Sender Policy Framework and Sender ID

What is the difference between Sender Policy Framework and Sender ID?

ByBrad Slavin
Sender Policy Framework and Sender ID
DMARC Report
What is the difference between Sender Policy Framework and Sender ID?
Loading
/

Here’s a harsh truth: Email is not inherently secure, and it never was! 

Back in 1995, when the primitive version of SMTP (Simple Mail Transfer Protocol) was introduced, it was only supposed to ensure that emails were being delivered; there was nothing done to confirm their authenticity and legitimacy

It was this lack of security that brought a wave of cyber threats like phishing, spoofing, ransomware, etc. Since then, cybercriminals have left no opportunity to target unsuspecting users, businesses, and even government organizations by exploiting the vulnerabilities of email communication. They have gone so far as to impersonate trusted senders, trick users into divulging sensitive information, or deceive them into downloading infected files on their systems. These vile tactics brought them a step closer to their ultimate goals— to steal sensitive data, compromise financial assets, and spread malware across networks

spread malware across networks

With the stakes so high and the defenses so low, the need for strong security measures became imperative. This is what led to the birth and evolution of protocols like Sender Policy Framework (SPF) and Sender ID.

Out of the two protocols, the former— SPF is widely adopted and remains a key component of modern email authentication, whereas the latter—Sender ID— has become archaic. 

Let us take a look at how SPF and Sender ID are different and how the former stood the test of time, adapting to evolving cyber threats

What is Sender Policy Framework (SPF)?

SPF is an email authentication mechanism that stops spammers from spoofing a domain’s email address to send spam emails. It does this by allowing domain owners to publish an SPF record within the Domain Name System (DNS), defining the mail servers that are allowed to send emails on their behalf.

spam emails

So, when an email is sent, the recipient’s mail server validates the SPF record to determine if the IP of the sending server is out of the ones specified in the domain’s SPF policy. In case the IP is not recognized, the mail can be spam-marked, rejected, or filtered further.

What is Sender ID?

Sender ID was an email authentication mechanism created by Microsoft to avoid email spoofing and phishing attacks. It was just like SPF but used a different validation method. Rather than checking the MAIL FROM (Return-Path) address alone like SPF, Sender ID tried to authenticate the FROM header—the sender’s address shown to the recipient.

Unlike SPF, which only verifies the MAIL FROM (Return-Path) address—a temporary address used during the transmission of an email—Sender ID attempted to verify the Purported Responsible Address (PRA) or the sender’s address appearing in the recipient’s inbox. Microsoft believed that this additional check would work better to prevent phishing attacks where the FROM address is spoofed by spammers to lead people to believe that the email is from a trusted source.

phishing attacks

To implement Sender ID, domain owners needed to create an SPF2 record in the DNS, similar to SPF. When an email was received, the receiving mail server would check this SPF2 record to determine whether the sending IP was permitted to send mail on behalf of the domain. If the email failed to authenticate, it could be marked as spam, rejected, or further inspected.

How are the two different from each other?

SPF (Sender Policy Framework) and Sender ID were both designed to stop email spoofing, yet they function differently. Here is how they are different:

What they check

  • SPF verifies whether the email is originating from an approved mail server by checking the MAIL FROM (Return-Path) address, which is utilized when the email is being sent.
  • Sender ID verifies the FROM header, which is the address the recipient has in their inbox.
DNS records

How they work

  • SPF checks the MAIL FROM (Return-Path) address with the sender’s DNS records to check whether the mail server is legitimate. When the verification fails, the message can be marked as spam or rejected.
  • Sender ID authenticates the FROM header (the displayed sender’s address) with an SPF2 record. If the sender is not legitimate, the message can be blocked or identified as spam.

How do they work with email forwarding 

  • SPF is compatible with email forwarding since it verifies the Return-Path, which can be modified when emails are forwarded.
  • Sender ID fails when it comes to email forwarding because it tests the FROM header, which does not change when an email is forwarded, resulting in false failures.
Email service providers

How widespread is the adoption 

SPF was a widely adopted standard for email authentication and is still used today. Email service providers like Google and Yahoo encourage security teams to include this protocol in their security strategy framework to ensure that no one sends unauthorized emails on their behalf. It has become a staple in their cybersecurity strategy and is deployed in tandem with DKIM and DMARC

Sender ID, however, was actively marketed by Microsoft but never got acceptance from the industry. This is because it had problems being compatible with mailing lists and email forwarding

Why did SPF survive, but Sender ID did not?

As we discussed earlier, SPF became a widely adopted protocol, but Sender ID eventually became obsolete. The reasons behind this are compatibility, industry support, and technical reliability

forwarded messages

When SPF was developed, it was created as an open standard, which means it could be used by all organizations for major email providers. However, this wasn’t the case with Microsoft’s Sender ID. Microsoft pushed Sender ID primarily within its own ecosystem, but it failed to gain broader industry support. 

Another reason Sender ID failed was due to its technical issues and incompatibility with common email practices like mailing lists and forwarding. Unlike SPF, which verified the MAIL FROM (Return-Path) address and handles forwarded messages well, Sender ID verified the FROM header (the address that appears as the sender). This caused problems as when an email was forwarded, the FROM address was not being updated, resulting in false failures where legitimate emails were being rejected or marked as spam.

Need help configuring SPF for your domain? Get in touch with us today! 

Similar Posts

Cybersecurity News – Netflix Phishing Surge, Healthcare BEC Arrests, Canadian Schools Hit by Cyber-Attack

Cybersecurity News – Netflix Phishing Surge, Healthcare BEC Arrests, Canadian Schools Hit by Cyber-Attack

ByBrad Slavin

Cybersecurity As emails continue to remain the primary mode of business communication, they also are threat actors’ favorite means to wreak havoc on organizational information assets. Following are some of the recent incidents where attackers bypassed common email security standards and targeted users. Netflix Phishing Emails are Up By 78% Security researchers warned that corporate…

Swift Fan’s Spending Spree, WPP CEO’s Deepfake Scam, Russian Ransomware Extorts Millions!

Swift Fan’s Spending Spree, WPP CEO’s Deepfake Scam, Russian Ransomware Extorts Millions!

ByBrad Slavin

We are back again with another round of cybersecurity news that will keep you updated about the latest scams and frauds around the globe. Nowadays, even being a Taylor Swift fan, or a Swiftie, as they call it in slang, is not safe—thanks to threat actors and their scams. Also, even industry biggies and businessmen…

Why is sending emails without DKIM a risk you can’t afford?

Why is sending emails without DKIM a risk you can’t afford?

ByBrad Slavin

Sending emails without signing them with DKIM is a bad idea because it weakens your email security and increases the chances of your emails being rejected or marked as spam. It’s a security and deliverability risk that is not worth taking, especially when you know Google, Yahoo, and other email service providers require bulk senders…

How to Create a DMARC Record in GoDaddy for Enhanced Email Security

How to Create a DMARC Record in GoDaddy for Enhanced Email Security

ByBrad Slavin

To create a DMARC record in GoDaddy, log into your account, navigate to DNS Management for your domain, and add a new TXT record with the name “_dmarc” and the value “v=DMARC1; p=quarantine; pct=100; rua=mailto:your-email@example.com” (replacing ‘your-email@example.com’ with your administrator email). Finally, save your changes, keeping in mind that DNS updates may take up to…