top of page
  • OpaCyber

Why your outbound email security sucks and what you can do about it - part 2

We know you’ve been waiting anxiously for part 2 of our email explainer, so here it is! The terribly exciting world of SPF 🤦‍♂️

Firstly, what is SPF? OK, we see you champing at the bit to say Sun Protection Factor but at least in this case, it’s not 🤣

SPF is a DNS record that, when you send an email, tells the receiving email system who/what is allowed to send email on your behalf

We should point out that nothing is required to be done with Outlook Personal (bob@outlook[.]com), Google Personal (bob@gmail[.]com) and other Freemail email services as they take care of it for you. This applies to domain-based (organisation) email, so e.g. bob@example[.]com

This, typically, as a minimum would be your email service provider (ESP) of choice. So, perhaps Outlook (Exchange/MS365), Google Workspace, or simply the email as provided with your website hosting by the hosting provider

The problem with SPF is that if an email is forwarded, it “breaks” SPF

To explain that: when an email is sent, there are actually TWO email addresses involved 🤦‍♂️

  1. The “header from”. Think of this as the actual sender

  2. The “envelope from”. Also known as “mfrom” (mail from), “reply-to” and “bounce” (for non-delivery reports, or failures)

Our favourite analogy to explain this is as follows:

In the auld days… people used to send actual, physical, letters written on paper (imagine that!)

Top right of the letter one would put one’s address. Think of this as the “header from”. One would then put the letter (usually, after adding more than just the “header from” 🤦‍♂️) into an envelope and send it via the postal service. Think of the envelope as the “envelope from”

Now comes the part about “breaking” SPF. Here’s an example:

Peter creates a letter, puts it in an envelope and sends it to Paul. Paul opens the letter and realises it would be better if it went to Mary. Paul though, in his haste to open Peter’s much anticipated and exciting letter, ripped the original envelope. No matter. Paul finds one of his own envelopes, inserts Peter’s letter and sends it on to Mary. This is the same as forwarding an email

When Mary receives the letter she recognises Paul’s very distinct envelope, opens it and SURPRISE the letter is actually from Peter. Confusion!

That’s what happens with email forwarding, the “header from” and the “envelope from” don’t match AND THIS CAN CAUSE DELIVERY PROBLEMS

Let’s look at a better system of Sender Verification, Dkim

No, no, not now! There’s only so much excitement we are prepared to unleash on you in one go 🤦‍♂️

Stay tuned for part three - Dkim! 🤣

Previous post, Overview:

Next post, Dkim:


bottom of page