SPF Records: Stopping Attackers From Spoofing Your School's Email
Without an SPF record, anyone can send email that appears to come from @yourschool.edu.ph. SPF is a DNS record that tells mail servers which servers are authorized to send on your behalf — and it takes 10 minutes to set up.
The Problem: Anyone Can Fake Your Email Address
Without email authentication, any server on the internet can send an email claiming to be from principal@yourschool.edu.ph. The "From" address in email is not verified by default — it's like the return address on an envelope: anyone can write anything.
Attackers use this to:
- Send phishing emails to parents pretending to be from school administration
- Email staff pretending to be DepEd headquarters
- Request fraudulent wire transfers from school accounts (Business Email Compromise)
- Spread malware while appearing to come from a trusted school address
Sender Policy Framework (SPF) is a DNS record that lets you declare: *"Only these specific mail servers are authorized to send email from our domain."*
How SPF Works
1. Your school publishes an SPF record in DNS (a TXT record on your domain)
2. When an email arrives claiming to be from @yourschool.edu.ph, the receiving mail server checks your DNS
3. It asks: "Is the sending server listed in the SPF record?"
4. If yes → passes SPF. If no → fails SPF (may be rejected or marked as spam)
What an SPF Record Looks Like
```
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
```
Breaking this down:
| Part | Meaning |
|------|---------|
| v=spf1 | This is an SPF record (required) |
| include:_spf.google.com | Google Workspace is authorized to send for us |
| include:spf.protection.outlook.com | Microsoft 365 is also authorized |
| ~all | All other senders soft-fail (marked suspicious, not rejected) |
| -all | The stricter alternative to ~all: all other senders hard-fail (rejected) |
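To make the receiver-side check in "How SPF Works" concrete, here is a small SPF evaluator written for this article as an added example (it is not code from the original page). It reads a record in the syntax broken down in the table above and decides pass, fail, softfail, neutral, none or permerror for a given sending IP. Real mail servers query live DNS; this script instead answers every lookup from the constructed `STUB_DNS` table, so every domain and address in it is made up (203.0.113.0/24 is documentation address space, not Google's real range), and it runs offline. It implements the ip4, a, mx, include and all terms with the +, -, ~ and ? qualifiers, and the 10-lookup cap from RFC 7208.

```python
"""Minimal SPF evaluator over a stub DNS table (added example, not the article's code)."""
import ipaddress

# Constructed stub DNS: SPF TXT records, A records and MX targets. All values are invented.
STUB_DNS = {
    "txt": {
        "yourschool.edu.ph": ["v=spf1 include:_spf.google.com a mx ~all"],
        "strict.example": ["v=spf1 include:_spf.google.com -all"],
        "_spf.google.com": ["v=spf1 ip4:203.0.113.0/24 -all"],   # made-up range, not Google's
        "twice.example": ["v=spf1 -all", "v=spf1 ~all"],          # two SPF records: invalid
        "loop.example": ["v=spf1 include:loop.example -all"],     # self-include: hits lookup limit
    },
    "a": {
        "yourschool.edu.ph": ["198.51.100.10"],
        "mail.yourschool.edu.ph": ["198.51.100.25"],
    },
    "mx": {"yourschool.edu.ph": ["mail.yourschool.edu.ph"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms (include, a, mx, ...) at 10 per check


def is_spf(txt):
    """True for a TXT string that is an SPF record (version tag, case-insensitive)."""
    t = txt.strip().lower()
    return t == "v=spf1" or t.startswith("v=spf1 ")


def ip_in(ip, network):
    """True if ip falls inside network; a bare address is treated as a /32."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def check_spf(ip, domain, dns=STUB_DNS, lookups=None):
    """Return pass, fail, softfail, neutral, none or permerror for sender ip on domain."""
    if lookups is None:
        lookups = [0]  # shared counter across include recursion
    records = [r for r in dns["txt"].get(domain, []) if is_spf(r)]
    if not records:
        return "none"       # nothing published: the receiver cannot authenticate the sender
    if len(records) > 1:
        return "permerror"  # more than one SPF record is a permanent error, not "strictest wins"
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip_in(ip, arg)
        elif name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            target = arg or domain
            if name == "a":
                matched = any(ip_in(ip, addr) for addr in dns["a"].get(target, []))
            elif name == "mx":
                matched = any(ip_in(ip, addr)
                              for host in dns["mx"].get(target, [])
                              for addr in dns["a"].get(host, []))
            else:
                inner = check_spf(ip, target, dns, lookups)
                if inner in ("none", "permerror"):
                    return "permerror"     # an include that cannot be evaluated breaks the whole record
                matched = inner == "pass"  # only a pass inside the include counts as a match
        else:
            return "permerror"  # mechanism this example does not implement (ip6, ptr, exists, redirect)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # ran off the end without an "all" term: no verdict, which is no protection


if __name__ == "__main__":
    for ip, domain in [("203.0.113.7", "yourschool.edu.ph"),    # via include:_spf.google.com
                       ("198.51.100.25", "yourschool.edu.ph"),  # via mx
                       ("192.0.2.99", "yourschool.edu.ph"),     # unlisted sender, ~all
                       ("192.0.2.99", "strict.example")]:       # unlisted sender, -all
        print(f"{ip:>14} as {domain:<20} -> {check_spf(ip, domain)}")
```

Running it shows the four outcomes that matter for a school: the Google-range sender passes through the include, the school's own MX passes, and the same unknown sender gets softfail under ~all but fail under -all. The `twice.example` and `loop.example` entries show why the "only one record" rule matters and what the lookup cap does: both come back permerror, which most receivers treat as "could not authenticate".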
SPF Records for Common School Email Providers
Google Workspace (most DepEd and private schools)
```
v=spf1 include:_spf.google.com ~all
```
Microsoft 365
```
v=spf1 include:spf.protection.outlook.com ~all
```
cPanel / web hosting email
```
v=spf1 a mx include:yourhostingprovider.com ~all
```
(Check your hosting provider's documentation for their SPF include)
Multiple providers
If your school uses Google Workspace for staff but a third-party service for newsletters:
```
v=spf1 include:_spf.google.com include:sendgrid.net ~all
```
How to Add an SPF Record
1. Log in to your domain registrar (GoDaddy, Namecheap, Cloudflare, etc.)
2. Go to DNS management for your domain
3. Add a new TXT record:
   - Name/Host: @ (or your domain name)
   - Value: your SPF record (e.g., v=spf1 include:_spf.google.com ~all)
   - TTL: 3600 (1 hour)
4. Save and wait for DNS propagation (up to 24 hours, usually faster)
Important: You can only have one SPF record per domain. If you need to authorize multiple senders, combine them in a single record.
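Before saving the record (or after propagation, to confirm what is really published), it is worth linting it against the rules above. The following checker is an added example written for this article, not code from the original page or from any registrar. It takes the domain's TXT strings as a plain Python list so it runs offline on constructed input; in practice you would paste in the output of `dig TXT yourschool.edu.ph +short` (a real command; every record in the test data is made up). It checks the "only one SPF record" rule, that the record ends with an all term, which qualifier that term uses, and RFC 7208's limit of 10 DNS-querying terms, which a school combining several providers can exceed without noticing.

```python
"""Lint a domain's TXT records for common SPF mistakes (added example, not the article's code)."""

# Terms that cost a DNS lookup when a receiver evaluates the record (RFC 7208 limit: 10)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def is_spf(txt):
    """True for a TXT string that is an SPF record (version tag, case-insensitive)."""
    t = txt.strip().lower()
    return t == "v=spf1" or t.startswith("v=spf1 ")


def term_name(term):
    """'include:_spf.google.com' -> 'include', '~all' -> 'all', 'redirect=x' -> 'redirect', 'mx/24' -> 'mx'."""
    t = term.lower().lstrip("+-~?")
    for sep in (":", "=", "/"):
        t = t.split(sep, 1)[0]
    return t


def lint_spf(txt_records):
    """Return a list of (severity, message) findings; an empty list means the record looks right."""
    findings = []
    spf = [r.strip() for r in txt_records if is_spf(r)]
    if not spf:
        return [("error", "no SPF record published: any server can send mail as this domain")]
    if len(spf) > 1:
        findings.append(("error", f"{len(spf)} SPF records found; receivers return permerror, merge them into one record"))
    for record in spf:
        terms = record.split()[1:]
        names = [term_name(t) for t in terms]
        # Counts only the terms written here; each include's own record adds its lookups to the same budget.
        lookups = sum(1 for n in names if n in LOOKUP_TERMS)
        if lookups > MAX_LOOKUPS:
            findings.append(("error", f"{lookups} DNS-lookup terms, limit is {MAX_LOOKUPS}: receivers return permerror"))
        if "ptr" in names:
            findings.append(("warn", "ptr is deprecated and slow; list the sender with ip4 or include instead"))
        last = terms[-1].lower() if terms else ""
        if term_name(last) not in ("all", "redirect"):
            findings.append(("error", "record does not end with an all term: unlisted senders get 'neutral', which is no protection"))
        elif term_name(last) == "all":
            if last in ("all", "+all"):
                findings.append(("error", "'+all' authorizes every server on the internet; use ~all or -all"))
            elif last == "~all":
                findings.append(("info", "~all is the right starting point; switch to -all once every legitimate sender is listed"))
            elif last == "?all":
                findings.append(("warn", "?all gives no verdict for unlisted senders; use ~all or -all"))
        if "all" in names[:-1]:
            findings.append(("warn", "an 'all' term before the end makes every term after it unreachable"))
    return findings


if __name__ == "__main__":
    # Constructed TXT answers, as dig +short would print them (site-verification string is a common neighbour)
    published = ['"v=spf1 include:_spf.google.com ~all"'.strip('"'), "google-site-verification=abc123"]
    for severity, message in lint_spf(published) or [("ok", "no findings")]:
        print(f"[{severity}] {message}")
```

The severity split mirrors how a receiver behaves: an "error" finding means receivers will either ignore the record or return permerror, so the domain is effectively unprotected; "warn" means the record works but weaker than intended; "info" is the ~all reminder from the next section, which is deliberate during rollout rather than a mistake.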
~all vs -all: Which Should Schools Use?
Start with ~all (soft fail):
- Unauthorized senders are flagged but not always rejected
- Less likely to accidentally block legitimate email
- Gives you time to identify all legitimate senders
After confirming all legitimate senders are listed, move to -all (hard fail):
- Unauthorized senders are rejected outright
- Maximum protection against spoofing
- Should be paired with DKIM and DMARC for full coverage
SPF Alone Is Not Enough
SPF only verifies the envelope sender (the MAIL FROM / Return-Path address used during delivery, which most mail clients never display). Attackers can still spoof the From: header that users actually see; DMARC closes that gap by requiring the From: domain to align with what SPF or DKIM authenticated. For complete protection, implement all three email authentication standards:
- SPF (this article) — authorizes sending servers
- DKIM — cryptographically signs messages
- DMARC — ties SPF and DKIM together and sets enforcement policy
Check Your Domain
The Site Scanner checks whether your school's domain has a valid SPF record.
Related Resources
- DKIM Email Security — cryptographic signing for your email
- DMARC Email Policy — enforcement and reporting
- Common Attack Vectors in Philippine Schools — how phishing via spoofed email works