SPF is an email authentication protocol that allows an organization to specify who is allowed to send email on behalf of the organization in order to enhance the email security. The organization can authorize valid senders in the SPF record published on their Domain Name System (DNS). This record includes the list of authorized senders.

If the SPF checking is bypassed, spammer can send an email with forge sender address (e.g. spammer can send the email to our campus directly with the fake sender address  yourboss@xxxcompany from an unauthorized server which do not list in xxxcompany SPF record such as hacker’s server). It will cause the security threats to our campus.

How does SPF work?

Before receiving an email, our secure email gateway will verify the SPF record by looking up the sender’s domain included the “from address” of the email. If the email fails SPF authentication, a reminder will be inserted in the email. If you see this, be careful in disclosing your personal information! Other organizations in the world that enable the SPF checking will also insert a reminder, quarantine, or even reject such emails for security concerns.

Fix emails that aren’t authenticated

  • An email I received wasn’t authenticated

If an email you get from a trusted source isn’t authenticated, ask the person or company who sent you the email to send the email using the authorized network location that configured by their organization, or they may contact their email system admin to revise their authorized senders list.

  • An email I sent with from address “” wasn’t authenticated

Please noted that it’s not allowed to send an email with from address “” out of our campus network except UM@connect, staffmail and other authorized SMTP services. However, you can make a request to ICTO Help Desk in order to include other SMTP services in our authorized senders list if strong justification can be provided.