1 - spf check
We want to make sure that the sender address has not been forged/spoofed*.
* = make the message appear from someone other than the actual source
SPF authentication helps us identifying if the message has been sent through an authorized smtp server.
This information is stored in the domain’s dns, that is a safe place, outside the email message.
Only if the message has NOT been authenticated correctly:
the !! (attention) symbol is added to the subject,
one of the following explanatory notes is inserted in the message header, line “X-RealSender”:
:: spf-none :: the sender domain contains no information to authenticate the email
:: spf-softfail :: the smtp server is not listed among the authorized ones but this case should be treated as a "softfail"
:: spf-fail :: the smtp server is not listed among the authorized ones and the email should be rejected or discarded
Sometimes the information recorded at domain level is not correct/understandable.
:: spf-permerror :: a permanent error has occured (eg. badly formatted SPF record)
SPF check is made against the “Mail From” email address, that is hidden in the email headers.
Only the “From” email address is visible. If their root domains are different, this warning is displayed:
:: spf-diff :: the "Mail From" and the "From" root domains are different