Does SPF authenticate the 'From' header directly?

The short answer is no. This is a very common and understandable point of confusion in email authentication. Sender Policy Framework (SPF) does not authenticate the 'From' address shown in your email client. It authenticates a different identity, the one presented during the SMTP transmission, which most clients never display.

This distinction is critical for understanding email security and why protocols like DMARC are so important. While SPF is a fundamental building block, it only validates one part of an email's identity.

SiteGround says:
Although the email SPF record does not verify the “From” field of a message, it confirms a part of the email header that is not visible at first sight.

Understanding the two 'From' addresses

To grasp why SPF works this way, you need to know that every email carries two 'From' addresses:

  • Header From (RFC 5322.From): the visible address displayed in your email client's 'From' field. It is part of the message headers, is written by whoever composes the message, and is meant for humans to read.
  • Envelope From (RFC 5321.MailFrom): the address given in the SMTP MAIL FROM command during the server-to-server conversation. Receiving servers usually record it in a Return-Path header, and it is also called the 'bounce address' because non-delivery reports are sent there. This is the identity SPF authenticates. (When the envelope sender is empty, as it is for bounces themselves, SPF falls back to the domain given in the HELO/EHLO command.)
DuoCircle says:
The “from” header is the one that most clients see as the original sender of the message. SPF validates the “envelope from” and not the “header from” to authenticate the sender.

Because these two addresses can be completely different, a simple SPF check isn't enough to prevent sophisticated spoofing.

How does SPF authentication actually work?

The SPF authentication process is a server-to-server check that happens behind the scenes. When an email arrives, the receiving mail server takes the domain from the 'envelope from' address in the SMTP MAIL FROM command and queries DNS for that domain's TXT records, looking for the one that begins with v=spf1. That record lists the sources authorized to send on behalf of the domain: explicit ip4: and ip6: ranges, plus mechanisms such as a:, mx: and include: that resolve to further addresses or to another domain's SPF record, as explained by Klaviyo's help center.

The check compares the connecting server's IP address against those sources. The first mechanism that matches decides the result, so the order of the terms and the qualifier on each term matter: a match on a plain mechanism gives pass, while the trailing -all, ~all or ?all gives fail, softfail or neutral to anything not listed. The receiving server typically records the outcome in a Received-SPF header (and in Authentication-Results). Two caveats practitioners run into: a domain that publishes more than one v=spf1 record, or a record that needs more than ten DNS-querying mechanisms (include, a, mx, ptr, exists, redirect) to evaluate, yields permerror rather than a usable verdict.
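To make the evaluation concrete, here is an added example (not code from the original page or from any SPF library) that walks an SPF record the way a verifier does: it resolves ip4/ip6/a/include mechanisms and the redirect= modifier against a constructed, in-memory DNS zone, applies the qualifiers, and enforces the ten-lookup limit. The domains and addresses in the zone are made up for illustration, and mx, ptr, exists and macros are left out.

```python
"""Minimal SPF evaluator (RFC 7208 check_host) over a constructed in-memory zone.

Added example, not code from the original page or from any SPF library.
It implements the ip4, ip6, a, include and all mechanisms plus the
redirect= modifier, and the ten-lookup limit. The mx, ptr and exists
mechanisms, macros and CIDR suffixes on 'a' are omitted, and the zone
below is made-up data so the example runs offline.
"""
import ipaddress

# Constructed zone: domain -> record type -> values. Not real DNS data.
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    },
    "_spf.mailer.example": {
        "TXT": ["v=spf1 ip4:198.51.100.5 ip6:2001:db8::/32 ~all"],
    },
    "softfail.example": {
        "TXT": ["v=spf1 a ~all"],
        "A": ["203.0.113.7"],
    },
    "marketing.example": {
        "TXT": ["v=spf1 redirect=example.com"],
    },
    "broken.example": {
        # Two SPF records: RFC 7208 says this is a permerror, not "pick one".
        "TXT": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"],
    },
}

MAX_DNS_TERMS = 10  # RFC 7208 section 4.6.4: include/a/mx/ptr/exists/redirect budget
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(domain, rtype):
    return ZONE.get(domain.lower(), {}).get(rtype, [])


def spf_record(domain):
    """Return the domain's single v=spf1 record, or the result 'none'/'permerror'."""
    records = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(records) > 1:
        return "permerror"
    return records[0] if records else "none"


def check_host(ip, domain, budget=None):
    """SPF result for a connection from `ip` whose MAIL FROM domain is `domain`."""
    budget = budget if budget is not None else [MAX_DNS_TERMS]  # shared across includes
    record = spf_record(domain)
    if record in ("none", "permerror"):
        return record
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:  # modifier, not a mechanism
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue  # other modifiers (e.g. exp=) are ignored, as unknown modifiers must be
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network and vice versa.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name in ("a", "include"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many DNS-querying terms
            if name == "a":
                target = arg or domain
                if any(addr == ipaddress.ip_address(a) for a in lookup(target, "A")):
                    return QUALIFIERS[qualifier]
            else:
                sub = check_host(ip, arg, budget)
                if sub == "pass":
                    return QUALIFIERS[qualifier]
                if sub in ("none", "permerror", "temperror"):
                    return "permerror"
                # fail/softfail/neutral inside an include just means "no match here"
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"  # unsupported or unknown mechanism
    if redirect is not None:  # only reached when no mechanism matched
        budget[0] -= 1
        if budget[0] < 0:
            return "permerror"
        return check_host(ip, redirect, budget)
    return "neutral"  # record ended without a match and without redirect
```

Note what the include does: a softfail or fail inside the included record is not a verdict, it only means "this include did not match", and evaluation continues to the parent's trailing -all. Swap ZONE for a real resolver (for example dnspython) and the logic is the same.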

The SPF alignment gap and spoofing risk

The primary weakness of SPF, when used alone, is that there is no requirement for the 'envelope from' domain to match the 'header from' domain. This creates a loophole that phishers and spammers love to exploit.

AutoSPF says:
A potential risk arises when both addresses don't match and SPF does not directly validate the From header. This misalignment opens avenues for unauthorized use of your domain in the visible 'From' field, leading to phishing and spoofing attacks.

Imagine an attacker sends an email with the following properties:

  • Envelope From: attacker@shady-domain.com (The attacker has set up a valid SPF record for shady-domain.com, so this passes the SPF check).
  • Header From: billing@your-trusted-bank.com (This is what the recipient sees in their inbox).

The email passes SPF, yet it is a clear spoofing attempt. The recipient is tricked into thinking the email is from their bank, making them vulnerable to phishing.

How DMARC solves the alignment problem

This is where DMARC (Domain-based Message Authentication, Reporting, and Conformance) becomes essential. DMARC acts as a policy layer on top of SPF and DKIM. One of its key functions is to check for 'identifier alignment'.

For an email to pass DMARC on the strength of SPF, two conditions must be met:

  • The email must pass the standard SPF check.
  • The domain in the 'envelope from' (which SPF checked) must align with the domain in the 'header from' (what the user sees). This is SPF alignment. By default alignment is relaxed, meaning the two need only share the same organizational domain (bounces.example.com aligns with example.com); setting aspf=s in the DMARC record demands an exact match.

DMARC passes if either SPF or DKIM authenticates and aligns, so a message whose envelope from domain differs can still pass when a DKIM signature from the header from domain verifies. That is why third-party senders that cannot align SPF are usually handled with DKIM.

By enforcing this alignment, DMARC closes the loophole. In the spoofing example above, the email would fail the DMARC check because shady-domain.com does not align with your-trusted-bank.com. A DMARC policy can then instruct the receiving server to quarantine or reject the fraudulent message.
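The following added example (not code from the original page or from any DMARC library) runs the spoofing scenario above and the alignment rules through a small DMARC evaluator. It assumes the SPF verdict for the envelope from domain has already been computed (for instance by a verifier like the one earlier on this page), takes the DMARC record as the text a receiver would fetch from _dmarc.<header From domain>, and simplifies the organizational-domain rule to "last two labels"; real verifiers use the Public Suffix List. All domain names are constructed for illustration.

```python
"""DMARC identifier alignment for SPF and DKIM (RFC 7489 section 3.1).

Added example, not code from the original page or from any DMARC library.
Assumes the SPF result for the RFC5321.MailFrom domain is already known.
The organizational-domain rule is simplified to the last two labels
(real verifiers consult the Public Suffix List), and all domains below
are constructed for illustration.
"""
from email.utils import parseaddr


def domain_of(address):
    """Lowercased domain of an address such as '"Billing" <billing@bank.example>'."""
    if not address or address.strip() in ("", "<>"):
        return ""  # null reverse-path: SPF then used the HELO identity, which never aligns here
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def organizational_domain(domain):
    # Simplification: the last two labels stand in for the Public Suffix List rule.
    return ".".join(domain.split(".")[-2:]) if domain else ""


def aligned(auth_domain, header_from_domain, mode):
    """Relaxed ('r') compares organizational domains; strict ('s') requires equality."""
    if not auth_domain or not header_from_domain:
        return False
    if mode == "s":
        return auth_domain == header_from_domain
    return organizational_domain(auth_domain) == organizational_domain(header_from_domain)


def parse_dmarc(record):
    """'v=DMARC1; p=reject; aspf=s' -> {'v': 'dmarc1', 'p': 'reject', 'aspf': 's'}."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def evaluate_dmarc(header_from, envelope_from, spf_result, dmarc_record, dkim_pass_domain=None):
    """Combine an SPF verdict (and optionally the d= of a passing DKIM signature) with alignment.

    dmarc_record is the TXT a verifier fetches from _dmarc.<header From domain>.
    """
    tags = parse_dmarc(dmarc_record)
    hf = domain_of(header_from)
    mf = domain_of(envelope_from)
    spf_aligned = spf_result == "pass" and aligned(mf, hf, tags.get("aspf", "r"))
    dkim_aligned = bool(dkim_pass_domain) and aligned(dkim_pass_domain.lower(), hf, tags.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned
    return {
        "header_from": hf,
        "mail_from": mf,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        # The p= policy is only applied on failure; None means "deliver normally".
        "disposition": None if passed else tags.get("p", "none"),
    }


if __name__ == "__main__":
    # The page's spoofing scenario: SPF passes for the attacker's own domain,
    # but the visible From is the bank, so DMARC fails and p=reject applies.
    print(evaluate_dmarc('"Bank Billing" <billing@your-trusted-bank.com>',
                         "attacker@shady-domain.com", "pass", "v=DMARC1; p=reject; aspf=s"))
```

Two details worth noticing in the results: under relaxed alignment a bounce subdomain (mail.your-trusted-bank.com) aligns with the parent, but aspf=s turns that same message into a failure, and a message whose SPF does not align still passes DMARC when an aligned DKIM signature verifies.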

In conclusion, while SPF is a crucial first step in authenticating your sending sources, it does not validate the sender address that your users see. It validates the hidden 'envelope from'. To fully protect your domain from being spoofed, you must implement DMARC to ensure the visible 'From' address is the one being authenticated.
