---
title: "The History and Evolution of Sender Policy Framework (SPF) | DMARC Report"
description: "The digital landscape is ever-expanding, both in a malicious as well as positive sense."
image: "https://dmarcreport.com/og/blog/the-history-and-evolution-of-sender-policy-framework-spf.png"
canonical: "https://dmarcreport.com/blog/the-history-and-evolution-of-sender-policy-framework-spf/"
---

Quick Answer

The digital landscape is ever-expanding, both in a malicious as well as positive sense. Also, communication is an inevitable part of businesses and operations, and email is a common medium for exchanging messages and information. \[Bad actors have always exploited\](https://blogs.chapman.edu/information-systems/2023/07/06/a-warning-from-the-fbi-how-bad-actors-use-social-engineering-to-enable-hacking-of-academia/) their intelligence and capabilities to impose themselves as trusted entities and fool people into giving up important information or transferring money.

Related: [How to Create an SPF Record](/tools/spf-record-generator/) ·[SPF Record Format](/blog/spf-format-checker-dos-and-donts-for-email-authentication/) 

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Fthe-history-and-evolution-of-sender-policy-framework-spf%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=The%20History%20and%20Evolution%20of%20Sender%20Policy%20Framework%20%28SPF%29&url=undefined%2Fblog%2Fthe-history-and-evolution-of-sender-policy-framework-spf%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Fthe-history-and-evolution-of-sender-policy-framework-spf%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Fthe-history-and-evolution-of-sender-policy-framework-spf%2F&title=The%20History%20and%20Evolution%20of%20Sender%20Policy%20Framework%20%28SPF%29 "Share on Reddit") [ ](mailto:?subject=The%20History%20and%20Evolution%20of%20Sender%20Policy%20Framework%20%28SPF%29&body=Check out this article: undefined%2Fblog%2Fthe-history-and-evolution-of-sender-policy-framework-spf%2F "Share via Email") 

![The History and Evolution of Sender Policy Framework (SPF)](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg) 

The digital landscape is ever-expanding, both in a malicious as well as positive sense. Also, communication is an inevitable part of businesses and operations, and email is a common medium for exchanging messages and information. [Bad actors have always exploited](https://blogs.chapman.edu/information-systems/2023/07/06/a-warning-from-the-fbi-how-bad-actors-use-social-engineering-to-enable-hacking-of-academia/) their \*\*intelligence and capabilities to impose themselves as trusted entities and fool people into giving up important information or transferring money.

> Compliance is driving a lot of the DMARC adoption we see, says Vasile Diaconu, Operations Lead at DuoCircle. PCI DSS v4.0, Google’s sender requirements, Microsoft’s May 2025 enforcement - our support team fields questions about these mandates daily. The organizations that moved early are already at p=reject. The rest are scrambling.

Per [RFC 7208](https://datatracker.ietf.org/doc/html/rfc7208), SPF evaluation is capped at 10 DNS mechanism lookups and 2 void lookups per check - exceeding either limit produces a `PermError` that fails authentication for every message from the domain. The growing number of [email-based cyber menaces](https://www.infosecurity-magazine.com/news/half-uk-banks-exposing-customers/) led to the genesis of the concept of email authentication and verification to ensure that only trusted and \*\*authorized senders communicate through a company’s email system. All this started in the early 2000s with the brainstorming that brought forth what we call today the SPF or Sender Policy Framework. This was later complemented with the introduction of DomainKeys Identified Mail or [DKIM](https://dmarcreport.com/what-is-dkim/) and Domain-based Message Authentication, Reporting, and Conformance or [DMARC](https://dmarcreport.com/).

Let’s learn about the genesis and evolution of the first [email authentication protocol](https://dmarcreport.com/what-is-dmarc/) that keeps spammers at a distance while boosting your **domain’s authority and deliverability**.

## The Emergence of SPF; A Chronicle of Secure Communication

The need for \*\*email protection through the concept of SPF was felt and discussed in 2000, but not much effort was directed toward this thought at that time. Later, in 2002, Dana Valerie Reese researched and issued an SPF-like technology without the awareness of its previous public mention.

The next day, an American scientist named Paul Vixie published his SPF-like authentication technique, which accelerated the formation of the IETF \*\*Anti-Spam Research Group to develop the protocol for public use. Several experts sent their proposals to IETF, including the [Reverse MX (RMX)](https://reverse-mx.whoisxmlapi.com/lookup#:~:text=Reverse%20MX%20Lookup%3A%20Identify%20the,Example%3A%20smtp.google.com) by Hadmut Danisch and [‘Designated Mailer Protocol’ (DMP)](https://en.citizendium.org/wiki/Designated%5FMailers%5FProtocol) by Gordon Fecyk.

