The key differences between Sender Policy Framework and Sender ID
The primitive version of SMTP (Simple Mail Transfer Protocol) didn’t have a feature to verify the email sender’s authenticity, leaving room for phishing and spoofing instances. Over time, emails became one of the most exploitable attack vectors. It was easier for threat actors to modify the ‘From’ field in an email to impersonate banks, governments, and well-known brands. They would send millions of potentially fraudulent emails each day, urging recipients to ‘reset their password’ or ‘verify their account,’ leading to credential theft.
This led to the evolution of the Sender Policy Framework (SPF) and Sender ID. Both of these solutions prevent email-based phishing and spoofing attacks; however, Sender ID became irrelevant over time. Let’s see how these two are different and why SPF prevailed over Sender ID.
What is SPF?
SPF is an email authentication protocol that the domain owner deploys to ensure that only authorized people send emails on their behalf. When SPF is implemented for your domain, unsolicited and unauthorized emails are either marked as spam by the recipient’s mailbox or are rejected.
It helps recipients stay away from phishing and spoofing emails sent in the name of your reputed business, shielding your brand image and ensuring email deliverability. This improves email deliverability, as legitimate emails are less likely to be marked as spam. SPF also strengthens a company’s brand reputation by ensuring that only authorized sources can send emails using its domain, protecting users from impersonation attacks. When combined with DKIM and DMARC, SPF plays a crucial role in comprehensive email authentication, making it harder for cybercriminals to exploit email as an attack vector.
How does SPF work?
Here is how SPF works to ensure only emails sent by authorized mail servers reach recipients’ inboxes.
Step 1: Domain owner publishes an SPF record
The domain owner creates an SPF record in the DNS (Domain Name System) settings of their domain. This record specifies which mail servers are allowed to send emails on behalf of the domain.
This is what a standard SPF record looks like-
v=spf1 ip4:192.168.1.1 include:_spf.google.com -all
Where,
- v=spf1 indicates the SPF version in use. As of now, there is only one version of SPF.
- Ip4:192.168.1.1 is the IP address officially authorized to be used for sending emails.
- include:_spf.google.com includes Google’s SPF policy (useful for Gmail and Google Workspace).
- -all instructs the receiving mailbox to reject emails sent from unauthorized sources.
Step 2: Email sent from the domain
When a sender tries to send an email (e.g., user@yourdomain.com), the recipient’s mail server checks the SPF record of ‘yourdomain.com’ to verify the sender.
Step 3: Recipient mail server performs SPF lookup
The receiving mail server extracts the Return-Path (Envelope From) domain from the email headers. Then, it queries the domain’s DNS records to find the corresponding SPF record.
Step 4: IP address validation
The receiving mail server checks if the sender’s IP address is mentioned as an authorized sender. If yes, the email is accepted; otherwise, it’s either rejected or placed in the spam folder.
Step 5: SPF policy applied
If the email fails SPF checks, one of the following actions is taken-
- If the domain owner has mentioned ~all (Soft fail policy) in their SPF record, then the unauthorized email is rejected.
- If the domain owner has mentioned -all (Hard fail policy) in their SPF record, then the unauthorized email is marked as spam.
- If the domain owner has mentioned ?all (Neutral policy) in their SPF record, then the unauthorized email is treated normally. It’s not at all advised to use this policy as it defies the whole purpose of securing emails through SPF.
Step 6: Email handling decision
If the email fails the SPF authentication checks, it is subjected to one of the above policies. If it passes, it undergoes additional security checks, such as DKIM and DMARC, before being delivered to the inbox.
What is Sender ID?
Microsoft introduced sender ID in the early 2000s as part of its broader initiative to secure email communication by verifying the sender’s legitimacy. Instead of just checking the Return-Path address, it checks the Purported Responsible Address of the email. Although sender ID is an obsolete protocol, its role in shaping modern authentication methods can’t be ignored.
How does Sender ID work?
The domain owner published a Sender ID record in their DNS settings, specifying all the mail servers they authorized to be used for sending emails on their behalf. When the receiving server got the email, it extracted the PRA domain and performed a DNS lookup to retrieve the sender ID record. It then compared the sender’s IP against the authorized list, applying a Pass, Fail, SoftFail, or Neutral policy. If Sender ID validation failed, the email could be rejected or marked as spam.
The key difference
| Feature | SPF | Sender ID |
| Authentication target | Checks sending mail server’s IP | Verifies the ‘From’ address |
| Record type | TXT DNS records | TXT or SPF records |
| Compatibility | Works with all mail servers | Works with all mail servers |
| Adoption |
Widely adopted |
Faced resistance due to Microsoft’s licensing model |
| Standardization | RFC 4408, later RFC 7208 | Proposed but not widely accepted |
Why did Sender ID become obsolete and SPF prevailed?
The main reason why Sender ID became obsolete is that it wasn’t compatible with modern systems. Industries didn’t openly adopt it because of its proprietary licensing concerns.
Since the Sender ID relied on the Purported Responsible Address (PRA), there were conflicts with existing email forwarding and mailing list mechanisms. This also triggered deliverability issues for the companies.
SPF, on the other hand, is capable of working with the existing SMTP infrastructure, which makes its deployment and management more effortless. Furthermore, as email security evolved with DKIM and DMARC, SPF seamlessly integrated into these frameworks, solidifying its role in modern email authentication, while Sender ID faded into obsolescence.