When is this SPF record used?

When an email arrives, the receiving email server will look up the relevant SPF record to validate that the email is coming from a valid source.

So which SPF record does it use, you ask?

The receiving email server looks for the Return-Path address of the email. This also happens to be the address used to send a message back to the sender if the email bounces. (You might also hear this called the envelope sender, mail from, or bounce address too.)

If you're curious about what this actually looks like, open up an email's raw source code, then look for the Return-Path header. It'll look something like this:

Message-ID: <CAOu7dXK8F9MEzSORa4L@dnsdigest.com>
Date: Thu, 15 Feb 2024 10:23:45 -0700
Return-Path: <xxxxxxxxx@pm-bounces.dnsdigest.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
From: "John Smith" <john@example.com>
The Return-Path can be found in the email's raw source code

The receiving email server finds the SPF record based on the domain of the Return-Path, pm-bounces.dnsdigest.com. That's the SPF record in the dnsdigest.com DNS record set with the hostname of pm-bounces.

But how else might this SPF record get used?

This isn't the only time this SPF record might get used.

If another domain's SPF record contains include:pm-bounces.dnsdigest.com in its value, it's telling the receiving email server to also check this SPF record when validating that the email is coming from a valid source. Here's a made-up example:

TXT | example.com | "v=spf1 ip4:192.0.2.0/24 include:pm-bounces.dnsdigest.com -all"
An example SPF value that includes this SPF record

This is why, when you are sending email from a third-party email provider, you're often asked to "include" their SPF record in yours, so all of the servers they permit are added to your SPF record.

So email servers aren't looking at the SPF record based on the displayed From address?

Correct. For SPF, email servers are not looking at the displayed From address of the email. They're looking at the Return-Path address.

From: info@dnsdigest.com
To: john@example.com
Date: Dec 23, 2024, 3:37 AM
Subject: Hey long time. What's up!
The displayed From address is not always the same as the Return-Path.

This is why a DMARC record is important. DMARC authentication requires that the domain of the displayed From address matches the domain of the Return-Path address (what's called "SPF alignment").
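To make the two steps above concrete, here is an added example (not code from the original page or from dnsdigest) that walks a message through a receiver's SPF check offline: it pulls the domain out of the Return-Path header, evaluates that domain's SPF record including any include: references, and then compares the Return-Path domain with the displayed From domain for SPF alignment. The raw message, the DNS TXT table, the sender IPs and the loop.example record are all constructed, and the DNS lookup is a dictionary standing in for real TXT queries.

```python
"""Offline walk-through of the SPF lookup described above.

Added example, not code from the original page or from dnsdigest.
The raw message, the DNS TXT table and the sender IPs are constructed.
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS: hostname -> SPF TXT record value.
FAKE_DNS_TXT = {
    "pm-bounces.dnsdigest.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:pm-bounces.dnsdigest.com -all",
    "dnsdigest.com": "v=spf1 include:pm-bounces.dnsdigest.com -all",
    "loop.example": "v=spf1 include:loop.example -all",  # deliberate include loop
}

# Constructed raw message; only the headers matter for SPF.
RAW_MESSAGE = """\
Return-Path: <bounce-123@pm-bounces.dnsdigest.com>
From: "John Smith" <john@example.com>
To: info@dnsdigest.com
Subject: constructed sample

(body)
"""

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms such as include at 10


def domain_of(address):
    """Bare, lower-cased domain of an address like '"Name" <user@host>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def return_path_domain(raw_message):
    """The domain the receiver uses for SPF: the one in the Return-Path header."""
    msg = message_from_string(raw_message)
    return domain_of(msg.get("Return-Path", ""))


def check_spf(domain, sender_ip, dns=FAKE_DNS_TXT, lookups=0):
    """Evaluate sender_ip against domain's SPF record.

    Supports ip4/ip6, include and the 'all' terminator, which is all the
    records on this page use; other mechanisms are treated as non-matching.
    Returns pass, fail, softfail, neutral, none or permerror.
    """
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # An include matches only if the referenced record yields 'pass'.
            # Lookups are counted along the recursion (a simplification of the
            # RFC's per-evaluation count); overrunning the cap is a permerror.
            if lookups + 1 > MAX_LOOKUPS:
                return "permerror"
            sub = check_spf(arg, sender_ip, dns, lookups + 1)
            if sub == "permerror":
                return "permerror"
            matched = sub == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an 'all' term


def spf_aligned(raw_message, strict=False):
    """DMARC SPF alignment: displayed From domain versus Return-Path domain.

    Strict mode needs an exact match. Relaxed mode is approximated here by
    letting the Return-Path domain be a subdomain of the From domain; a real
    DMARC check compares organizational domains using the public suffix list.
    """
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    rp_domain = return_path_domain(raw_message)
    if strict or from_domain == rp_domain:
        return from_domain == rp_domain
    return rp_domain.endswith("." + from_domain)


def evaluate(raw_message, sender_ip):
    """Receiver-side walk: pick the Return-Path domain, run SPF, check alignment."""
    rp_domain = return_path_domain(raw_message)
    return {
        "return_path_domain": rp_domain,
        "spf": check_spf(rp_domain, sender_ip),
        "spf_aligned": spf_aligned(raw_message),
    }


if __name__ == "__main__":
    print(evaluate(RAW_MESSAGE, "203.0.113.7"))
```

Run as-is, the constructed message passes SPF (the sender IP sits in pm-bounces.dnsdigest.com's ip4 range) but is not SPF-aligned, because the displayed From is example.com while the Return-Path is under dnsdigest.com; that gap between "SPF pass" and "aligned" is exactly what DMARC adds on top of SPF.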

Head over to the DMARC section to dive into your DMARC records.