--- title: "The key differences between Sender Policy Framework and Sender ID | DuoCircle" description: "The key differences between Sender Policy Framework and Sender ID." image: "https://www.duocircle.com/images/og-default.png" canonical: "https://www.duocircle.com/blog/email-security/the-key-differences-between-sender-policy-framework-and-sender-id/" --- Quick Answer SPF and Sender ID both tried to solve the same problem (authenticating which servers may send for a domain) but evaluated different headers. SPF checks the envelope sender (MAIL FROM / Return-Path) against a v=spf1 TXT record in DNS, returning pass, fail, softfail, or neutral. Sender ID, proposed by Microsoft in 2004, evaluated the visible Purported Responsible Address from headers like From, Sender, or Resent-From against an spf2.0 record. Sender ID failed in the market for three reasons: a Microsoft-held patent licensed under terms incompatible with open-source projects, redundancy with SPF (most domains kept a v=spf1 record), and the rise of DMARC, which already aligns the From domain with SPF and DKIM. Today only SPF survives, paired with DKIM and DMARC. Sender ID was deprecated. The key differences between Sender Policy Framework and Sender ID Your browser does not support the audio element. [ Download episode](https://media.mailhop.org/duocircle/images/2025/02/The-key-differences-between-Sender-Policy-Framework-and-Sender-ID.mp3) Share [ ](https://www.linkedin.com/sharing/share-offsite/?url=undefined%2Fblog%2Femail-security%2Fthe-key-differences-between-sender-policy-framework-and-sender-id%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=The%20key%20differences%20between%20Sender%20Policy%20Framework%20and%20Sender%20ID&url=undefined%2Fblog%2Femail-security%2Fthe-key-differences-between-sender-policy-framework-and-sender-id%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=undefined%2Fblog%2Femail-security%2Fthe-key-differences-between-sender-policy-framework-and-sender-id%2F "Share on Facebook") [ ](https://reddit.com/submit?url=undefined%2Fblog%2Femail-security%2Fthe-key-differences-between-sender-policy-framework-and-sender-id%2F&title=The%20key%20differences%20between%20Sender%20Policy%20Framework%20and%20Sender%20ID "Share on Reddit") [ ](mailto:?subject=The%20key%20differences%20between%20Sender%20Policy%20Framework%20and%20Sender%20ID&body=Check out this article: undefined%2Fblog%2Femail-security%2Fthe-key-differences-between-sender-policy-framework-and-sender-id%2F "Share via Email") ![Sender Policy Framework](https://media.mailhop.org/duocircle/images/2025/02/sender-policy-framework-9090.jpg) The primitive version of SMTP (Simple Mail Transfer Protocol) didn’t have a feature to verify the email sender’s authenticity, leaving room for phishing and spoofing instances. Over time, emails became one of the most exploitable attack vectors. It was easier for [threat actors](https://www.darkreading.com/cyberattacks-data-breaches/asian-threat-actors-use-new-techniques-to-attack-familiar-targets) to modify the ‘From’ field in an email to impersonate banks, governments, and well-known brands. They would send millions of potentially [fraudulent emails](https://hackread.com/hackers-fake-eset-emails-israeli-wiper-malware/) each day, urging recipients to ‘reset their password’ or ‘**verify their account**,’ leading to credential theft. This led to the evolution of the Sender Policy Framework (SPF) and Sender ID. Both of these solutions prevent email-based [phishing and spoofing](https://www.bleepingcomputer.com/news/google/google-now-blocks-spoofed-emails-for-better-phishing-protection/) attacks; however, Sender ID became irrelevant over time. Let’s see how these two are different and why [SPF](/resources/what-is-spf) **prevailed over Sender ID**. ## What is SPF? SPF is an [email authentication](/resources/email-authentication) protocol that the domain owner deploys to ensure that only **authorized people send emails** on their behalf. _When SPF is implemented for your domain, unsolicited and unauthorized emails are either marked as spam by the recipient’s mailbox or are rejected_. It helps recipients stay away from phishing and spoofing emails sent in the name of your reputed business, shielding your brand image and ensuring [email deliverability](/a-guide-on-email-deliverability). This improves email deliverability, as legitimate emails are less likely to be marked as spam. SPF also strengthens a **company’s brand reputation** by ensuring that only authorized sources can send emails using its domain, protecting users from [impersonation attacks](https://www.bleepingcomputer.com/news/security/hackers-impersonate-us-government-agencies-in-bec-attacks/). When combined with DKIM and DMARC, SPF plays a crucial role in comprehensive email authentication, making it harder for [cybercriminals](https://www.infosecurity-magazine.com/news/cybercriminals-graphics-files/) to exploit email as an attack vector. [![email deliverability](https://media.mailhop.org/duocircle/images/2025/02/DMARC-report-service-4188.jpg)](https://media.mailhop.org/duocircle/images/2025/02/DMARC-report-service-4188.jpg) ## How does SPF work? Here is how SPF works to ensure only emails sent by authorized mail servers **reach recipients’ inboxes**. ### Step 1: Domain owner publishes an SPF record The **domain owner** creates an SPF record in the DNS (Domain Name System) settings of their domain. This record specifies which [mail servers](https://www.activecampaign.com/glossary/mail-server) are allowed to send emails on behalf of the