Implement Hard Fail SPF Records for Email Security
Use a strict SPF record to ensure only authorised servers send emails on behalf of the organisation.
Plain language
This control involves setting up a strict set of rules, called an SPF record, which tells the world which email servers are allowed to send emails on your behalf. It matters because if you don't do this, cybercriminals could send fake emails that look like they come from your organisation, leading to scams, data loss, or damage to your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
A hard fail SPF record is used when specifying authorised email servers (or lack thereof) for an organisation's domains (including subdomains).
Why it matters
Without a hard fail SPF record (-all), receiving mail servers have no authoritative statement that mail spoofing your domain is unauthorised, so phishing that impersonates your organisation is more likely to be delivered; a missing or incorrect record also causes legitimate mail to be treated as suspect, and the resulting abuse damages your domain's reputation and deliverability.
Operational notes
Publish SPF with hard fail (-all) for every domain and subdomain, including those that never send mail, which should carry a bare "v=spf1 -all"; SPF records do not cascade to subdomains, so each sending subdomain needs its own record. Review the authorised senders, keep the record within the RFC 7208 limit of 10 DNS-lookup terms (include, a, mx, ptr, exists and redirect each count), and update it promptly when authorised mail services change. SPF is checked against the envelope sender (MAIL FROM) and HELO identity, not the visible From: header, so pair it with DMARC for header alignment.
Implementation tips
- IT team should create an SPF record: Compile a list of every mail server and third-party service authorised to send mail for the organisation. Work with each email service provider to obtain the IP ranges or include: target they publish, and build the record from those (for example "v=spf1 ip4:<server range> include:<provider domain> -all").
- IT manager should update the DNS settings: Once the SPF record is drafted, add it as a TXT record at the apex of the domain (and at each sending subdomain) through the DNS provider's or registrar's portal. Only one SPF TXT record may exist per name; merge rather than add a second.
- IT security personnel should test email delivery: After the DNS change has propagated, send test messages from each authorised service to an external mailbox and inspect the Authentication-Results header of the received copies: authorised mail should show spf=pass and must not land in spam folders.
- System administrator should configure 'hard fail' policy: Set the final mechanism to '-all', which tells receiving servers that any source not listed is unauthorised; most receivers then reject or quarantine such mail. Retest from a host that is not on the list and confirm the result is spf=fail.
- Office manager should communicate changes: Tell staff that mail sent as the organisation's domain from services not on the authorised list (personal devices, unregistered cloud tools) may now be rejected, and explain why, so that new sending services are reported to IT before they are used.
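The record review in the operational notes and the create, publish and test steps above can be checked offline before anything is published. The linter below is an added example, not Control Stack or ASD material: it parses an SPF TXT record string, reports whether the record ends in a hard fail, counts DNS-lookup terms against the RFC 7208 limit, and evaluates a sender IP against the literal ip4:/ip6: terms. It deliberately does not resolve DNS, so include:, a, mx and redirect= terms are counted but not followed; the zone entries in the main block are constructed for illustration and are not real records.

```python
"""Offline SPF record linter (added example, not Control Stack or ASD code).

Parses an SPF TXT record, flags a missing or soft 'all', counts the terms
that cost a DNS lookup, and evaluates a sender IP against literal ip4:/ip6:
terms. Nothing is resolved, so it runs against a zone snapshot offline.
"""
import ipaddress

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10                  # RFC 7208 section 4.6.4
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return (qualifier, name, value) terms, or None if not a v=spf1 record.
    Modifiers such as redirect= get an empty qualifier."""
    words = record.strip().split()
    if not words or words[0].lower() != "v=spf1":
        return None
    terms = []
    for word in words[1:]:
        if "=" in word:                       # modifier: redirect=, exp=
            name, value = word.split("=", 1)
            terms.append(("", name.lower(), value))
            continue
        qualifier = "+"                       # default qualifier per RFC 7208
        if word[0] in "+-~?":
            qualifier, word = word[0], word[1:]
        if ":" in word:                       # ip4:..., include:...
            name, value = word.split(":", 1)
        elif "/" in word:                     # a/24, mx/24
            name, value = word.split("/", 1)
            value = "/" + value
        else:                                 # a, mx, all
            name, value = word, ""
        terms.append((qualifier, name.lower(), value))
    return terms


def lint_spf(record):
    """Check one record the way an auditor reads a zone snapshot."""
    terms = parse_spf(record)
    if terms is None:
        return {"valid": False, "hard_fail": False, "lookups": 0,
                "issues": ["not a v=spf1 record"]}
    issues, lookups, all_qualifier = [], 0, None
    for index, (qualifier, name, value) in enumerate(terms):
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            issues.append("ptr is deprecated by RFC 7208; list addresses instead")
        if name in ("ip4", "ip6"):
            try:                              # value must parse as the right family
                if ipaddress.ip_network(value, strict=False).version != (4 if name == "ip4" else 6):
                    raise ValueError
            except ValueError:
                issues.append("malformed %s term: %r" % (name, value))
        if name == "all":
            all_qualifier = qualifier
            if index != len(terms) - 1:
                issues.append("terms after 'all' are never evaluated")
    if all_qualifier is None:
        issues.append("no 'all' term: unlisted senders get neutral, not fail")
    elif all_qualifier == "+":
        issues.append("'+all' authorises every host on the internet")
    elif all_qualifier != "-":
        issues.append("'%sall' is not a hard fail; ISM-1183 expects '-all'" % all_qualifier)
    if lookups > LOOKUP_LIMIT:
        issues.append("%d DNS-lookup terms exceed the limit of %d; receivers return permerror"
                      % (lookups, LOOKUP_LIMIT))
    return {"valid": True, "hard_fail": all_qualifier == "-",
            "lookups": lookups, "issues": issues}


def check_sender(record, ip):
    """First-match evaluation of ip against literal terms. Returns the SPF
    result, or 'unknown' when a DNS-dependent term is reached first."""
    address = ipaddress.ip_address(ip)
    for qualifier, name, value in parse_spf(record) or []:
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if net.version == address.version and address in net:
                return RESULT[qualifier]
        elif name == "all":
            return RESULT[qualifier]
        elif name in LOOKUP_TERMS:
            return "unknown"                  # would need DNS to decide
    return "neutral"                          # no match and no 'all'


if __name__ == "__main__":
    # Constructed zone snapshot for illustration; these are not real records.
    ZONE = {
        "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example.net -all",
        "legacy.example.com": "v=spf1 a mx ptr include:a.example include:b.example ~all",
        "parked.example.com": "v=spf1 -all",  # subdomain that never sends mail
    }
    for domain, record in ZONE.items():
        print(domain, lint_spf(record))
    print(check_sender(ZONE["parked.example.com"], "198.51.100.7"))
```

Run it over the TXT records exported from the DNS portal (the snapshot the audit section asks for): every sending name should come back with `hard_fail` true and an empty `issues` list, every non-sending name should be the bare `v=spf1 -all`, and a lookup count near 10 is the signal to flatten include: chains before adding another provider.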
Audit / evidence tips
- Ask for: the current SPF record entry in the DNS settings. Request a snapshot or download of the DNS configuration from whoever manages the domain.
  Good evidence: an SPF record listing the specific authorised servers and ending in a hard fail (-all), for every domain and subdomain, including a bare "v=spf1 -all" on names that do not send mail.
- Ask for: logs or reports showing the email delivery tests conducted after the SPF implementation.
  Good evidence: test results showing authorised mail received with spf=pass in its Authentication-Results header and a message from an unlisted source rejected or marked spf=fail.
- Ask for: a change management log. Request documentation that shows when the SPF record was updated and by whom.
  Good evidence: a detailed log showing the change, the responsible person, and approval evidence.
- Ask for: emails or briefing documents sent to employees about the SPF implementation.
  Good evidence: clear instructions and an understandable rationale communicated to staff.
- Ask to see training materials: request records of any training provided to staff about recognising and reporting suspicious emails.
  Good evidence: comprehensive training material and records of attendance or completion.
Cross-framework mappings
How ISM-1183 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 8.9 | Partially meets | ISM-1183 requires an organisation to publish and use hard fail SPF DNS records to specify which email servers are authorised to send for ... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.