Use SPF to Authorise Email Servers
SPF helps confirm which email servers are allowed to send emails for your organisation's domain.
Plain language
The Sender Policy Framework (SPF) is a safety measure to make sure only approved email servers can send emails on behalf of your organisation. This helps prevent scammers from sending fake emails using your business name, which could damage your reputation and lead to people losing trust in your organisation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
SPF is used to specify authorised email servers (or lack thereof) for an organisation's domains (including subdomains).
Why it matters
Without SPF DNS records, attackers can spoof your domain in email, enabling phishing, fraud and reputational harm.
Operational notes
Maintain SPF DNS TXT records for all domains and subdomains (including those that send no mail at all); update the list of authorised senders whenever mail services change, and validate the record's syntax and its DNS lookup limits after every change.
Implementation tips
- The IT team should create a list of all email servers that are currently used by the organisation. They can do this by checking the current email hosting service and any email services connected to the organisation's domain.
- Once the list is created, the IT team should update the Domain Name System (DNS) settings for the organisation's domain to include an SPF record. This record states which servers are authorised to send emails on behalf of the organisation.
- The IT team should use an online SPF checker tool to ensure that the SPF record is correctly set up. This tool will provide feedback on whether the record is configured properly to prevent unauthorised use.
- Management should inform all staff of the importance of sending email only through authorised email servers, so that no email is sent through systems the SPF record does not cover. This can be done through a quick training session or a company-wide email.
- The IT team should routinely review and update the SPF record, especially when replacing or adding email servers, to ensure it continues to list only the authorised servers. A regular check, perhaps quarterly, will keep it up to date.
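The steps above (inventory the senders, publish a v=spf1 record, check it, re-check it on every change) can be backed by a small offline check rather than only an online tool. The following is an added example, not code from Control Stack or the ASD ISM: it parses an SPF TXT record, counts the mechanisms that require DNS lookups against the limit of ten that RFC 7208 imposes (beyond which receivers return a permanent error and cannot evaluate the record), flags a missing or permissive `all` term and the deprecated `ptr` mechanism, and evaluates whether a given sending address is authorised by the record's `ip4`/`ip6` terms. The sample records, domains and addresses are constructed (documentation ranges); `include:` targets are not followed, since that needs live DNS.

```python
"""Offline lint for an SPF TXT record and a local authorisation check.

Added example; not code from Control Stack or the ASD ISM. The records and
sender addresses below are constructed sample data (RFC 5737/3849 ranges).
"""
import ipaddress
import re

# RFC 7208 section 4.6.4: mechanisms that need DNS lookups are capped at 10;
# exceeding it yields a permerror, so receivers cannot evaluate the record.
MAX_DNS_LOOKUPS = 10
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# A term is a mechanism/modifier name plus an optional argument after ':', '=' or '/'.
TERM_RE = re.compile(r"^([a-z0-9]+)([:=/].*)?$", re.IGNORECASE)


def parse_spf(record):
    """Split a record into (qualifier, name, argument) triples; require v=spf1."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        m = TERM_RE.match(term)
        if not m:
            raise ValueError(f"unparseable SPF term: {term!r}")
        parsed.append((qualifier, m.group(1).lower(), m.group(2)))
    return parsed


def lint_spf(record):
    """Return the record's own DNS-lookup count and a list of findings."""
    terms = parse_spf(record)
    names = [name for _, name, _ in terms]
    # Only this record's own lookups are counted; include: targets add their
    # own lookups, which an offline check cannot follow.
    lookups = sum(1 for name in names if name in LOOKUP_MECHANISMS)
    findings = []
    if lookups > MAX_DNS_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_DNS_LOOKUPS} (permerror)")
    if "ptr" in names:
        findings.append("ptr mechanism is deprecated by RFC 7208; list addresses explicitly")
    if "all" in names:
        position = names.index("all")
        qualifier = terms[position][0]
        if qualifier == "+":
            findings.append("+all authorises every host; use -all (or ~all while testing)")
        elif qualifier == "?":
            findings.append("?all gives a neutral result; use -all or ~all")
        if position != len(names) - 1:
            findings.append("terms after 'all' are never evaluated")
    elif "redirect" not in names:
        findings.append("no 'all' term: unlisted senders get a neutral result instead of fail")
    return {"lookups": lookups, "findings": findings}


def ip_authorised_offline(record, sender_ip):
    """Evaluate ip4/ip6/all terms in order for sender_ip without any DNS.

    Returns pass/fail/softfail/neutral, or 'needs-dns' if an include/a/mx term
    is reached before a match (those need live DNS to resolve).
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(arg[1:], strict=False)   # drop the leading ':'
            if net.version == ip.version and ip in net:
                return RESULT_FOR_QUALIFIER[qualifier]
        elif name in LOOKUP_MECHANISMS:
            return "needs-dns"
        elif name == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"   # record ended without a match and without an 'all' term


# Constructed sample records (documentation domains and address ranges).
GOOD_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.example.net -all"
WEAK_RECORD = "v=spf1 " + " ".join(f"include:m{i}.example.net" for i in range(11)) + " ptr +all"

if __name__ == "__main__":
    for rec in (GOOD_RECORD, WEAK_RECORD):
        print(rec, "->", lint_spf(rec))
    print(ip_authorised_offline(GOOD_RECORD, "192.0.2.10"))     # pass
    print(ip_authorised_offline(GOOD_RECORD, "198.51.100.5"))   # needs-dns: the include term is reached first
```

Run this against the record pulled from DNS (for example the TXT record a `dig` query returns) after every change to mail services; a clean lint plus a `pass` for each address in the sender inventory is the quarterly check the last tip describes.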
Audit / evidence tips
- Ask for the DNS configuration file: Request a copy of the DNS settings for the organisation's domain.
  Good: The SPF record lists all current authorised email servers with a "v=spf1" identifier.
- Ask for evidence of email server audits: Request documentation showing when and how often email server authorisations are reviewed.
  Good: Documents show regular review dates with any amendments clearly noted and actioned.
- Ask staff about email server training: Request records of any staff training concerning email servers and SPF.
  Good: Training records indicate comprehensive sessions explaining the importance of authorised email servers.
- Ask for a test email sent from each authorised server: Request recent emails sent from listed servers to check that they aren't flagged as spam.
  Good: Emails pass SPF checks and aren't marked as spam.
- Ask for logs of rejected emails: Request logs from the email server showing attempts to send emails from unauthorised servers.
  Good: Logs show blocked attempts from servers not included in the SPF record.
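The last two evidence items (test emails that pass SPF, and logs of attempts from unauthorised servers) can both be read off the `Authentication-Results` header that receiving mail servers add (RFC 8601). The following is an added example, not code from Control Stack or the ASD ISM: it tallies SPF outcomes from a batch of header lines and lists the messages that claimed the organisation's domain but did not pass, which is exactly the blocked-attempt evidence the audit asks for. The header lines, the domain `example.com` and the addresses are constructed samples; in practice they would come from a mailbox export or the mail gateway's logs.

```python
"""Summarise SPF outcomes from Authentication-Results headers.

Added example; not code from Control Stack or the ASD ISM. The header lines
are constructed samples in the RFC 8601 format that receiving mail servers add;
a real review would read them from a mailbox export or the mail gateway's logs.
"""
import re
from collections import Counter

SPF_CLAUSE_RE = re.compile(
    r"\bspf=(?P<result>pass|fail|softfail|neutral|none|temperror|permerror)\b"
    r"(?:\s*\([^)]*\))?"                   # optional comment, e.g. "(sender IP is 192.0.2.10)"
    r"[^;]*?smtp\.mailfrom=(?P<mailfrom>[^\s;]+)",   # stay within the spf clause
    re.IGNORECASE,
)


def summarise_spf_results(header_lines, our_domain):
    """Count results by outcome and list non-passing messages that claim our domain.

    Messages claiming our_domain that did not pass are the spoofing attempts an
    auditor wants to see being caught (the 'logs of rejected emails' evidence).
    """
    by_result = Counter()
    spoof_attempts = []
    for line in header_lines:
        m = SPF_CLAUSE_RE.search(line)
        if not m:
            continue                      # no SPF clause on this line
        result = m.group("result").lower()
        # smtp.mailfrom may be a bare domain or a full address; keep the domain
        domain = m.group("mailfrom").lower().rsplit("@", 1)[-1]
        by_result[result] += 1
        if domain == our_domain.lower() and result != "pass":
            spoof_attempts.append({"result": result, "header": line.strip()})
    return {"by_result": dict(by_result), "spoof_attempts": spoof_attempts}


def sender_ip_from_comment(header_line):
    """Pull the sender IP out of the receiver's comment, if one was recorded."""
    m = re.search(r"sender IP is ([0-9a-f.:]+)", header_line, re.IGNORECASE)
    return m.group(1) if m else None


# Constructed sample headers (documentation addresses and domains).
SAMPLE_HEADERS = [
    "Authentication-Results: mx.example.com; spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=example.com",
    "Authentication-Results: mx.example.com; spf=pass (sender IP is 192.0.2.11) smtp.mailfrom=billing@example.com",
    "Authentication-Results: mx.example.com; spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=example.com",
    "Authentication-Results: mx.example.com; spf=softfail (sender IP is 198.51.100.9) smtp.mailfrom=ceo@example.com",
    "Authentication-Results: mx.example.com; spf=pass (sender IP is 192.0.2.50) smtp.mailfrom=partner.example.net",
    "Authentication-Results: mx.example.com; dkim=pass header.d=example.com",
]

if __name__ == "__main__":
    summary = summarise_spf_results(SAMPLE_HEADERS, "example.com")
    print(summary["by_result"])
    for attempt in summary["spoof_attempts"]:
        print(attempt["result"], sender_ip_from_comment(attempt["header"]))
```

A `pass` for every address in the authorised-server inventory answers the test-email item; the non-passing entries, together with the sender IP from the comment, answer the rejected-email item and also show which addresses are missing from the record if a legitimate sender appears among them.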
Cross-framework mappings
How ISM-0574 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Annex A 8.9 | Partially meets | ISM-0574 requires an organisation to publish and maintain SPF DNS records that explicitly authorise which mail servers may send email for... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.