domain. This is what a **standard SPF record** looks like- v=spf1 ip4:192.168.1.1 include:\_spf.google.com -all Where, - _v=spf1 indicates the SPF version in use. As of now, there is only one version of SPF_. - Ip4:192.168.1.1 is the **IP address officially authorized** to be used for sending emails. - include:\_spf.google.com includes Google’s SPF policy (useful for [Gmail and Google Workspace](/email-security/simplifying-google-workspace-email-security)). - \-all instructs the receiving mailbox to reject emails sent from unauthorized sources. ### Step 2: Email sent from the domain When a sender tries to send an email (e.g., **[user@yourdomain.com](mailto:user@yourdomain.com)**), the recipient’s mail server checks the SPF record of ‘yourdomain.com’ to verify the sender. ### Step 3: Recipient mail server performs SPF lookup The receiving mail server extracts the [Return-Path](https://emaillabs.io/en/what-is-return-path/) (Envelope From) domain from the [email headers](https://proton.me/blog/what-are-email-headers). Then, it queries the **domain’s DNS records** to find the corresponding SPF record. ### Step 4: IP address validation _The receiving mail server checks if the sender’s IP address is mentioned as an authorized sender_. If yes, the email is accepted; otherwise, it’s either rejected or placed in the [spam folder](https://cybernews.com/news/microsofts-breach-notification-emails-end-up-in-spam-folder/). ### Step 5: SPF policy applied If the email fails SPF checks, one of the following actions is taken- - _If the domain owner has mentioned \~all (Soft fail policy) in their SPF record, then the unauthorized email is rejected_. - If the domain owner has mentioned -all (Hard fail policy) in their SPF record, then the unauthorized [email is marked as spam](https://pressgazette.co.uk/publishers/digital-journalism/facebook-spam-posts-independent-small-news-publishers/). - If the domain owner has mentioned ?all (Neutral policy) in their SPF record, then the unauthorized email is treated normally. It’s not at all advised to use this policy as it defies the whole **purpose of securing emails** through SPF. ### Step 6: Email handling decision _If the email fails the SPF authentication checks, it is subjected to one of the above policies_. If it passes, it undergoes **additional security checks**, such as DKIM and [DMARC](/resources/what-is-dmarc), before being delivered to the inbox. ## What is Sender ID? Microsoft introduced sender ID in the **early 2000s as part** of its broader initiative to secure [email communication](https://www.tidio.com/blog/email-communication/) by verifying the sender’s legitimacy. Instead of just checking the Return-Path address, it checks the Purported Responsible Address of the email. Although sender ID is an obsolete protocol, its role in shaping modern authentication methods can’t be ignored. ## How does Sender ID work? The domain owner published a Sender ID record in their [DNS settings](https://www.ntchosting.com/encyclopedia/dns/settings/), specifying all the mail servers they authorized to be used for sending emails on their behalf. When the receiving server got the email, it extracted the PRA domain and performed a [DNS lookup](https://www.digicert.com/faq/dns/how-does-dns-lookup-work) to retrieve the **sender ID record**. It then compared the sender’s IP against the authorized list, applying a Pass, Fail, SoftFail, or Neutral policy. If Sender ID validation failed, the email could be rejected or marked as spam. ## The key difference | Feature | SPF | Sender ID | | --------------------- | ------------------------------- | --------------------------------------------------- | | Authentication target | Checks sending mail server’s IP | Verifies the ‘From’ address | | Record type | TXT DNS records | TXT or SPF records | | Compatibility | Works with all mail servers | Works with all mail servers | | Adoption | Widely adopted | Faced resistance due to Microsoft’s licensing model | | Standardization | RFC 4408, later RFC 7208 | Proposed but not widely accepted | [![Purported Responsible Address](https://media.mailhop.org/duocircle/images/2025/02/office-365-migration-service-1232.jpg)](https://media.mailhop.org/duocircle/images/2025/02/office-365-migration-service-1232.jpg) ## Why did Sender ID become obsolete and SPF prevailed? The main reason why Sender ID became obsolete is that it wasn’t compatible with modern systems. Industries didn’t openly adopt it because of its **proprietary licensing concerns**. Since the Sender ID relied on the Purported Responsible Address (PRA), there were **conflicts with existing** [email forwarding](https://en.wikipedia.org/wiki/Email%5Fforwarding) and [mailing list](https://www.one.com/en/email/what-is-a-mailing-list) mechanisms. This also triggered deliverability issues for the companies. SPF, on the other hand, is capable of working with the existing SMTP infrastructure, which makes its **deployment and management** more effortless. Furthermore, as [email security](/) evolved with [DKIM](/resources/what-is-dkim) and DMARC, SPF seamlessly integrated into these frameworks, solidifying its role in modern email authentication, while Sender ID faded into obsolescence. ## Topics DKIMDMARCemail headeremail securitySecurityspfSPF record ![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) Brad Slavin General Manager General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio. ## Secure your email infrastructure Protect, authenticate, and deliver. Contact our team to find the right solution. [Contact Sales](/contact/) [Explore