necessarily the user-visible From: address. Also you generally don't need to publish a SPF record for the domain in your user visible From.
3 Oct 2022 - Email Geeks
What the documentation says
3 technical articles
Official documentation consistently states that SPF records should authenticate the MAIL FROM address, also known as the envelope sender or Return-Path. This address is used during the SMTP transaction. The 'From:' header address, which is what the user sees, is authenticated by DMARC in conjunction with DKIM, not by SPF.
Key findings
- SPF Usage: SPF authenticates the MAIL FROM (Return-Path) address.
- SMTP Transaction: SPF is used during the SMTP transaction to verify the sender.
- From: Address Handling: The 'From:' address is authenticated by DMARC and DKIM.
- MAIL FROM Identity: SPF checks are performed on the Return-Path domain during email delivery.
Key considerations
- Return-Path Focus: Ensure SPF records accurately reflect authorized sending sources for the Return-Path domain.
- DMARC and DKIM Setup: Proper DMARC and DKIM configuration is essential for authenticating the 'From:' address and ensuring deliverability.
- Authentication Hierarchy: Understand the roles of SPF, DKIM, and DMARC in the overall email authentication process.
Technical article
Documentation from DMARC.org shares that SPF authenticates the domain used in the Return-Path (also called MAIL FROM or envelope sender). This is distinct from the 'From:' header address, which is covered by DMARC in conjunction with DKIM.
17 Jan 2023 - DMARC.org
Technical article
Documentation from RFC Editor defines SPF as authenticating the MAIL FROM identity, emphasizing that it is the Return-Path domain that undergoes SPF checks during email delivery.
10 Jul 2021 - RFC Editor
Against which domain is SPF checked?
Are SPF, DKIM, and DMARC records necessary for transactional email servers not used for marketing?
Can a sender modify SPF records to alter SPF checking behavior?
How do I align SPF authentication with my sending domain in Google Postmaster Tools?
How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?
How do SPF, DKIM, and DMARC email authentication standards work?
