Email Brand Protection is not a new topic to  We have covered almost everything your organization needs to know to protect its email brand through our post about DMARC and DKIM.  To reiterate, email brand protection is covering you from the brand abuse in emails outside of your organization that you cannot see.  These are messages that external entities are sending out to look like your organization, when they really aren’t you.  In some cases these unsolicited emails using your brand are phishing for personal information, and in other cases just trying to sabotage your brand.   We covered the fact that DMARC and DKIM are keys ways to do this, but the other part that you really need to look at is SPF (Spoof).

What is SPF?

SPF stands for Sender Policy Framework, and will not only improve your brand protection it increases the likelihood that your corporate email will not be marked as spam.  This is an external DNS record that your organization uses to validate which entities can send email on your behalf.  In many cases, this may be just your own organization.  However, for some companies this record can be more than just your own company’s information.  Variables that may need to be included in this record are as follows:

  • External Email Gateway Providers – relevant if your organization leverages a cloud-based services to receive your incoming email, and then deliver this to your internal users mailboxes
  • Third party Services in the Cloud – There are many different options of cloud-based services available to sales and marketing teams. If your organization chooses to leverage on these services it would be advisable to add them to your SPF record.  Additionally, if these companies are sending messages to look like they came from your domain then it would be necessary to work with them to acquire a DKIM signature.  This  signature would be added to your external DNS and theirs to ensure that mail will be delivered.


SPF has a couple different options for use.  The DNS entry can end with ~all, if you are looking to do detection only, or –all to move toward hard failure of these messages.  I would strongly encourage you to leverage a 3rd party that has the ability to do reporting on your external SPF detections before moving to hard failure.  A tool like this can be trialed before purchase, and provides insights, reporting, and value into whether or not your brand is being abused and what types of messages will start failing or will be marked as spam when moving to the –all hard failure.

Here is sample of an SPF record that is set for detection only.

v=spf1 ~all

What else should you be thinking about?

SPF works best when used with DKIM from a brand protection perspective.   Here is why?  The message only needs to pass one of the two checks.  So, if your message fails SPF, but passes DMARC/DKIM the message will still make it to its destination.  This ensures that your real organizational email will be by your customers and vendors as expected.  Having both provides checks and balances system to validating the legitimacy of messages that either belong or don’t belong to your brand.

Is use of SPF going to 100% Protect my brand?

No!  Some messages may still get through to the outside world.  While it’s becoming more common to only accept messages that have passed SPF and/or DKIM checks sometimes other organizations do not opt to check for this.  Most Email Gateways have this option today, but if an entity doesn’t have these options enabled then some brand protection issues may still linger.

Concluding Thoughts

Your company reputation matters, so taking the time to understand and learn about DKIM/DMARC and SPF are invaluable to the protection of your brand.  This is important regardless of the size of your organization.  So act now, and start protecting your organizational email brand today!