![Dmarc check](https://media.mailhop.org/dmarcreport/images/2023/11/dmarc-check-7524.jpg) 

## The Primary Phase

## December 14, 1997- Ideation

Jim Miller came up with the idea of \*\*verifying SMTP MAIL FROM address using outbound-SMTP DNS records. However, the exact date and occurrence of the event are not confirmed as they are based on Paul Vixie’s statement alone.

## March 27, 2000- Public Mention of the Idea

Bill Cole took the Usenet newsgroup to articulate the idea of developing \*\*Mail Sender DNS records to capture [outgoing email servers of a domain](https://www.website.com/beginnerguide/email/9/3/outgoing-email-server---smtp.ws?source=SC&country=IN).

## June 1, 2002- Publishing of the Mail Transmitter RR Draft by David Green

David Greens put forward and published a \*\*mail-transmitter RR draft specifying the new DNS type MT DNS RR. This first ‘Authorized-By’ draft later found a space in other IETF drafts.

## June 2, 2002- Paul Vixie’s Repudiated Mail From Draft

_Paul Vixie reacted to David Green’s post and sent a draft called “Repudiating MAIL FROM” to name droppers mail list_.

## December 3, 2002- Initial RMX Draft by Hadmudt Danish

Hadmut Danisch developed and published the first version of RMX , which is a DNS RR for simple **SMTP sender authentication**. This draft focused on using the then-latest DNS RR type RMX to publish an IP4 network block or redirection to the **APL record**.

## March 28, 2003- Initial DMP Draft by Gordon Fecyk

Gordon Fecyk drafted Version 00 of Designated Senders Protocols that proposed a [DNSBL](https://inguide.in/what-is-domain-name-system-blacklist-dnsbl/)\-like technology for allowing the use of RFC2821 MAIL FROM. This was followed by the publication of Version 01 and Version 02, which were later renamed to **Designated Mailers Protocol**. A few more years later, it started getting referred to as DMP As of version 03 of \*\*Fecyk-dsprotocol series drafts.

## June 10, 2003- Meng Weng Wong’s SPF-discussion Mail List

Until 2003, SPF was under development and wasn’t publicly available. In June 2003 , Meng Weng Wong stole the limelight by releasing the \*\*first-ever public version of [SPF](https://dmarcreport.com/what-is-spf/) which was then an acronym for ‘Sender Permitted From’ and not ‘Sender Policy Framework.’

## August 18, 2003- Wayne Schlitt’s ‘mx’ Operation

Wayne Schlitt proposed the idea of the [‘mx’ mechanism](http://www.open-spf.org/Mechanism/mx/).

## August 19, 2003- David Saez’s ‘spf include’ Operation

David Saez upgraded the SPF’s scope by introducing the **‘include’ mechanism**. This allowed domain owners to include the sending sources of [third-party vendors](https://panorays.com/blog/what-is-a-third-party-vendor/) who regularly dispatch emails on their behalf.

## October 1, 2003- Beginning of the ASRG Mail From

Developers and technology enthusiasts came together to discuss the merging of SPF into a unified proposal for \*\*checking MAIL FROM to be produced and refined as part of ASRG.

## October 8, 2003- Change of DNS Type

Paul Wouters strongly encouraged the use of the new \*\*DNS RR type instead of overburdening the [TXT record](https://www.digicert.com/faq/dns/what-is-a-txt-record) type. A few days later, Meng also articulated the \*\*urgency for the adoption of the new RR type.

## October 10, 2003- Beginning of the v=spf1 Version

Meng Weng Wong posted refined concepts by unifying ideas proposed by people on open discussion platforms.

## The Second Phase

The second phase of the Sender Policy Framework’s remarkable journey was bringing in the concept of [Sender ID](https://www.easytechjunkie.com/what-is-a-sender-id.htm), which was formed by merging SPF with \*\*Microsoft’s Caller ID for emails.

Sender ID, however, faced challenges related to licensing terms, leading to a division within the industry. _Many organizations chose to support SPF exclusively, and this division marked a pivotal point in SPF’s evolution_. Despite the challenges, SPF continued to evolve, refining its specifications and \*\*addressing limitations to improve its effectiveness in combating email spoofing and phishing attacks.

![Dmarc record](https://media.mailhop.org/dmarcreport/images/2023/11/dmarc-record-21.jpg) 

## The Current SPF Standard

As per the current SPF scenario, it prevents bad actors from sending emails by [impersonating businesses and their representatives](https://www.bloomberg.com/news/articles/2023-08-16/santos-fundraiser-charged-for-impersonating-house-speaker-s-aide#xj4y7vzkg). It allows domain owners to specify which email servers are authorized to send messages on their behalf. SPF has \*\*proven effective in reducing the prevalence of email-based threats, particularly those associated with [domain spoofing](https://www.zerofox.com/glossary/domain-spoofing/). As organizations and individuals increasingly recognize the importance of secure communication, _SPF continues to play a crucial role in the fight against phishing and other malicious activities_.

