The Sender Policy Framework (SPF) is as system designed to identify and prevent emails masking their sender address. The domain administrator will create a TXT Resource Record in their DNS Zone, either containing their valid sending server IP address or hostname. The recipient will then compare the information from the Resource Record against the information stored in the email header. If the information does not match, the recipient can reject the email.


We generally recommend to use the SPF filter. Should you want to enable it for your domain, then please get in touch with our customer support. Before contacting our customer support you will need to decide:


1. Type


You can enable two different types of SPF filter:

  • Type 1: SPF check only gets triggered if an email is received from an internal domain. Then the system will check its own Resource Record.
  • Type 2: SPF check will be triggered on any incoming email and will compare the header against any Resource Record if available.


Which type you want to use is up to you. With type 2 the chances of False Positives (emails are being unrightfully filtered) are increased in case the Resource Record contains mistakes or is out-of-date.  We recommend starting with type 1 and switch to type 2 if necessary. 


2. Decision Matrix


Hornetsecurity's SPF check consists of two successive steps. First the e-mail attribute "SMTP Envelope Sender" is analyzed, then the Message Header Sender. The SPF check can lead to two possible results depending on your previous defined configuration:

  1. Hardfail: the SPF check of the SMTP Envelope Senders results in a mismatch.
    1. e-mail is rejected
    2. e-mail is quarantined
    3. e-mail is valid
  2. Softfail: the SPF check of the Message Header Senders (From) results in a mismatch.
    1. e-mail is rejected
    2. e-mail is quarantined
    3. e-mail is valid


You can define the configuration options a/b/c in the setup along with our support. 


Quarantined e-mails can be released in the Control Panel. To avoid a Softfail customers may add the sender's IP to their Whitelist. In case of a Hardfail the sender's TXT record has to be adjusted. Other exceptions can be specified via the Compliance Filter.


Creating the Resource Record


You can find the necessary information to set the Resource Record from our Onboarding Website.

After you have set the TXT record, please contact our customer support along with the following information:

  • Which type of SPF you want to use
  • For which domain you want to enable SPF
  • Conformation that the Resource Record was set
  • Which configuration (see Decision Matrix) you want to use