GreenArrow Documentation

SPF and Sender ID


SPF and Sender ID are two methods of email authentication that domain owners can use to publish a list of senders which are permitted to send mail for their domain. These two authentications mechanisms are similar, but not the same:

  • SPF, or Sender Policy Framework authenticates email based on the Return-Path, or bounce address used in a message. Return-Path, bounce address, mfrom, and envelope-sender address are synonyms.
  • Sender ID uses the concept of scopes to define what it’s authenticating:
    • Sender ID’s mfrom scope authenticates email based on the same criteria as SPF.
    • Sender ID’s PRA (Purported Responsible Address) scope authenticates email based on the address that “most recently caused the message to be delivered”. RFC 4407 defines the logic that’s used in determining what the PRA is. In most cases, if you’re using a Sender header, it’s considered the PRA. If you’re not, then the From address is usually considered the PRA.

Since SPF and Sender ID are not GreenArrow Engine specific topics, they’re only addressed briefly in GreenArrow Engine’s documentation. This page is intended as a resource for pointing you in the right direction on each of these topics. Feel free to contact GreenArrow technical support if you have any questions.

SPF contains some excellent resources on how to configure SPF records. Here are two key links of interest:

Sender ID

We recommend becoming familiar with SPF before investigating Sender ID, since Sender ID builds upon SPF concepts.

Sender ID records can, but don’t have to use the same syntax as SPF records. GreenArrow usually creates SPF style records when configuring Sender ID authentication.

Here is some more detailed information on creating a SenderID record.

Mistakes to Avoid with SPF and Sender ID

  • If your GreenArrow server is not the only server that’s sending mail for a domain, be careful not to exclude other legitimate sources of mail from the domain’s SPF or Sender ID record.
  • Be careful not to create two SPF records for a domain. Only one should exist.
  • Be sure not to create two Sender ID records for a domain which authenticate the same Sender ID Scope.
  • Limit any recursion that’s done via the include: mechanism to the extent possible. In the past, we’ve seen authentication problems occur when more than one level of recursion was used.
  • SPF and Sender ID records are created as TXT records in DNS. Some DNS providers do not support TXT records. The two examples of this that we run into most often are Yahoo and 1&1.