Verify Email Authenticity Using SPF
SPF helps confirm if an email really comes from who it claims to, preventing fake emails.
Plain language
The 'Verify Email Authenticity Using SPF' control is about ensuring that emails you receive are truly from who they claim to be, rather than from a scammer or hacker impersonating someone else. This matters because fake emails could trick you into revealing sensitive information or downloading harmful software, potentially leading to data breaches or financial loss.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Sept 2019
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
SPF is used to verify the authenticity of incoming emails.
Why it matters
Without SPF checks, attackers can spoof your domain in inbound email, increasing successful phishing, fraud, and data compromise.
Operational notes
Maintain an accurate SPF TXT record for your domain, update it when senders change, and keep DNS lookups within SPF limits.
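The operational note above asks for an accurate record and for DNS lookups kept within SPF limits. The following offline linter is an added example (it is not code from the ISM or from the Control Stack page) that applies those checks to a record string without any DNS queries: it counts the mechanisms and modifiers that consume one of the 10 lookups allowed by RFC 7208 section 4.6.4, flags a permissive `+all`, and rejects malformed terms. The sample records use constructed example domains; the lookup count is a lower bound, because records pulled in by `include:` and `redirect=` add their own lookups and resolving those is out of scope here.

```python
"""Offline SPF record linter (added example; constructed sample records)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Mechanisms and modifiers that each consume one of the 10 DNS lookups
# permitted per SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


@dataclass
class SpfReport:
    record: str
    lookups: int = 0                  # lookups consumed by this record alone (lower bound)
    all_qualifier: str | None = None  # qualifier on "all": + - ~ or ?
    errors: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def lint_spf(record: str) -> SpfReport:
    """Parse one SPF TXT record and report structural and policy problems."""
    rep = SpfReport(record=record)
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        rep.errors.append("record must begin with v=spf1")
        return rep

    seen_all = False
    for term in terms[1:]:
        if seen_all:
            # RFC 7208: terms after "all" are never evaluated.
            rep.warnings.append(f"term {term!r} after 'all' is ignored")
            continue
        if "=" in term:
            # Modifier (name=value); only redirect= costs a lookup.
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                rep.lookups += 1
                if not value:
                    rep.errors.append("redirect= needs a domain")
            continue

        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.split("/", 1)[0].lower()  # strip a CIDR suffix such as a/24

        if name == "all":
            seen_all = True
            rep.all_qualifier = qualifier
            if qualifier == "+":
                rep.errors.append("+all authorises every sender; use -all or ~all")
            elif qualifier == "?":
                rep.warnings.append("?all is neutral and gives receivers no signal")
        elif name in ("ip4", "ip6"):
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                rep.errors.append(f"invalid address in {term!r}")
        elif name in LOOKUP_TERMS:
            rep.lookups += 1
            if name in ("include", "exists") and not value:
                rep.errors.append(f"{name} needs a domain argument")
            if name == "ptr":
                rep.warnings.append("ptr is deprecated and slow; prefer ip4/ip6")
        else:
            rep.errors.append(f"unknown mechanism {term!r}")

    if not seen_all:
        rep.warnings.append("no 'all' mechanism; unlisted senders get a neutral result")
    if rep.lookups > MAX_LOOKUPS:
        rep.errors.append(
            f"{rep.lookups} DNS lookups exceed the limit of {MAX_LOOKUPS} "
            "(receivers return permerror)"
        )
    return rep


# Constructed sample records; the domains are placeholders, not real senders.
SAMPLE_RECORDS = {
    "good": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail-provider.example -all",
    "open": "v=spf1 include:_spf.mail-provider.example +all",
    "legacy": "v=spf1 mx a ptr ~all",
    "bloated": "v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        r = lint_spf(rec)
        print(f"{label:8} ok={r.ok} lookups={r.lookups} all={r.all_qualifier}")
        for msg in r.errors + r.warnings:
            print("    ", msg)
```

Run it against the record published for your own domain whenever a sender is added or removed; a result of `ok=False` on the `+all` or lookup-limit checks is the kind of change that should block the DNS update until it is corrected.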
Implementation tips
- IT team should configure the email server to use SPF. This involves setting up SPF records in your domain's DNS settings to specify which email servers are permitted to send emails on behalf of your domain. Use a simple guide from the Australian Cyber Security Centre (ACSC) to make sure everything is set up correctly.
- Ask your IT provider or hosting service to assist with this if you're not technically inclined. They need to declare approved email senders, preventing attackers from sending emails that look like they come from your organisation.
- Email administrators should regularly update the SPF records. Whenever new email services or third parties are used to send email on your behalf, ensure these are added to the SPF record. This will prevent delivery issues and maintain security.
- Managers should educate staff on the importance of email authentication. Conduct training sessions to inform employees about how SPF works as a first line of defence against phishing attacks. Provide examples of what legitimate email looks like.
- IT support should monitor for SPF-related errors. Use email gateway reports and alerts to identify and address any issues with non-compliant SPF senders. This ensures legitimate emails aren't accidentally blocked.
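The monitoring tip above, and the audit question later on this page about gateway logs that track SPF failures, both come down to reading the gateway's SPF verdicts and separating failures that spoof your own domain from failures of third-party senders, which need a different response (a report to the sender or a fix to your own record). The script below is an added example, not code from the ISM or from Control Stack; it assumes the gateway writes results as RFC 8601 `Authentication-Results` lines, and the log lines and domains are constructed for illustration.

```python
"""Triage SPF verdicts from Authentication-Results log lines (added example)."""
from __future__ import annotations

import re
from collections import Counter

# spf=<result>, an optional "(comment)", then smtp.mailfrom=<address or domain>
SPF_RE = re.compile(
    r"spf=(?P<result>\w+)(?:\s*\((?P<comment>[^)]*)\))?[^;]*?"
    r"smtp\.mailfrom=(?P<mailfrom>[^\s;]+)",
    re.IGNORECASE,
)
# Many gateways put the connecting IP in the comment; format assumed here.
IP_RE = re.compile(r"sender IP is (?P<ip>[0-9a-f.:]+)", re.IGNORECASE)


def parse_line(line: str):
    """Return (result, mailfrom_domain, sender_ip, comment), or None if the
    line carries no SPF verdict."""
    m = SPF_RE.search(line)
    if not m:
        return None
    comment = m.group("comment") or ""
    ip_match = IP_RE.search(comment)
    mailfrom = m.group("mailfrom").lower()
    domain = mailfrom.rsplit("@", 1)[-1]  # full address or bare domain
    return (
        m.group("result").lower(),
        domain,
        ip_match.group("ip") if ip_match else None,
        comment,
    )


def triage_spf(log_text: str, own_domains: set[str]) -> dict:
    """Bucket SPF outcomes: spoofing of our own domains, third-party sender
    failures, broken records (permerror), and everything else."""
    summary = {
        "passed": 0,
        "spoof_attempts": Counter(),        # (our domain, sender IP) -> count
        "third_party_failures": Counter(),  # other domain -> count
        "permerrors": [],                   # domains whose SPF record is broken
        "other": Counter(),                 # none, neutral, temperror, ...
    }
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        result, domain, ip, _ = parsed
        if result == "pass":
            summary["passed"] += 1
        elif result in ("fail", "softfail"):
            if domain in own_domains:
                summary["spoof_attempts"][(domain, ip)] += 1
            else:
                summary["third_party_failures"][domain] += 1
        elif result == "permerror":
            summary["permerrors"].append(domain)
        else:
            summary["other"][result] += 1
    return summary


# Constructed sample log; example.org is treated as our own domain.
SAMPLE_LOG = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass
Authentication-Results: mx.example.org; spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=example.org
Authentication-Results: mx.example.org; spf=fail (sender IP is 198.51.100.7) smtp.mailfrom=billing@example.org
Authentication-Results: mx.example.org; spf=softfail (sender IP is 192.0.2.44) smtp.mailfrom=partner.example
Authentication-Results: mx.example.org; spf=none smtp.mailfrom=newsletter.example
Authentication-Results: mx.example.org; spf=permerror (too many DNS lookups) smtp.mailfrom=vendor.example
Received: from relay.example (relay.example [203.0.113.9])
"""
OWN_DOMAINS = {"example.org"}

if __name__ == "__main__":
    s = triage_spf(SAMPLE_LOG, OWN_DOMAINS)
    print("passed:", s["passed"])
    print("spoof attempts by (domain, ip):", dict(s["spoof_attempts"]))
    print("third-party failures:", dict(s["third_party_failures"]))
    print("permerror domains:", s["permerrors"])
    print("other results:", dict(s["other"]))
```

Repeated failures for your own domain from one IP are the inbound spoofing this control is meant to detect; a `permerror` against a supplier's domain is usually their record exceeding the lookup limit, and the fix is on their side rather than in your gateway rules.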
Audit / evidence tips
- Ask for: the current SPF record configuration. Request access to the DNS settings that show the SPF records.
  Good: an inclusive list of only those services that legitimately send emails for the organisation.
- Ask for: email gateway logs that track SPF failures. Check that emails rejected because of incorrect SPF configurations are documented.
  Good: logs showing prompt handling of SPF failures, with corrective actions taken.
- Ask for: documented procedures for updating SPF records. Request the guidelines on modifying SPF records when needed, and check that these documents are comprehensive and easy to follow.
  Good: a clear procedure with designated responsibilities and steps for updating SPF records.
- Ask for: a list of training materials shared with staff about email authenticity.
  Good: training sessions or materials that clearly explain SPF and its role in protecting against phishing.
- Ask for: reports on external email service inclusions in SPF records. Request documentation of approvals for third-party email services.
  Good: formal approval from management for each third-party service added to the SPF record.
Cross-framework mappings
How ISM-1151 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Mapping strength: Partially meets (1)
| Control | Notes |
|---|---|
| Annex A 8.5 | ISM-1151 requires organisations to verify the authenticity of incoming emails using SPF to reduce spoofing and impersonation risk. |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.