Topic

Sender Policy Framework

Applicable to

all

History

Priority

must

Jun 2023

SPF is used to specify authorised email servers (or lack thereof) for an organisation’s domains (including subdomains).

A minor grammatical change was made to the existing control relating to Sender Policy Framework (SPF) being used to specify authorised email servers (or lack thereof) for an organisation’s domains (including subdomains).

Sep 2022

SPF is used to specify authorised email servers (or lack thereof) for all domains (including subdomains).

xisting controls covering ‘domains’ were amended to ‘domains (including subdomains)’ to avoid confusion as to whether subdomains were in scope or out of scope for these controls.

Mar 2022

SPF is used to specify authorised email servers (or lack thereof) for all domains.

Miscellaneous changes were made to rationale and recommendations throughout the publication to clarify content without changing intent. This included a review from the Guidelines for System Hardening chapter through to the Guidelines for Data Transfers chapter.

Oct 2019

SPF is used to specify authorised email services (or lack thereof) for all domains.

Security control 0574 was modified to remove references to Sender ID and to ensure that SPF is specified for all domains, not just those that have email servers.

Sep 2019

Email servers are specified using SPF or Sender ID.

2015

Agencies must specify their mail servers using SPF or Sender ID.

2010

Agencies must specify their mail severs using SPF.

2008

Agencies should implement the email Sender Policy Framework (SPF) following the recommendations in request for comments (RFC) 4408.