Products](/products/) ## Related Articles [ Email Security 6m Building a zero-trust security model for emails Dec 11, 2024 ](/blog/email-security/building-a-zero-trust-security-model-for-emails/)[ Email Security 7m How email authentication helps you prove sender identity under ISO 27001 Nov 18, 2025 ](/blog/email-security/how-email-authentication-helps-verify-sender-identity-for-iso-27001/)[ Email Security 6m How do you achieve SPF alignment to enhance email security and deliverability? Mar 25, 2025 ](/blog/email-security/how-spf-alignment-improves-email-security-and-deliverability/)[ Email Security 5m How to pass Microsoft’s email authentication requirements? Jul 11, 2025 ](/blog/email-security/how-to-pass-microsofts-email-authentication-requirements/) ```json {"@context":"https://schema.org","@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}],"sameAs":["https://www.linkedin.com/company/duocircle","https://x.com/duocirclellc","https://www.facebook.com/duocirclellc","https://www.g2.com/products/phish-protection-by-duocircle/reviews","https://github.com/duocircle","https://www.crunchbase.com/organization/duocircle-llc"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://support.duocircle.com"},"knowsAbout":["Email Security","Email Authentication","SPF","DKIM","DMARC","Phishing Protection","Spam Filtering","SMTP Relay","Email Deliverability","Email Forwarding"]} ``` ```json {"@context":"https://schema.org","@type":"WebSite","name":"DuoCircle LLC","url":"https://www.duocircle.com","description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}} ``` ```json [{"@context":"https://schema.org","@type":"BlogPosting","headline":"The key differences between Sender Policy Framework and Sender ID","description":"The key differences between Sender Policy Framework and Sender ID.","url":"https://www.duocircle.com/blog/email-security/the-key-differences-between-sender-policy-framework-and-sender-id/","datePublished":"2025-02-11T19:29:42.000Z","dateModified":"2025-04-10T17:59:53.000Z","dateCreated":"2025-02-11T19:29:42.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/email-security/the-key-differences-between-sender-policy-framework-and-sender-id/"},"articleSection":"email-security","keywords":"DKIM, DMARC, email header, email security, Security, spf, SPF record","wordCount":976,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2025/02/sender-policy-framework-9090.jpg","caption":"Sender Policy Framework","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}},{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":2,"name":"Email Security"},{"@type":"ListItem","position":3,"name":"The key differences between Sender Policy Framework and Sender ID","item":"https://www.duocircle.com/blog/email-security/the-key-differences-between-sender-policy-framework-and-sender-id/"}]}] ``` ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.duocircle.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://www.duocircle.com/blog/"},{"@type":"ListItem","position":3,"name":"Email Security","item":"https://www.duocircle.comundefined"},{"@type":"ListItem","position":4,"name":"The key differences between Sender Policy Framework and Sender ID","item":"https://www.duocircle.com/blog/email-security/the-key-differences-between-sender-policy-framework-and-sender-id/"}]} ``` ```json {"@context":"https://schema.org","@type":"BlogPosting","headline":"The key differences between Sender Policy Framework and Sender ID","description":"The key differences between Sender Policy Framework and Sender ID.","url":"https://www.duocircle.com/blog/email-security/the-key-differences-between-sender-policy-framework-and-sender-id/","datePublished":"2025-02-11T19:29:42.000Z","dateModified":"2025-04-10T17:59:53.000Z","dateCreated":"2025-02-11T19:29:42.000Z","author":{"@type":"Person","@id":"https://www.duocircle.com/authors/brad-slavin/#person","name":"Brad Slavin","url":"https://www.duocircle.com/authors/brad-slavin/","jobTitle":"General Manager","description":"Brad Slavin runs DuoCircle, the company behind DMARC Report, AutoSPF, Phish Protection, and Mailhop. His focus is product strategy, customer relationships, and the commercial and compliance side of email authentication (DPAs, SLAs, enterprise procurement).","image":"https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg","knowsAbout":["Email Security Strategy","SaaS Product Management","Enterprise Compliance","Customer Success","Email Deliverability Business"],"worksFor":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com"},"sameAs":["https://www.linkedin.com/in/bradslavin"]},"publisher":{"@type":"Organization","name":"DuoCircle LLC","url":"https://www.duocircle.com","logo":{"@type":"ImageObject","url":"https://www.duocircle.com/images/duocircle-logo.png"},"description":"DuoCircle is a portfolio of specialized email products covering protection, authentication, delivery, and routing. We deliver about 90% of category-leader capability at roughly half the price, backed by experts who own the outcome. Trusted by 50,000+ organizations since 2014.","subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://www.duocircle.com/blog/email-security/the-key-differences-between-sender-policy-framework-and-sender-id/"},"articleSection":"email-security","keywords":"DKIM, DMARC, email header, email security, Security, spf, SPF record","wordCount":976,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/duocircle/images/2025/02/sender-policy-framework-9090.jpg","caption":"Sender Policy Framework","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}} ```