Why does ImprovMX need SPF?

Last updated on February 20, 2020

The Sender Policy Framework (SPF) is commonly used by services that send email. It allows any service listed in a domain’s SPF DNS records to send email using that domain’s name.

When forwarding an email, ImprovMX doesn’t really send an email, and since we can’t control the sender, we can’t ask all of them to add ImprovMX to their SPF records.

So why are we asking you, the recipient, to add ImprovMX to your SPF records?

The main reason is to better handle bounces. When we forward an email, it’s important for us to know if the email successfully reached its destination or not.

One way to know that is via bounces: emails sent back to the return-path address used in the “MAIL FROM” command. And this address is exactly what SPF checks.

If ImprovMX were to use the sender’s email in the MAIL FROM command without having our IPs listed in that sender’s domain’s SPF records, the email might be refused by the receiving server.

But since your domain is handled by ImprovMX at the email level, it’s easier for us to ask you to add ImprovMX to your SPF records. That way, when we forward an email, we set the domain part of MAIL FROM to yours (the recipient’s), since we are listed in your domain’s SPF records.

When the receiving server sends a bounce report back to the return path (the MAIL FROM value), it goes to your domain, which is handled by us.

The special structure of the bounce email will be caught by ImprovMX and handled properly.

What about DMARC and domain alignment issues?

DMARC ensures that the sender is truly allowed to send an email. This is done by verifying that SPF and DKIM (when present) are valid and that the domain used in either SPF or DKIM is the same as the sender’s.

In our case, when using the recipient’s email as the return path instead of the sender’s, we keep the SPF valid (because our servers are listed at the recipient’s domain) but we might break the domain alignment.

This occurs only when DMARC records are present and the email doesn’t have DKIM. Because domain alignment is required for either SPF or DKIM, if a DKIM header is present, the alignment will be preserved, so the email will be accepted.

When this occurs, our servers will handle this situation by rewriting the sender to stay compliant. This is a very specific situation (most domains, when implementing DMARC, already have DKIM in place).
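
To see why alignment breaks only in the no-DKIM case, here is a small model of the DMARC check before and after forwarding. It is an added example, not ImprovMX’s code: the domains `sender.example` and `recipient.example`, the `Message` fields and the helper names are constructed for illustration, alignment is simplified to an exact domain match, and the DKIM signature is assumed to survive forwarding.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    header_from: str                   # domain of the From: header (the sender)
    mail_from: str                     # domain of the SMTP MAIL FROM (return path)
    spf_pass: bool                     # SPF result for the MAIL FROM domain
    dkim_domain: Optional[str] = None  # d= domain of a valid DKIM signature, if any


def aligned(a: str, b: str) -> bool:
    # Simplification: exact match only. Real DMARC also offers a relaxed mode
    # that compares organizational domains.
    return a.lower().rstrip(".") == b.lower().rstrip(".")


def dmarc_pass(msg: Message) -> bool:
    # DMARC passes if SPF OR DKIM is both valid and aligned with the From: domain.
    spf_ok = msg.spf_pass and aligned(msg.mail_from, msg.header_from)
    dkim_ok = msg.dkim_domain is not None and aligned(msg.dkim_domain, msg.header_from)
    return spf_ok or dkim_ok


def forward(msg: Message, recipient_domain: str) -> Message:
    # Hypothetical forwarder: MAIL FROM becomes the recipient's domain, and SPF
    # passes because the forwarder is listed in that domain's SPF record.
    return Message(msg.header_from, recipient_domain, True, msg.dkim_domain)


def needs_sender_rewrite(msg: Message, sender_has_dmarc: bool) -> bool:
    # The situation the article describes: DMARC published, nothing aligned.
    return sender_has_dmarc and not dmarc_pass(msg)


# Constructed sample messages from sender.example, forwarded to recipient.example.
NO_DKIM = Message("sender.example", "sender.example", True)
WITH_DKIM = Message("sender.example", "sender.example", True, "sender.example")

if __name__ == "__main__":
    for name, original in (("no DKIM", NO_DKIM), ("with DKIM", WITH_DKIM)):
        fwd = forward(original, "recipient.example")
        print(f"{name}: SPF valid={fwd.spf_pass}, DMARC pass={dmarc_pass(fwd)}, "
              f"rewrite needed={needs_sender_rewrite(fwd, True)}")
```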