SPF is not a security feature, as it solves the wrong problem
SPF is one of my hot button issues, or rather how all too often influential people seem to think that SPF is a good idea. A lot of the time these people seem to think that a hard-fail SPF policy is a security feature, something that will prevent forgery of email as being from their company or organization. These people are wrong, at least in any practical sense.
The problem with SPF as a security feature is that it protects the
wrong thing. To the extent that it does anything, SPF protects the
(SMTP) envelope sender, ie the
MAIL FROM domain, and the envelope
sender is effectively invisible to people reading their email.
I am an email expert and even I do not configure my mail client to
display the envelope sender; like everyone else, I see the
header. Ordinary people generally don't even know that a separate
envelope sender address even exists.
What this means is that an attacker who wants to forge email from
your domain is not at all deterred by your hard-fail SPF policy.
They just put something else in the envelope sender, put your domain
From:, and mail away. It's extremely unlikely that anyone
will notice anything or that any automated systems will lower the
reputation score of these forged email messages (at least for that
reason). And I'm being extremely generous here, since I'm assuming
that people even see or look at the domain of the
as opposed to simply seeing some user-friendly version of it that
may be based on, eg, the name in the
From: instead of the domain.
(For example, GMail will show you the domain of the
From: but it
seems to de-emphasize it, using smaller type in a lighter shade
compared to the person's display name. If people aren't already
suspicious, how likely are they to notice a mismatch in such a
If you want a security feature that tries to block people forging
your domain in a meaningful sense, you want DMARC.
DMARC specifically exists to protect the
From: domain and in the
process the integrity of your legitimate email, so that it can't
be either forged or altered. SPF has nothing to do with this. Of
course even preventing forged
From: domains is not a great
protection, but at least DMARC
does something useful with only moderate collateral damage, unlike
(SPF does not really solve any problem, especially these days. The one problem it might solve it doesn't because lots of MTAs sensibly ignore it. See the sidebar here and of course SPF also has major downsides.)