## SPF Challenges and Future Prospects

SPF’s limitations lie in email forwarding as messages pass through multiple intermediate servers. Moreover, it struggles to be in conjunction with [cloud-based email services](https://www.zdnet.com/article/cloud-based-email-services-everything-you-need-to-know/) as they involve complex email routing mechanisms\*\*.

Complementary authentication mechanisms such as DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting, and Conformance (DMARC) have gained prominence in response to these challenges. These mechanisms work in tandem with SPF to provide a more comprehensive and \*\*resilient defense against [email-based threats](https://www.clearnetwork.com/email-threats-to-be-aware-of/).

## Topics

[ email security ](/tags/email-security/)[ SPF ](/tags/spf/) 

![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

[ Brad Slavin ](/authors/brad-slavin/) 

General Manager

Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.

[LinkedIn Profile →](https://www.linkedin.com/in/bradslavin) 

## Take control of your DMARC reports

Turn raw XML into actionable dashboards. Start free - no credit card required.

[Start Free Trial](https://app.dmarcreport.com/) [Check Your DMARC Record](/tools/dmarc-checker/) 

## Related Articles

[  Intermediate 8m  Decoding I-Tag DKIM Vulnerability and Its Impact on Email Deliverability and Security  Jun 6, 2024 ](/blog/decoding-i-tag-dkim-vulnerability-and-its-impact-on-email-security/)[  Intermediate 4m  Getting Rid of Common SPF Errors for Email Security and Delivery  Dec 20, 2023 ](/blog/getting-rid-of-common-spf-errors-for-email-security-and-delivery/)[  Intermediate 3m  The Emergence of DKIM: A Cryptography-Based Email Authentication Protocol  Nov 29, 2023 ](/blog/the-emergence-of-dkim-a-cryptography-based-email-authentication-protocol/)[  Intermediate 5m  What is a DKIM Replay Attack and How to Prevent it?  Apr 10, 2024 ](/blog/what-is-a-dkim-replay-attack-and-how-to-prevent-it/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"DMARC Report","url":"https://dmarcreport.com","description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","publisher":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
[{"@context":"https://schema.org","@type":"BlogPosting","headline":"The History and Evolution of Sender Policy Framework (SPF)","description":"The digital landscape is ever-expanding, both in a malicious as well as positive sense.","url":"https://dmarcreport.com/blog/the-history-and-evolution-of-sender-policy-framework-spf/","datePublished":"2023-11-28T10:34:55.000Z","dateModified":"2026-04-16T15:53:43.000Z","dateCreated":"2023-11-28T10:34:55.000Z","author":{"@type":"Person","@id":"https://dmarcreport.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://dmarcreport.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin is the founder and General Manager of DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. He founded DuoCircle in 2014 and has led the company's growth to 2,000+ customers across its email security product family. Brad's focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DMARC Report","url":"https://dmarcreport.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com","logo":{"@type":"ImageObject","url":"https://dmarcreport.com/images/dmarcreport-logo.png"},"description":"DMARC reporting and email authentication management. Monitor aggregate and forensic DMARC reports, analyze authentication results, and enforce DMARC policies across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138898167","https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.g2.com/products/dmarc-report/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc","https://www.trustradius.com/products/duocircle/reviews"],"aggregateRating":{"@type":"AggregateRating","ratingValue":"4.8","reviewCount":"470","bestRating":"5","worstRating":"1","url":"https://www.g2.com/products/dmarc-report/reviews"},"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://dmarcreport.com/support/"},"knowsAbout":["DMARC","DMARC Reporting","DMARC Aggregate Reports","DMARC Forensic Reports","Sender Policy Framework","DKIM","Email Authentication","Email Security","DNS Management","Email Deliverability"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://dmarcreport.com/blog/the-history-and-evolution-of-sender-policy-framework-spf/"},"articleSection":"intermediate","keywords":"email security, SPF","wordCount":1039,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-alignment-6379.jpg","caption":"The History and Evolution of Sender Policy Framework (SPF)","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}]
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://dmarcreport.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://dmarcreport.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://dmarcreport.com/intermediate/"},{"@type":"ListItem","position":4,"name":"The History and Evolution of Sender Policy Framework (SPF)","item":"https://dmarcreport.com/blog/the-history-and-evolution-of-sender-policy-framework-spf/"}]}
```