What is SPF Authentication?
To understand how SPF authentication for DMARC affects overall compliance, let’s look closer at its unique characteristics.
SPF can be evaluated in two ways: authentication and alignment. An email passes SPF authentication when delivered from an IP address published in the SPF policy for the domain found in the envelope “mail from:” designator. Essentially, the IP address that sent the email (Source IP in your Delivery Center report) must match an IP address published in the SPF record for the domain.
In the below example, SPF passes authentication:
Source IP = 93.184.216.34
Mailfrom Domain = example.com
Example.com SPF Record: v=spf1 a -all
Why? The SPF record has an “a” record for example.com that resolves to 93.184.216.34. Since the Source IP is included in the host’s SPF record, this message will pass SPF authentication.
On the other hand, messages fail SPF authentication when delivered from an IP address NOT published in the SPF policy for the domain found in the envelope “mail from:” indicator. The following example shows SPF failing authentication:
Source IP = 1.2.3.4
Mailfrom Domain = example.com
Example.com SPF Record: v=spf1 a -all
Why? The SPF record does NOT contain 1.2.3.4 as a permitted sender, thus the message isn’t up to par.
For more SPF authentication examples, please see RFC7208 Page 55.