Without an SPF record, anyone can send email that appears to come from @yourschool.edu.ph. SPF is a DNS record that tells mail servers which servers are authorized to send on your behalf — and it takes 10 minutes to set up.
Without email authentication, any server on the internet can send an email claiming to be from principal@yourschool.edu.ph. The "From" address in email is not verified by default — it's like the return address on an envelope: anyone can write anything.
Attackers use this to:
Sender Policy Framework (SPF) is a DNS record that lets you declare: "Only these specific mail servers are authorized to send email from our domain."
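It is published as a TXT record on your domain. When an email arrives claiming to be from @yourschool.edu.ph, the receiving mail server checks your DNS for that record. An example record:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all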
Breaking this down:
| Part | Meaning |
|------|---------|
| v=spf1 | This is an SPF record (required) |
| include:_spf.google.com | Google Workspace is authorized to send for us |
| include:spf.protection.outlook.com | Microsoft 365 is also authorized |
| ~all | All other senders soft-fail (marked suspicious, not rejected) |
| -all | All other senders hard-fail (rejected) |
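If your school uses Google Workspace:
v=spf1 include:_spf.google.com ~all
If your school uses Microsoft 365:
v=spf1 include:spf.protection.outlook.com ~all
If your school sends mail through its own server or hosting provider:
v=spf1 a mx include:yourhostingprovider.com ~all
(Check your hosting provider's documentation for their SPF include)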
If your school uses Google Workspace for staff but a third-party service for newsletters:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
- Name/Host: @ (or your domain name)
- Value: your SPF record (e.g., v=spf1 include:_spf.google.com ~all)
- TTL: 3600 (1 hour)
Important: You can only have one SPF record per domain. If you need to authorize multiple senders, combine them in a single record.
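The single-record rule above, as an added example (not part of the original page): a small Python audit that takes the TXT values published at a domain, flags duplicate SPF records, and merges them into one. The TXT values are constructed samples, and `spf_records`, `term_name`, `audit` and `combine` are hypothetical helper names; only top-level terms are counted toward the limit of 10 DNS lookups in RFC 7208, not lookups nested inside includes.

```python
# Added example, not from the original page. Runs offline on constructed TXT values.
LOOKUP_TERMS = {"include", "a", "mx", "exists", "ptr", "redirect"}  # each costs one DNS lookup
SAMPLE_TXT = [  # constructed: two SPF records were added separately to the same domain
    "google-site-verification=EXAMPLE",
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:sendgrid.net ~all",
]

def spf_records(txt_values):
    """Keep only the TXT strings that are SPF records (version tag v=spf1)."""
    return [v.strip() for v in txt_values if v.strip().lower().split(" ")[0] == "v=spf1"]

def term_name(term):
    """'~all' -> 'all', 'include:_spf.google.com' -> 'include', 'ip4:192.0.2.0/24' -> 'ip4'."""
    for sep in ":/=":
        term = term.split(sep)[0]
    return term.lstrip("+-~?").lower()

def audit(txt_values):
    """Return a list of findings for all TXT values published at one domain name."""
    records = spf_records(txt_values)
    if not records:
        return ["no SPF record published"]
    if len(records) > 1:  # RFC 7208: more than one record is a permanent error
        return [f"{len(records)} SPF records found: combine them into one"]
    terms = records[0].split()[1:]
    findings = []
    lookups = sum(term_name(t) in LOOKUP_TERMS for t in terms)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: over the limit of 10 in RFC 7208")
    all_terms = [t for t in terms if term_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' term: this record sets no default for unlisted senders")
    elif not all_terms[0].startswith("-"):
        findings.append(f"{all_terms[0]}: unlisted senders are not rejected")
    return findings

def combine(records, policy="~all"):
    """Merge several SPF records into one, dropping duplicate terms and old 'all' terms."""
    merged = []
    for rec in spf_records(records):
        for t in rec.split()[1:]:
            if term_name(t) != "all" and t not in merged:
                merged.append(t)
    return " ".join(["v=spf1", *merged, policy])

if __name__ == "__main__":
    print(audit(SAMPLE_TXT), combine(SAMPLE_TXT), sep="\n")
```

To audit a real domain, pass in the TXT values returned by your DNS lookup tool in place of `SAMPLE_TXT`.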
Start with ~all (soft fail):
After confirming all legitimate senders are listed, move to -all (hard fail):
SPF only verifies the envelope sender (the technical sending address, not visible to users). Attackers can still spoof the From: header that users actually see. For complete protection, implement all three email authentication standards:
The Site Scanner checks whether your school's domain has a valid SPF record.