Without an SPF record on your domain, any criminal anywhere in the world can send emails that appear to come from your business — and most email servers will accept them without question. That’s email spoofing, and it’s one of the most common starting points for fraud targeting UK businesses.

What Is an SPF Record and Why Does It Matter?

SPF stands for Sender Policy Framework. It is a DNS record — a small piece of text published on your domain — that tells receiving mail servers which computers are authorised to send email on your behalf.

When an email arrives claiming to be from yourcompany.co.uk, the recipient’s mail server checks your SPF record to confirm the sending server is on your approved list. If there is no SPF record, there is no list to check — and any server in the world can impersonate you.

Think of it as an official approved-senders list for your email domain. It is free to set up, takes a few minutes, and closes a significant door that criminals actively probe for.

What Happens When Your SPF Record Is Missing?

When your domain has no SPF record — or a poorly configured one — two types of attack become straightforward:

Business Email Compromise (BEC): A criminal sends an email appearing to come from your accounts department, instructing a supplier or client to change bank details. The email looks genuine because it uses your domain. The payment goes to the criminal.

Customer phishing: Fraudsters send emails to your customers pretending to be you, asking them to log in, confirm card details, or download a file. Your customers are hurt, and your reputation takes the damage — even though you never sent a thing.

The FBI’s Internet Crime Complaint Center reported that BEC attacks cost businesses globally over $2.9 billion in 2023 alone. Many of these attacks succeed because the victim’s email security systems find a plausible-looking sender domain with no SPF policy to contradict it.

The Real-World Impact on UK Businesses

The UK’s National Cyber Security Centre (NCSC) consistently identifies phishing as the most common form of cyber attack on UK businesses. In the 2024 Cyber Security Breaches Survey, 84% of businesses that identified a cyber attack said phishing was involved.

A missing SPF record makes every one of those attacks easier to pull off. Action Fraud reports average losses of thousands of pounds per BEC incident for small businesses — with some SMEs losing tens of thousands in a single fraudulent transfer.

Beyond the direct financial loss, there is reputational damage. If your domain is used to send phishing emails to your clients, they may quietly stop trusting your communications — and you might not know it is happening until someone tells you months later.

How SPF Works Alongside DMARC

SPF is one of three complementary email authentication standards. The others are DKIM and DMARC.

SPF checks whether the sending server is authorised. DKIM adds a cryptographic signature to each email. DMARC is the policy that tells receiving servers what to do when those checks fail — and it is what makes the protections actually enforceable.

SPF on its own has a known limitation: it checks the domain in the envelope sender (the Return-Path used for bounces, which recipients never see), not necessarily the visible From address, so a message can pass SPF while still showing your domain in the From line. This is why setting up DMARC alongside SPF is essential. DMARC ties the authentication checks to the address your recipients actually see by requiring the SPF-authenticated domain to align with the From domain.

For a broader overview of protecting your domain, see our guide to domain security for small businesses.

What to Do Next

Setting up an SPF record requires access to your domain’s DNS settings — usually through your domain registrar or hosting provider.

  • Identify every service that sends email from your domain. This includes your main email provider (Microsoft 365, Google Workspace), marketing platforms (Mailchimp, Klaviyo), invoicing software, and any CRM that sends automated email on your behalf.
  • Create an SPF record listing those authorised senders. A basic record for Microsoft 365 looks like: v=spf1 include:spf.protection.outlook.com -all
  • Use -all (hard fail) rather than ~all (soft fail) where possible. Hard fail tells receiving servers to reject unauthorised emails outright.
  • Cover your subdomains. If you do not send email from marketing.yourcompany.co.uk, add a restrictive SPF record there too.
  • Set up DMARC once SPF is in place — SPF alone does not stop all spoofing.
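The following script is an added illustration, not code from the original article or from W3IT's security check. It shows what a basic "is this record strong enough" check looks like offline: it parses an SPF record, reports whether the all mechanism is a hard fail, soft fail or no protection, counts the DNS-lookup terms against the limit of 10 that RFC 7208 imposes (a record over the limit is a permanent error and gives no protection at all), and demonstrates the alignment point above by comparing the envelope sender domain with the From domain the way DMARC does. The Microsoft 365 record is the one quoted above; every other record, domain and address is constructed for the demonstration, and the organisational-domain reduction is a simplification that recognises only common .uk second-level suffixes rather than a full public suffix list.

```python
"""Offline SPF record sanity checks (illustrative example, not the article's or
W3IT's own code). Parses a record, grades the 'all' qualifier, counts DNS-lookup
terms against RFC 7208's limit of 10, and shows the DMARC alignment point: SPF
authenticates the envelope sender, not the visible From: address.
All sample records and addresses are constructed, except the Microsoft 365
record quoted in the article."""
import re

# Mechanisms that each cost one DNS lookup under RFC 7208 (limit: 10 per check).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
KNOWN_MECHANISMS = LOOKUP_MECHANISMS | {"all", "ip4", "ip6"}


def parse_spf(record: str) -> dict:
    """Split a raw SPF TXT record into (qualifier, mechanism, value) terms."""
    result = {"valid": False, "terms": [], "all_qualifier": None, "lookups": 0}
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        return result                      # not an SPF record at all
    result["valid"] = True
    for term in parts[1:]:
        mod = re.fullmatch(r"([A-Za-z][\w.-]*)=(\S*)", term)
        if mod:                            # modifier, e.g. redirect= or exp=
            name = mod.group(1).lower()
            result["terms"].append(("", name, mod.group(2)))
            if name == "redirect":         # redirect costs a lookup; exp does not
                result["lookups"] += 1
            continue
        m = re.fullmatch(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:/](\S*))?", term)
        if not m or m.group(2).lower() not in KNOWN_MECHANISMS:
            result["valid"] = False        # receivers treat this as a permerror
            continue
        qual, mech, value = m.group(1) or "+", m.group(2).lower(), m.group(3) or ""
        result["terms"].append((qual, mech, value))
        if mech in LOOKUP_MECHANISMS:
            result["lookups"] += 1
        if mech == "all":
            result["all_qualifier"] = qual
    return result


def assess_spf(record: str) -> str:
    """Summarise what protection a record actually gives a receiving server."""
    p = parse_spf(record)
    if not p["valid"]:
        return "invalid"
    if p["lookups"] > 10:
        return "too-many-lookups"          # permerror: the policy never applies
    q = p["all_qualifier"]
    if q == "-":
        return "hard-fail"                 # unlisted senders should be rejected
    if q == "~":
        return "soft-fail"                 # unlisted senders merely marked suspicious
    if q == "+":
        return "no-protection"             # +all authorises the whole internet
    return "neutral"                       # ?all or no 'all' term: no verdict


def org_domain(domain: str) -> str:
    """Crude organisational-domain reduction (assumption: no public-suffix list;
    only the common second-level .uk suffixes are recognised)."""
    labels = domain.lower().split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in {"co", "org", "ac", "gov", "ltd", "plc"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def spf_aligned(header_from: str, envelope_from: str, strict: bool = False) -> bool:
    """DMARC SPF alignment: does the domain SPF checked (the envelope sender /
    Return-Path) match the From: address the recipient sees?"""
    hf = header_from.rsplit("@", 1)[-1]
    ef = envelope_from.rsplit("@", 1)[-1]
    if strict:
        return hf.lower() == ef.lower()
    return org_domain(hf) == org_domain(ef)


# Constructed sample records; the first is the Microsoft 365 record from the article.
SAMPLE_RECORDS = {
    "yourcompany.co.uk": "v=spf1 include:spf.protection.outlook.com -all",
    "marketing.yourcompany.co.uk": "v=spf1 -all",          # non-sending subdomain
    "soft.example": "v=spf1 mx a:mail.soft.example ip4:203.0.113.10 ~all",
    "open.example": "v=spf1 +all",
    "bloated.example": "v=spf1 " + " ".join(f"include:spf{i}.example" for i in range(11)) + " -all",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        p = parse_spf(record)
        print(f"{domain:30} {assess_spf(record):17} lookups={p['lookups']}")
    # SPF can pass for the envelope sender; DMARC then asks whether it aligns with From:
    print(spf_aligned("accounts@yourcompany.co.uk", "bounces@mail.yourcompany.co.uk"))
    print(spf_aligned("accounts@yourcompany.co.uk", "bounces@attacker.example"))
```

The non-sending subdomain record "v=spf1 -all" is the restrictive record the subdomain step above calls for: it authorises nobody, so any message claiming to come from that subdomain fails SPF. A real check would also follow each include and redirect recursively, because the lookup limit counts every nested record, which is where most over-limit records come from.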

Not sure whether your domain has a valid SPF record? W3IT’s free security check will tell you instantly — including whether the policy is strong enough to provide real protection. It takes less than a minute.